Domain: symbiansigned.com
Stories and comments across the archive that link to symbiansigned.com.
Comments · 21
-
Re:Symbian
Yes, there's a self-signed option. But you're still at the mercy of Symbian; you have to submit each changed version of your application through them. And you can't run the signed binaries on any other device. Also, self-signed applications don't have full access to the device. They have only ReadUserData, WriteUserData, NetworkServices, LocalServices, and UserEnvironment capabilities.
-
They want to have first worm catastrophe on mobile
They need to have the same lesson which Nokia had with the Cabir worm, resulting in billions of dollars of brand value loss and users still getting robbed by AV vendors for a nonexistent threat. Cabir was just a first warning and Nokia took it very seriously and fast, coming up with their Symbian Signed initiative, which has _nothing_ to do with the Apple App Store.
Of course, I don't believe you can code such deep level running utility such as AV on an OS named "WebOS". So, malware will be there and protection won't. Palm shows every kind of example how you shouldn't try to race with Apple. They stupidly ignore what Nokia does and did to stay afloat.
This is what you do if you don't want to be Apple and yet have App Store: https://www.symbiansigned.com/ or a way more secure thing fits excellently to their "WebOS" http://www.ibm.com/developerworks/wireless/library/wi-secj2me.html (code signing part)
-
Re:What?
That is factually incorrect. While Apple relies on App Store reviewers and censorship for enforcing security on their platform, Symbian relies on certificates.
Certificates are issued at various levels: from home brew developer (install on one phone) to software firm (installs on all devices). Also, certificates are issued with various capabilities like reading contacts, sending SMS, sending data, accessing camera/microphone, being able to read or write system files etc. During the installation of a Symbian program the user is constantly nagged with the following information and has to approve/acknowledge separately: Certificate validity - Certificate Capabilities for the program - Program final install.
You can find more information here: https://www.symbiansigned.com/app/page
The easy way to circumvent this - similar to jailbreaking for iPhones - can be found here http://helloox2.com/ and it's free as long as you've got a developer certificate issued for your phone to sign it.
-
Re:you can get that today
You do need Symbian approval, although they are more relaxed than Apple are. You can't load an application without signing it first. Free certificates are available, but they're tied to the device's IMEI number, you can't automatically generate them, and a message warning that you're running a developer version of your program is shown at install time.
Paid certificates are available, but they're expensive and you have to adhere to a set of testing guidelines.
None of this is as restrictive as Apple's regime, but it's not nearly as open as developing for a PC.
-
Re:Application signing
You can already run your own application on your own phone, officially and for free.
Just use the Open Signed Online service.
-
Re:One Can Hope
> It may have 20 times the market share 'right now' but the writing went up on the wall for its demise at
> about the time the whole certificate business came into being. It'll be interesting to see if open
> sourcing will make any difference.
Indeed. However, the backing of the manufacturers is fairly impressive, I think; though things can change pretty quickly, for sure. After all, phones only last a year or two these days, and I suspect manufacturers are pretty similar. At least they no longer have to pay royalties on the OS.
> Certainly you can distribute unsigned applications, quite a few people have gained much popularity by
> going this route, but to rake in the cash from average users you have to pay the toll to get your app
> signed.
I wouldn't call it a 'toll', and I'm not sure it actually necessarily costs anything. Looking briefly at http://www.symbiansigned.com/, things seemed to have changed since I worked on S60, but back then, one test house was sponsored by the likes of Nokia and would sign freeware apps for no cost.
> Not only that, while you may have knocked up the best 'killer app' ever over a weekend or two, it would
> still take 6 months to 2 years before you get the silent nod from Symbian to unleash it on the world.
Not in my experience - it only took a couple of weeks for me.
> Symbian also decide what they will or won't sign, and while they perhaps aren't as obvious in their motives as Apple, they are just as bad.
This is, I think, misleading. Symbian provide testing guidelines for the test houses, who run the apps through those tests, but, IINM, their only criterion is the integrity of the users' phones. However, like I said, things may well have changed in the last year or so.
It is most certainly, completely different to the situation with Apple, and in no way at all, that I can see, are they 'just as bad'.
Heck, Symbian has plans to go completely open source - I don't see Apple doing anything like that....ever.
-
Re:Don't buy it
No no, wrong example...
Symbian S60 V3 aka "Series 60". There are like thousands of evil guys trying to exploit them and there is serious money in it. Nobody could come with a single example of malware so far. Thanks to http://www.symbiansigned.com/ scheme.
By forcing people to hack their devices, making them get used to binary hacks, educating them to ignore security concerns... They are acting like Nokia back in 2001! This time, a Cabir.iphone or any trojan.iphone will be a disaster. Things have really changed...
-
Symbian 3rd signed is the same
Symbian 3rd edition also has limitations for developers: for certain types of capabilities the program must be signed by Nokia. And there is a 10.000$ license for developers to sign and sell Symbian applications. It is the same as games on consoles. The device is definitively "not open" for everyone. https://www.symbiansigned.com/app/page/overview/faq Unfortunately, Apple is not doing anything different from what others in the industry have done.
-
Compare to Symbian Signed
But not useless for creating applications which is all most people really want. It will probably need each app to be signed by the holder of a code signing certificate. Based on what I've seen on other similar platforms (such as Symbian Signed), the terms of service attached to code signing will likely have a technicality, such as no charging for copies of signed binaries, that makes it incompatible with the requirements of the GNU GPL, such as granting permission to distribute source and binaries for a fee and disclosing Installation Information.
-
Nokia development
For those intrigued by the ads, here is where to get started for Nokia development. It is important to note that all applications must be signed (expounded on here), with the option (but not requirement) of doing things through a Symbian Signed certificate.
It should also be noted that Nokia's openness to development in comparison to the iPhone has been suitably documented previously.
-
Symbian Signed
Maybe you want to have a look at Symbian Signed to see what kind of loops and hops you have to go through to run your own software on a smart phone.
It's the same for Windows Mobile and will be the same for the iPhone.
And, of course: a network provider can ban the use of specific APIs and/or unsigned software on subsidised/branded phones.
Martin
[1] https://www.symbiansigned.com/app/page/dev/devcert Summary
-
Re:iPhone does run third party apps
Now here's the kicker - Symbian platforms are moving to a signed app model, where third party app makers have to buy a VeriSign certificate to run on the Symbian platform, at a cost of hundreds of dollars per year. Sure, that's SO MUCH more open.
The cost is something like 300$ per year, which is feasible for a developer/company with any significant sales. However, you can get your freeware/open source app signed for free. And there are no restrictions on J2ME apps. So yes, it is much more open.
-
Re:Symbian and other locked environments
This is the ultimate resource. You might find that there's even too much detail.
https://www.symbiansigned.com/app/page
Basically the user has to approve anything that might cost them money so an EXE or DLL that wants internet access will trigger the installer to ask the user for permission. Programs can't change their capabilities once installed, and the data of one app can be stored such that others are not able to see or access it. Various bits of the filesystem are also inaccessible to insufficiently privileged apps etc etc. So apps are insulated from each other and the OS is shielded from apps. This makes viruses much harder to propagate. Software must be installed to work and only the system installer has the privileges to do that - and it asks the phone user and checks signing.
If some software was found to be "bad" even after testing then its certificate could be revoked, although I'm not sure if much infrastructure has been devoted to this possible course of action.
The best a virus writer might hope for is to write something in an application's own macro language e.g. javascript in the browser. They might be able to infect the application and cause trouble but at least the damage would be limited to the capabilities of that application. So a virused browser wouldn't be able to cause a Denial of Service on the Mobile Network by doing something horrible with the phone's radio. This is still pretty cool.
A lot of effort has been put into reducing the trouble and bother of platsec and into helping developers and you can read about it on the link. e.g. there's a thing called a devcert that lets you sign your own apps but these will only install on a couple of specific phones. This allows a developer to test software on their own phone(s) up to the point of release.
My very personal opinion is that there are other problems with the structure of the market that, once solved, will set loose a flood of applications. I would probably be unwise to say anything more on that though.
-
Re:Why Symbian rules
Hi,
OK, the opinions here are my own personal ones and in no way represent any other person or entity. It's also not guaranteed to be accurate.
I have seen the issue from both sides and I basically agree that getting in the way of developers is very bad. I think that the issue will become much less important thanks to the "firming up" of some APIs and the fact that manufacturers support them better.
The certificate stuff is pretty much an answer for the security argument against releasing APIs. It will stop a legion of trojans and worms from wriggling through GPRS/3G/bluetooth/wifi connections and infesting the world's mobile phone "fleet". The only alternative is to lock down phones completely and that is what might happen to the other OSes if something similar isn't done for them. I think that this is actually critical to enabling third-party software and quite positive for everyone. Symbian have put in a huge effort to make it friendly so don't be disheartened - read on to find out why it'll be ok.
The first thing to note is that you can get a free certificate (DevCert) that gives you very "deep" access but it's locked to your personal phone. This means that you can develop whatever you like on your own device.
If your application uses the 60% of the API which is considered harmless then it can run without signing.
There are a number of capabilities which are considered to be simple enough that the user can understand them and grant them during installation. So these also don't require signing.
If you use some of the extended capabilities or Phone Manufacturer Approved capabilities and you wish to make your software generally available on all phones then you'll need a certificate.
If your software is free (i.e. you make no financial gain from it) then Symbian has made free testing and free certificates available. If your software is not free then you can probably afford a "couple" of hundred dollars for it to be signed.
These links have more detail:
https://www.symbiansigned.com/How_has_Symbian_Signed_evolved_with_Symbian_OS_v9.pdf
https://www.symbiansigned.com/app/page/freewareFaq
Cheers,
Tim
-
Symbian Signed: Not as smart as you think
Actually Symbian are committed to Open Source as a way of getting more people to develop on their platform (and hence get more phones into the mid-range market).
For details about how to get freeware apps signed (for nothing) have a look here.
-
Thanks for information about Symbian Signed
You might not require any at all, and you can still install unsigned software, you'll just get a nice set of warnings about what features it's trying to access.
The PDFs on the page that you linked suggest that the warnings for most "unsigned sandboxed APIs" happen at install time, which is better than what I had imagined (every time an unsigned program starts).
Windows Mobile includes a checkbox for a network operator (also called carrier or provider) to turn off execution of unsigned code entirely, and almost the entire North American carrier oligopoly turns it on to preserve the revenue stream of each network operator's own online store. Does Symbian OS have a similar checkbox? Based on this page, it would appear that they do:
Market channel owners (such as network operators, phone manufacturers and download distribution sites) are concerned about the end user experience. From their perspective it is better that the application is signed and some channels such as Preminet mandate this. It is up to the channel to define their policy on whether content must be Symbian Signed or not.
Another non-surprise, from the PDF that describes the process for obtaining a developer testing certificate:
Symbian Signed have created a tool called DevCertRequest which is used to create the CSR. This is a Microsoft Windows® based application wizard used as a first step for requesting a Symbian Developer Certificate.
In other words, people who use Linux or (pre-Intel) Mac OS need to buy a new computer to run Windows just to get a developer certificate. Or is this known to work in WINE?
Though Symbian Signed makes a provision for free software and freeware (but not for "content", defined as works other than software), do network operators respect this? And are there corresponding freeware programs for other platforms? (There's definitely not one for BREW, as the BREW model resembles the video game console development model more than anything else.)
-
Re:Anti-hobbyist? - not necessarily
Most of the stuff covering how PlatSec works, and how to handle it is available here
Depending on what you want to do changes what capabilities you require. You might not require any at all, and you can still install unsigned software, you'll just get a nice set of warnings about what features it's trying to access.
Getting it signed is a bit expensive for your average hobbyist, but there is a FAQ here
-
Symbian OS have similar problem
From TFA:
Contrast this with Symbian, who provides free documentation and software development kits for all of its mobile phone platforms, encouraging third-party developers.
Don't worry, that is not the case any more. Since version 9.1, with the introduction of Symbian Signed, Symbian is not encouraging small/freeware/open source developers any more. For small commercial developers the situation is worst - they have to pay for every binary release (goodbye patches/expansions) around 400 USD to a testing house (and that is taking into account that Symbian applications are not a big market). For freeware/open source the situation is a little better - they don't have to pay for testing (if Symbian Signed decides that the application deserves to be freeware, of course - that is for Symbian to decide) but still, to test/debug an application on a real phone they have to get a developer certificate. For access to nontrivial capabilities (freeware/open source too), like multimedia drivers, they have to pay around 350 USD/year and get phone manufacturer approval - that is only to be able to test/debug the application on the phone.
-
Re:Let's not get our hopes too high
- Nintendo has to provide the infrastructure for a downloading service
- Nintendo has to somehow make sure no harmful software can be downloaded
There is already a working model for this kind of setup in the Symbian Signed* application quality assessment process.
The developer downloads the dev kits (for free, I might add) from the main web site, and programs her little heart out. If said dev is certain of an application's success, she can pay a fee to have the application tested and certified. The cert process basically verifies that things install/uninstall correctly, the app doesn't have memory leaks, etc., more or less guaranteeing that the application is "safe". Most of the phone carriers require that the apps they sell be certified, meaning that if you want access to the larger market, you have to be willing to invest some cash upfront.
Think about an indie dev program through Nintendo in a similar way. You make a small investment (that could be waived or charged against future earnings for really small developers with good ideas) up front, which indicates to Nintendo that you're serious about this whole thing. The small entry cost keeps out most of the 'me too' types, and pays for the infrastructure and safety checks.
* For those of you who do not know, Symbian is the OS on a lot of Nokia phones (including the N-Gage), that evolved from Psion's handheld OS. Once you develop an application and get it certified, you can sell it on Nokia's website (they keep some of the profits). The barrier to entry imposed by the certification costs keeps the application pool relatively free of pong clones and other crap, yet there are still many programs available for purchase.