On his blog, David Wood, Executive Vice President of Research at Symbian, explains why he thinks there’s a need for signing mobile applications.

David takes the recent example of rogue Android applications racking up hidden charges. Unfortunately, this can happen on any platform, including Symbian - even with 3rd party tested Symbian Signed applications. Symbian Signed doesn’t test for this and many other ‘rogue’ scenarios.

At one time, the Symbian Signed requirements required that a ‘billing’ prompt be given to the user when the application first accessed the Internet. Optionally, a second prompt after this could allow the user to turn off further prompting. It has been removed from the last two iterations of the Symbian Signed requirements presumably because…

a) Most people would just disable the prompts and further ‘rogue’ events can happen unnoticed
b) The prompts really don’t make sense with the majority of people using ‘unlimited’ data tariffs

At the time this ‘billing dialog’ requirement was in place, I had difficulty explaining to my clients why the S60 version had so many extra screens/dialogs compared to the Windows Mobile, RIM and Palm OS versions of the same application. I am pleased the requirement has gone now.

As the above example shows, a rogue scenario can be very complex. Sometimes there are exceptions where the rules don’t make sense. Sometimes there are cases where the rules make more sense (e.g. Data access while roaming).

The problem with the Symbian Signed tests is that there aren’t enough of them and they aren’t detailed enough. Hence, they don’t really cover as much as people might think. Conversely, the existing set of tests are already an administrative and development burden so adding to them wouldn’t be practical. So what should be done?

While I agree we need signing, I am beginning to believe more in the Android self-signing approach where developers can be traced and applications revoked (disabled by Google) as necessary.

As I have said previously, I think more could be done by the phone software itself to police activity rather than solely relying on signing. As an example, in the case of use of data while roaming, the phone OS should be able to detect this and warn the user.

Related Articles:

• iPhone 3G Instability
• New Open Signed Online Anguish
• How to Satisfy Symbian Signed & Nokia Criteria
• Symbian Signed Under Attack
• Symbian Dev Certs without Publisher ID
• Self Signed Application Validity Period
• New Symbian Signed Test Criteria Issued
• Is FlexiSpy Malware?
• S60 Spyware
• Symbian Signed and Piracy
• Symbian Signed AllFiles and TCB
• Symbian OS 9.1 Implications
• Signing and Certification
• Symbian Break in Binary Compatibility

This entry was posted on Monday, December 15th, 2008 at 12:31 pm and is filed under Symbian, Series 60, Mobile, Android. Both comments and pings are currently closed.