The company I work for often releases applications on multiple mobile platforms, including S60 / Symbian. Some of these applications are our own products. Other applications are promotional apps for our clients, which are among the biggest brands in the world, such as IBM, Nike, Ford, etc., and even Nokia itself. These promotional applications are often released at the same time as new marketing initiatives, new advertising campaigns, or new products launched by our clients. All the Symbian application we release, whether for ourselves or for our clients, are Express-Signed.
In the past, some of these applications have been audited, and they have always passed the audits. However, for one of our recent applications (application # 5011851), the auditing test house raised some objections, for which we offered clarifications and explanations. The auditor informed us that they were forwarding our case to Nokia for a final decision.
Yesterday when we tried to release the latest version of one of our apps, we found that Express Signing was disabled for our account. Upon reading the audit report, it looks like the auditor has marked our application as having failed audit, and Nokia either agrees with them, or hasn't yet looked into the case. Because of our account being suspended, we are not able to release our apps at this time. This can potentially cause us great hardship and loss of business, because our clients often come to us with an idea for an application which needs to released in a short time, to coincide with a new advertising campaign / new product. For such apps, going through the Certified Signed process would mean that our clients advertising campaigns / new launches would be delayed, something which would be unacceptable for them.
Moreover, we feel that the decision to fail our application in the audit was itself somewhat harsh, as explained below:
Our application was failed for not informing the user before making a data connection (GPRS), or before sending an SMS. In hindsight, we agree with the reasons for these requirements: if the user incurred any expenses without their knowledge, they would probably not have a pleasant experience of using the application. If many applications did the same thing, it would harm the entire Nokia Store ecosystem, as the users would we wary of trying new mobile apps. Therefore, we completely agree that before an application takes any action that incurs a charge for the user, they should ask the user permission for the same. Towards this end, we are committed to implementing this feature in all our future applications.
However, this requirement (of seeking the user's permission) is not mentioned anywhere in Symbian Signed Test Criteria (http://www.developer.nokia.com/Commu...4_Wiki_version). Before Express-Signing our application, we used to test it against all the tests mention in the V4 Symbian Signed criteria, and since our application passed all the tests, we used to confidently sign and release them. Only after reading the auditors' report did we find that this requirement (asking the user's permission before actions tham may incur charges) is one of the ways of interpreting "Check 4", which is meant to check "Malware".
Here is the complete text of Check 4:
Please note that nowhere does Check 4 educate the reader about the requirement to seek the user's permission before incurring a charge. This requirement only becomes clear in hindsight, after it is described by a test house / auditor."CHECK 4 - Malware check
The submission may not include any viruses, worms, malware, Trojan horses, time bombs or any other malicious code.
Nokia or appointed Nokia contractor will scan every submission coming through Symbian Signed service. Nokia may share the application and information submitted with the application, including but not limited to the developer information to assure the submission did not include any malware. If malware is found Nokia will suspend the user's account."
Since this requirement is not EXPLICITLY mentioned in any of the tests or checks listed in the Symbian Signed V4 criteria, we feel it is harsh to fail an application because of this. In our opinion, this should have resulted in a warning / advise to change functionality in the future.
For the above two reasons, i.e. ...
(1) Disabling Express-Signing for our account would cause a lot of harm to our business, and,
(2) The requirement to seek the user's permission (before any charge-accruing action) is not explicitly mentioned in the Symbian Signed criteria,
... we request that you re-enable Express Signing for our account. We do commit to making the required changes in all our future app releases.
Moreover, we are willing to go through the Certified Signed process too, but request that you (provisionally) re-enable Express Signing as well for us, even while the Certified Signing process is going on, so that we can continue to release applications for our clients.
Please do respond soon, and let us know your decision.