signed/unsigned

**WaelA** · 2006-12-11, 19:51

Hello,
i read about sign app
https://www.symbiansigned.com/how_do...ion_signed.pdf

but i still need help i have 1 question
if my app self signed
how will that affect phone?
what if the user from app manager (software installation all)
will my app install on phone device and work functionality?

regards
Wael

**Sorcery-ltd** · 2006-12-11, 20:12

Hi Wael,

If your application is self-signed then it can still install as long as the UID is from the unprotected range. The user will get a warning on installation that the application is from an untrusted source (or something like that). If it works or not after that will depend on what capabilities your application uses. If it doesn't need any then it will work fine. If it needs some user grantable capabilities then the user will have to allow the application to use them for it to work. If you need some capabilities that the user cannot grant then I'm afraid you'll need to go through symbian signed.

I hope that answers your question?

Sorcery

**WaelA** · 2006-12-11, 20:41

hi Sorcery-ltd ,
thanks, for your answer
it would use location /network info

but this is a big pain
does symbian want developers go another OS like windows mobile?

by example CommDD why CommDD is Capability
i am just a developer and not a big company what if i want to sell my symbian OS?

there is many forms of secuirty !!! but for most it must be controlled by user he can open his mobile or stop it and it should not mandatory by OS
but sign the app is not a proof of high quality of the app!!

Regards
Wael

**Sorcery-ltd** · 2006-12-12, 12:27

Hi Wael,

The good news is that location and network services (is that what you mean? - there isn't a network info as far as I'm aware) are likely to be user grantable. Most likely you application can be self signed. The user will just have to grant the capabilities.

One of the reasons we have platform security is that some of the APIs on the phone are very powerful and if used maliciously or just carelessly they could break the phone functionality, or cost the user a lot of money. APIs requiring CommDD are and example of this. So, it was decided some sort of security was needed to protect the end users and the networks. It isn't very popular with developers. Hopefully the developers will benefit because end users will trust their applications when they are signed - but that is still to be seen.

I am just a developer too, and I don't work for a big company (although I used to work for phone manufacturers so I have seen from the inside too). You should be able to develop most applications with just the user grantable capabilities. If you really need to use the restricted capabilities then your application ought to be doing something useful/clever with it which is worth some money. In that case it should be worth the investment in getting it signed - it is not THAT expensive.

Signing is not really supposed to be proof of the application quality, it really just says it has been tested by an independent test house who don't think it will do anything bad!

I actually agree with you - the user should have ultimate control. There should be a setting that allows the user to grant any capability (probably not the default). I can install unsigned device drivers into windows and I just get warned about the possible consequences. The end user should just be warned about the potential results of granting an untrusted application certain capabilities and given the choice. If they don't understand they should say NO. If they don't then it's their fault when things go wrong!

Good luck with your development! By the time you are finished perhaps there will be some changes that make it easier for independent developers to get their applications signed.

Sorcery

**WaelA** · 2006-12-12, 12:47

'
hello,

i just need to are code (cell info)
iCellId, iCountryCode, iLocationAreaCode, members of class TNetworkInfoV2

about other issue
if i am not wrong
i think that i can write to file c:\test.dat with normal self signed app

also what about bluetooth apps?

thank you Sorcery i just feel that sign is a big pain

regards

>>>
cation and network services (is that what you mean? - there isn't a network info as far as I'm aware)

Originally Posted by Sorcery-ltd

Hi Wael,

The good news is that location and network services (is that what you mean? - there isn't a network info as far as I'm aware) are likely to be user grantable. Most likely you application can be self signed. The user will just have to grant the capabilities.

One of the reasons we have platform security is that some of the APIs on the phone are very powerful and if used maliciously or just carelessly they could break the phone functionality, or cost the user a lot of money. APIs requiring CommDD are and example of this. So, it was decided some sort of security was needed to protect the end users and the networks. It isn't very popular with developers. Hopefully the developers will benefit because end users will trust their applications when they are signed - but that is still to be seen.

I am just a developer too, and I don't work for a big company (although I used to work for phone manufacturers so I have seen from the inside too). You should be able to develop most applications with just the user grantable capabilities. If you really need to use the restricted capabilities then your application ought to be doing something useful/clever with it which is worth some money. In that case it should be worth the investment in getting it signed - it is not THAT expensive.

Signing is not really supposed to be proof of the application quality, it really just says it has been tested by an independent test house who don't think it will do anything bad!

I actually agree with you - the user should have ultimate control. There should be a setting that allows the user to grant any capability (probably not the default). I can install unsigned device drivers into windows and I just get warned about the possible consequences. The end user should just be warned about the potential results of granting an untrusted application certain capabilities and given the choice. If they don't understand they should say NO. If they don't then it's their fault when things go wrong!

Good luck with your development! By the time you are finished perhaps there will be some changes that make it easier for independent developers to get their applications signed.

Sorcery

**Sorcery-ltd** · 2006-12-12, 14:08

Oh - it looks like you might have a problem there.

According to the SDK documentation you need both:
ReadDeviceData
Location

to request the location info from CTelephony via GetCurrentNetworkInfo(). Perhaps there is another solution?

I don't think ReadDeviceData is user grantable - someone please correct if I am wrong?

I think you would need WriteUserData to write c:\test.dat but that should be user grantable, so you could self-sign.

Generally I think you need LocalServices capability to use Bluetooth which should also be user grantable.

I hope that has answered your questions?

Sorcery

**WaelA** · 2006-12-12, 14:12

thanks Sorcery,
i read 3d docs and i was able find how to know that API requier CAPABILITY or not and if need it shows what kind of CAPABILITY it requier
in general sign or CAPABILITY is pain for developers

and i have another question how the phone can recognize the certificate?

does when i install an app it connects over GPRS(access point) and verify the certificate?

Regards
Wael

**Sorcery-ltd** · 2006-12-12, 17:38

That question is best answered by a real platform security expert... but they might not want to tell you?

It doesn't have to connect over GPRS to verify the certificate. There are certain root certificates installed in the device and the certificates that you get from Symbian signed will "chain" to those. I haven't really looked at how it works underneath in great detail, I just use it!

It is possible for a certificate to be revoked but I assume that in that situation a message would have to be pushed to devices from the networks.

Sorcery

**antonypr** · 2006-12-12, 17:43

As explained by Sorcery-ltd, there are some root certificates that are installed on the phone during manufacturing. You can check it from Tools | Settings | Security | Certif. management. There you can see root certificates on your device.

When you install an application, it will check the certificate against these certificates. If the installer cannot verify the application's certificate, it will simply display unknown certificate -> thus the application is not trusted.

One additional note, it is also possible to install additional certificate on the phone using .sis file -> it is not common, but possible.

Antony

Discussion Board

Thread: signed/unsigned

Thread Tools

Search Thread

Rate This Thread

Display

Posting Permissions