Comments

04 Sep
2009

Article Review by kamalakshan (20090904)

This article gives a clear idea of on which capabilities would be when developing sensitive applications. It is grouped according to the applications and capabilities it might require. It also list down some applications where in applications might require manufacturer capabilities and can achieve the tasks with some alternatives. And also points out clearly type of requests that might be rejected. The information listed is hardly available anywhere else and hence helps in preparing your self for getting application signed with manufacturer capabilities.

Log in or Join to leave comments.

This article contains a non-exhaustive list of the sorts of applications that typically need to be granted sensitive platform security capabilities, along with information about the capabilities required and why.

Capabilities for known applications

Here is a non-exhaustive list of known applications and the needed capabilities. If you are developing an application that falls into a category listed here, you should prepare to apply for listed capabilities when applying for a DevCert. In addition your application must pass both Symbian Signed. If any of the manufacturer approved capabilities (TCB, DRM and/or AllFiles) are included also Nokia test criteria must be passed in order to receive the final Symbian Signed certification.

Note also, that the capability reasoning given here is not self sufficient when applying for the DevCert; you will need to provide detailed information on the APIs needing mentioned capabilities. (Stating only that application XY needs TCB because stated so on this wiki page, is not itself a good enough reason for getting TCB approval)

Also, when making the DevCert request, it is strongly recommended that you scan your application code to see what other capabilities are really needed, and to omit all unnecessary capabilities from your DevCert request. Doing so may reduce otherwise unnecessary steps when handling your request.

Capabilities for known applications - by type

Firewall
CommDD, NetworkControl

Reasons: Hook in IP stack, advanced connections management

Antivirus
AllFiles, TCB, DiskAdmin, CommDD

Reasons: Read & Write access to caged data (\sys, \resource, \private), virus definition file updates from network.

Note that antivirus application needs to create file hooks, which cannot be implemented without a Symbian Platinum Partner development kit.

Encryption
AllFiles, TCB, DiskAdmin

Reasons: Read & Write access to caged data (\sys, \resource, \private)

Device management & device blocking
AllFiles, DiskAdmin, NetworkControl, CommDD, MultimediaDD

Reasons: Read & Write access to caged data (\sys, \resource, \private), managing connections, managing system resources

VoIP
NetworkControl, MultimediaDD

Reasons: Full duplex audio (APS), low level IP protocol access

Network Monitoring
CommDD, NetworkControl

Reasons: Protocol packets access, access to IAP tables

VPN
CommDD, NetworkControl

Reasons: Access to protocol packets, tunneling secure data

HotSpot Framework
CommDD, NetworkControl

Reasons: Access to protocol packets, tunneling secure data

Following are examples of applications that in theory can need sensitive capabilities but do so only in rare circumstances, and thus need extra reasoning in order to be approved.

Data call
CommDD, NetworkControl

Reasons: There are better way to implement data connection that a CSD data call.

SIP application
NetworkControl

Reasons: Enabling a SIP profile – not a common action of a SIP application.

File browser application
DiskAdmin, AllFiles

Reasons: File browser application that has access to all caged data will not get accepted, as it will jeopardize the Platform Security feature as such.

File access capabilities in general
Three caged locations in the file system need capabilities to access:

\sys – AllFiles to read, TCB to write
\resource – no caps to read, TCB to write
\private – no caps for process’ own caged part, for other parts AllFiles is needed (read & write).

DLL loading requirements by DLL type

Message Type Modules:
Client side MTMs

• S60 3.0, 3.1 All –TCB (read: All minus TCB)
• S60 3.2 onwards only NetworkControl and DiskAdmin are needed.

Server MTM
NetworkControl and DiskAdmin

BIO Messaging:
BIO Parser
NetworkControl, DiskAdmin
BIO Control plug-in
NetworkControl

FEP
All –TCB

Profile plug-in
All –TCB

Browser plug-in

• S60 3.0, 3.1 DRM, NetworkControl
• S60 3.2 onwards NetworkControl

Phonebook plug-in
NetworkControl