In general, Symbian OS is not strongly protected against a hands-on attack (that is, when an attacker has physical access to the mobile device) because access to a device is controlled by the device lock feature, which is not used often. Other external methods of protection, like a PIN code or Subscriber Identity Module (SIM) locking, tend to provide protection only when a cellular network is being accessed, leaving the device's information content vulnerable to physical attack. Without cryptographic protection, it is also relatively easy to gain access to the device's information storage with hardware-based methods (for example, wiretapping connectors and direct reading of memory chips).
As mentioned previously, Symbian OS platform security consists of hardware security and software security. Hardware security protects the integrity of software, and software security enforces application-level security.
Sometimes an application needs to identify the mobile device it is running
on for security reasons, for example to use specific ciphering keys or to
apply copy protection. Identification can be done by checking the device's
International Mobile Equipment Identity (IMEI) code, which is unique to each
device used in cellular networks. IMEI can be retrieved using, for example, PlpVariant::GetMachineIdL or CTelephony::GetPhoneId, depending on the SDK version in use. Refer to the SDK API or Symbian documentation
for the proper method because there are different APIs for getting IMEI in
different versions of SDKs.
Another way to get information about the running platform and the mobile
device is through the HAL::Get() method defined in hal.h.
More information and examples about this subject can be found in the document S60
Platform: Identification Codes on the Forum Nokia Web site.
User authentication
When the device is powered on, the user is authenticated at the operating system level using standard device authentication methods such as PIN code and security code requests. However, these features can be turned off by the user and are easily reset with special hardware. If an application needs to authenticate the user (for example, the application manages device settings), it should do so at the application level by implementing a separate user name/password authentication mechanism.
Symbian OS claims to ensure the integrity of data even in the presence of unreliable communication and a shortage of resources such as memory, storage, and power.
However, the user may detach removable storage media at any time, either
intentionally or unintentionally. There is a built-in detach-handling mechanism
in Symbian OS, but applications should still be prepared for a sudden loss
of storage media to prevent data loss or corruption. The type of storage media
(removable/fixed) can be checked with the RFs::Drive() method.
The same rules also apply to power availability. The device may shut
down at any time, either by accident or because the battery has run out. It
is recommended that important data stored in nonpermanent memory be written
to permanent disk as soon as possible. The battery level can be queried with
the HAL::Get(EPowerBatteryStatus) method. Forum Nokia's S60 Platform: System Information Example demonstrates retrieval
of system information.
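The following added example (not from the original page or from Symbian or Nokia code) shows one way an application can prepare for sudden loss of media or power: write the record to a temporary file, flush it to the medium, and only then rename it over the previous copy, with a length and checksum header so a torn record is rejected on load. It uses standard C++ with POSIX fsync instead of the Symbian file-server API; the function names SaveAtomically and LoadVerified and the record layout are assumptions made for illustration.

```cpp
// Added example (constructed): crash-safe record storage in portable C++ with
// POSIX fsync; it does not use the Symbian file-server API.
#include <cstdint>
#include <cstdio>
#include <string>
#include <unistd.h>  // fsync

// FNV-1a checksum: detects truncated or torn records; it is not a MAC.
static uint32_t Fnv1a(const std::string& s) {
    uint32_t h = 2166136261u;
    for (unsigned char c : s) { h ^= c; h *= 16777619u; }
    return h;
}

// Write to a temporary file, force it to the medium, then rename it over the
// old copy, so a reader finds either the complete old or complete new record.
bool SaveAtomically(const std::string& path, const std::string& data) {
    const std::string tmp = path + ".tmp";
    std::FILE* f = std::fopen(tmp.c_str(), "wb");
    if (!f) return false;  // for example, the medium is already detached
    const uint32_t hdr[2] = { static_cast<uint32_t>(data.size()), Fnv1a(data) };
    bool ok = std::fwrite(hdr, sizeof hdr, 1, f) == 1 &&
              std::fwrite(data.data(), 1, data.size(), f) == data.size() &&
              std::fflush(f) == 0 && fsync(fileno(f)) == 0;
    ok = (std::fclose(f) == 0) && ok;
    if (!ok) { std::remove(tmp.c_str()); return false; }
    return std::rename(tmp.c_str(), path.c_str()) == 0;
}

// Load a record; succeed only if its length and checksum match the header.
bool LoadVerified(const std::string& path, std::string& out) {
    std::FILE* f = std::fopen(path.c_str(), "rb");
    if (!f) return false;
    uint32_t hdr[2];
    bool ok = false;
    if (std::fread(hdr, sizeof hdr, 1, f) == 1 && hdr[0] <= (1u << 20)) {
        std::string buf(hdr[0], '\0');
        ok = std::fread(&buf[0], 1, buf.size(), f) == buf.size() &&
             std::fgetc(f) == EOF && Fnv1a(buf) == hdr[1];
        if (ok) out.swap(buf);
    }
    std::fclose(f);
    return ok;
}
```

The checksum only detects accidental truncation or corruption; it gives no protection against deliberate tampering with the stored file.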
Even though internal storage is not physically protected, Symbian
OS provides a way to secure memory cards with password protection. If the
locking option is used (method RFs::LockDrive), memory card contents are protected
with a certain password and thus cannot be read in any other device without
the password. Password locking is provided by the extended functionality of
the Multimedia card (MMC), and therefore might not be compatible with all
hardware and software configurations.
Several third-party security applications can help maintain device security and information security.
A mobile device can be protected with antivirus software that can detect and quarantine any viruses that try to access the device. It may also disinfect infected files, retaining the original, usable data. Another important security category is firewalls, which are usually combined with antivirus software to protect and observe both incoming and outgoing data connections. This enables monitoring of important information and prevents the possibility of sending it out of the device. Furthermore, firewall and antivirus software can be part of an intrusion detection system that notifies the user whenever a malicious attempt is detected.
The selection of information security applications is even greater. There are applications to encrypt existing files, manage passwords, and store information and data securely (that is, vaults). It is even possible to cipher information in applications and connection methods not initially supporting the ciphering (for example, short message service [SMS]).
The possibilities offered by third-party applications should be carefully studied when preparing new mobile systems that will be used in the business world.