Why are applications digitally signed?

After customizing your smartphone with various applications and widgets downloaded from Nokia’s OVI Store and Beta Labs, your smartphone should now simplify many daily tasks. However, in order to unlock the N8’s full potential, you may want to install applications developed by other software developers (called publishers). Worldwide, there are many software developers creating applications (and utilities) for the Symbian platform. For example, 400,000 new developers joined the Nokia Developer Forum in the past 12 months.

Once developed, Symbian applications need to find a route to customers’ mobile phones. The ideal method for distributing applications is to partner with a cellphone manufacturer and have the software included on the device, before it leaves the factory. Alternatively, applications can be packaged as .SIS files which may be:

  • downloaded from the Internet (for example the OVI Store),
  • transferred via Bluetooth from a friend’s compatible cellphone, or
  • installed from a memory card.

As with any operating system, the Symbian platform is susceptible to malware. Malware is malicious software designed to carry out a particular function without the owner’s informed consent or prior knowledge. Malware can damage the phone’s operating system, rendering the device unstable or even useless.

With a view that the average smartphone user shouldn’t have to worry about security, the Symbian platform prevents the installation of applications that are not digitally signed. This also theoretically prevents applications from “covertly” sending or receiving data via Bluetooth or the Internet (which can cost the phone user money).

Digital signing assures the phone user that the application can be traced back to the original developer, using a publisher ID embedded in the installation file. More importantly, it helps guarantee that data on the smartphone is protected. Before an application can be signed and certified, it must:

  • meet certain criteria defined by Nokia (allow the application to be stopped using the task manager; allow the user to turn off autostart functionality; cleanup all files when uninstalled; pose no disruption to voice calls or text messaging whilst running),
  • pass a series of rigorous tests conducted by IT engineers working for Nokia’s Test House (a French company called Sogeti High Tech). To conduct these tests, the developer pays the cost of 150 Euros.

The Symbian operating system is divided into 21 parts, one of which is open and 20 of which are behind various “capabilities”, based on how sensitive they are and which functionalities they protect. A developer must understand each of these distinct “capabilities” and how they prevent the misuse of sensitive phone functions. The developer must declare which “capabilities” an application requires during the signing process.

Consider the following example which explains why digital signing is so important: If the application makes use of the phone’s multimedia capability such as audio playback or recording, it is vital that the application does not interfere with the phone’s ability to make and receive calls, especially emergency calls. Once the application passes the testing process, it can be digitally signed. The end user is now assured the application is safe to both install and run.

An application must also be thoroughly tested if the device’s Bluetooth, Infrared, GPS, USB, GSM Cell ID, Wi-Fi or Voice Call functions are used. If the application requires access to All Files (for backups), Digital Rights Management (music playback) and Disk Administration (memory formatting), it too must be rigorously tested.

Developers wishing to distribute their applications via the OVI Store can request Nokia to sign their application for free. This is possible for simple applications (such as Symbian themes) that don’t integrate with any of the phone’s capabilities. Applications developed in Qt Symbian, Symbian C++ and Flash Lite can also be signed for free by Nokia.

This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s