Wednesday, May 23, 2007

Symbian Signed is not an anti-virus software

The Register reported today that a new spyware for mobile phones had appeared on the horizon. It's harmful for S60 phones, too, 3rd Edition devices included. And what causes the stir in the water is that it's a Symbian Signed application.

There's a general misconception here, I'm afraid. I think the biggest problem most people don't understand that signing has not much to do with protection against malicious programs. These people don't understand that the process is about signing (surprisingly), i.e. certifying that the application comes from a well-known source. Additionally, in order for an application to be Symbian Signed it must undergo thorough testing being done by independent test houses. Since this application is Symbian Signed, it must have passed those tests.

The problem is that it's impossible to test everything an application can do. It's even possible to acquire for a capability (and get it!) just by saying that the application needs it for a different purpose. As this example shows: I can ask for e.g. NetworkServices capability and say that I need it for remote backup. And then make no mention on the fact that I will use it for other reasons, too. You know, it can be done since no-one checks the source code, it's not part of the approval process for Symbian Signed certification. And it will never be, I suppose, as no-one will ever share their best kept secret (i.e. the source code) with outsiders.

What Symbian (Signed) could do better, though, is that they shouldn't advertise these signed applications as "trusted". Because they aren't. What you can trust, though, is that the author of a Symbian Signed application is accountable. If he/she/they produce a software that proves to contain some malicious code, then they can be "caught" and counter-measures can be taken. What counter-measures? For example, the author's certificate can be revoked and added to a list, called Certificate Revocation List or CRL for short. This list can be always checked upon on-line. For example, when a user is just about to install a 3rd party software whose author is not known (or at least not trusted), the Application Installer can do this cross-verification as part of the installation process. Pretty useful info, isn't it? Worth noting that most users are not aware of this and they have this feature disabled on their phones. Including me, but that's on purpose. :-\

Just my two cents,

Tote

15 comments:

Anonymous said...

Here are two more cents for you :

Open

Source

It's not rocket science :)

Gábor Török said...

Hmm, open source what? Open source the 3rd party application so that we can see what it does? Perhaps these people wouldn't like for others to see their code. Or open source Symbian? That's an even more problematic topic. And the decision is definitely not up to me.

Would you please further elaborate your thoughts? Thanks!

Anonymous said...

Open

Source

indeed a good thing and you can easily protect your ideas -and not the source code- by other means....but it wouldn't really help in this case. Obfuscation is one quick and easy way of breaking it.

Gábor Török said...

I don't doubt that open source is a good thing, but could anyone explain it to me how it has anything to do with all the things I've mentioned in my article? And obfuscation? How does it come to my article?

Anonymous said...

I believe what haveigotgnusforyou is trying to say is, "If it isn't open source, don't use it." Of course, I'm not aware of any open source antivirus product out there for S60, but then if all you run is open source, and you know how to read the code... you won't need antivirus :) You can read the app and see if is malicious. If it is, you can clip out the malicious parts and continue on your merry way or just not use the app at all.

Gábor Török said...

Thanks, Anonymous, for the clarification! However, I believe that Open Source is a different world compared to what is happening now with Symbian. Although it's naturally possible to write open source sw for Symbian, but there's a different approach in use, too. And that's signing. And it seems that it's buggy or at least misleading. It misleads people, because they seem to think that the pure fact that an application is signed guarantees that it's not a spy/mal/etc.ware. But it doesn't. It's just about certifying that the author of the software is really what he/she claims to be. Plus some testing has been performed, too, but it's definitely possible to cheat.

Okay, one can say that go Open Source, but in fact it pretty much limits what you can install on your phone, then.

puterman said...

In actual reality Symbian Signed doesn't guarantee anything but the identity of the publisher, but the way it grants sensitive capabilities to apps makes it seem like it would actually guarantee that you're safe if you're using Symbian Signed apps. Of course, anyone who's ever been involved in a Symbian Signed project knows better. :)

Anonymous said...

Try this directory for open source antivirus software. Most are freeware to download and use right away..

Download Antivirus

Gábor Török said...

Unfortunately, there is no software that would match the 'antivirus symbian' search criteria. :-\

Anonymous said...

Hi,

This article is good and informative.

Software Development Company

Free Directory

Software Jobs India

Gábor Török said...

Thanks! :)

Anonymous said...

Thank you for the good posting. I've read about this from other people's view and opinion in other sites. At least now i have better understanding about malicious programs. Thank you again.

A.T. said...

Gabor, why you just didn't go straight to the point - Symbian Signed is software DRM, or to be more precise, it's architecture designed with one primary goal - to obscure/limit range of runnable apps on (mostly employer- or operator-subsidized) smartphones... as if you didn't know this before you've posted :(

Gábor Török said...

Because I have never thought of it like that. And I still believe that these are not the same. Look, DRM's main purpose is to grant for the content provider that the content (music, video, image, program, whatever) will be used exactly the way the content provider specifies. It's basically to guarantee the revenue for the content author.

On the other hand, Symbian Signed guarantees for the user that the application she is about to install has passed some official tests and gives some certainty that it's not a malware.

Do you think that these two are the same?

Bonobo said...

The blog ‘Mobile Thoughts’ is kept by Gábor Török, who is a professional mobile software developer. In this particular post he speaks about the emergence of a Symbian Signed spy ware attacking the smart phones. He explains the related concepts with a professional ease and judging by the average number of comments he gets in his blogs, it can be safely assumed that the blog has a loyal reader base.
IE AntiVirus