<div class='os_post_top_link'><a href='http://www.mobileburn.com/news.jsp?Id=441' target='_blank'>http://www.mobileburn.com/news.jsp?Id=441</a><br /><br /></div>From the "Microsoft Didn't Think Of It" Department...<br /><br />MobileBurn notes that that UK mobile operator 3 is selling the Motorola A920 3G handset with a "closed" version of SymbianOS 7.0. Applications must be "authorized" by 3 before users may install them on their phones. A quick check of 3's web site did not yield information on the authorization process. I will post back once I find it and can compare it to Microsoft's Mobile2Market certification process.<br /><br />This illustrates that application certification, or authorization, is being asked for by mobile operators. If it's being asked for by the operators, then Microsoft and Symbian have little choice but to supply it. Operators, I'm sure, have to be terrified by the thought of a Blaster-like attack on the mobile networks. Is tightly controlling the installable base of applications through a certification process the best way to do it?

I am a supporter of Application Signing for phones..But not all apps!

I would like to see the two categories of applications...

1. Applications that access the network (send SMS, download/send data), "change" (not read) addressbooks or would "change" the phone settings : such apps should be signed. Basically to access priviledged API the app has to be signed.

2. Applications like games, screensavers or other simple programs that one may write. Should not require signing. I think showing a Unsigned App warning is sufficient.

This way u can restrict crazy programs that want to read the addressbooks and send SMS messages on its own. Or ones that can mess up your phone settings. But still enjoy installing harmless apps like games
or caller id freely.

Kris

I would like to see the two categories of applications...

1. Applications that access the network (send SMS, download/send data), "change" (not read) addressbooks or would "change" the phone settings : such apps should be signed. Basically to access priviledged API the app has to be signed.

2. Applications like games, screensavers or other simple programs that one may write. Should not require signing. I think showing a Unsigned App warning is sufficient.

I like the idea, but wouldn't you, as a mobile service operator, need to certify that apps in point #2 don't do any of the things listed in point #1?

From the phone operator's perspective I can see the value in testing/certification of the app, so that it doesnt freeze or hang the phone. I can see that certification can reduce the customer support calls.

The reasons why I dont want ceritification to point 2 (second category apps):
- signing/ceritification/testing comes at a cost, the developer has to pay the operator for it or a third party, it will kill the creative shareware/freeware community. It will put a cost on each app.
- currently Smartphone (MS or Symbian or Linux) is a new tool/concept, the advantage of Smartphones is that u can customize it with apps, and if there is a cost associated with each app (no freeware/shareware apps), I may feel less compelled to adopt the technology.


But I can see the whole mess...and why Operators may wanna force signed/certified apps.

So here is an expansion over my earlier proposal...three tier system

1. The category 1 apps (that access network, modify address book) must be signed.
2. The category 2 apps "should" be signed. The operator may leave the option upto the customer to decide, whether he wants to restrict apps based on whether they are signed or not. It could be one of the settings on the phone. Just like on Windows 2000 or XP, when u r installing drivers, u can specify how the system should react to unsigned drivers, dont install, install or prompt.

Basically the user can install harmless apps, knowing that they havent been tested and may not work well and if it crashes the operator may charge him for customer support :-)

But apps that require network access or modify settings should be blocked if they are not certified.

Kris

On MS smartphones we already have a security model with "privaleged certificates," generally issuable only by the network operator which allow access to privaleged functions on the phone. Non-privaleged certificates are issued by signing bodies such as geo-trust and verisign, and allow access to all the non privaleged functions, so are fine for games, callerIDs and so on.


Why this method cant be used on Symbian smartphones is beyond me.

I can see the need to protect privaleged functions, but for non-privaleged functions there really is no excuse for forcing app-signing. Perhaps a warning ONLY the first time it is run would suffice.

not only are they only allowing authorised apps to run - but get this - internet, web and email access appears to be locked inside 3s network!

now i understand certification to a point, to stop harmful apps that will either make you loose data or cost you money (e.g. in unautorised data/sms/voice charges) - although i'd want to be able to have the final decision installing apps on *my* own device

however, locking me inside an operators intranet with no access to the internet is too much control

there is a good article over at AllAboutSymbian (http://www.allaboutsymbian.com/newsdisplay2.php?id=16329) reporting from the launch of the A920 device