[Kris Kumar]

http://msdn.microsoft.com/mobility/default.aspx?pull=/library/en-us/dnppcgen/html/wmsecurity.asp

"Every Windows Mobile–based device implements a set of security policies that determine whether an application is allowed to run and, if allowed, with what level of trust. To develop an application for a Windows Mobile–based device, you need to know what the security configuration of your device is. You also need to know how to sign your application with the appropriate certificate to allow the application to run (and to run with the needed level of trust). ... Most Windows Mobile devices ship with the Mobile2Market privileged certificate. Your application will work on these devices if you sign it through the Privileged Signing program of Mobile2Market. However, Smartphones on some mobile operator networks ship without the Mobile2Market privileged certificates. (As previously mentioned, these operators, as of May 2005, are Orange UK, Verizon USA, and Cingular USA.) On these devices, you have to ask the OEM or mobile operator to sign your application, and that organization may be very restrictive about what applications it is willing to sign."

Application signing has been a controversial topic for the Smartphones. Developers and users hate it. Carriers love it. I consider it as a necessary evil. According to this article not much has changed on the Smartphones as far as the security goes, but seems like development and testing of the application signing process and detecting the security configuration has been simplified.

[Kris Kumar]

http://msdn.microsoft.com/mobility/default.aspx?pull=/library/en-us/dnppcgen/html/wmsecurity.asp

"Every Windows Mobile–based device implements a set of security policies that determine whether an application is allowed to run and, if allowed, with what level of trust. To develop an application for a Windows Mobile–based device, you need to know what the security configuration of your device is. You also need to know how to sign your application with the appropriate certificate to allow the application to run (and to run with the needed level of trust). ... Most Windows Mobile devices ship with the Mobile2Market privileged certificate. Your application will work on these devices if you sign it through the Privileged Signing program of Mobile2Market. However, Smartphones on some mobile operator networks ship without the Mobile2Market privileged certificates. (As previously mentioned, these operators, as of May 2005, are Orange UK, Verizon USA, and Cingular USA.) On these devices, you have to ask the OEM or mobile operator to sign your application, and that organization may be very restrictive about what applications it is willing to sign."

Application signing has been a controversial topic for the Smartphones. Developers and users hate it. Carriers love it. I consider it as a necessary evil. According to this article not much has changed on the Smartphones as far as the security goes, but seems like development and testing of the application signing process and detecting the security configuration has been simplified.

[ctitanic]

Repeating what I said in PPCToughts

Quote:

Well, that's the "pain-in-the-a..." system already implemented in the SmartPhone edition of the current OS. And if you look around the web using google for "Application Lock" you will find 1000s of post from people looking for a way to go around it and install what ever they want in their phones. The implementation of that kind of security is something good for MS and partners making money with the business of "Digital Signing" applications. It's 1000s of times better if each user could implement the level of security he needs, at least from the point of view of consumers it seems to me better than have some companies deciding what is better (secure) for us.

In another hand, these security imposed policies make the prices go up because a developer who pay 1000 dollars just to sign one application for one year will pass that cost to us users.

[Kris Kumar]

I agree with you 100% percent.

It is a necessary evil. But as you said the user should decide the level of security he/she is comfortable with. Instead of the carriers. :evil:

The carriers just like it for the money part, forcing you to not only buy programs from their website. But also charging the developers for the signing. That is double attack. :evil:

This is what Microsoft can do - Instead of the stupid warning that pops up everytime an unsigned app is installed or run for the first time. The OS should detect apps that want to call secure or critical routines (like check addressbook, or trigger SMS/emai or reset etc) and based on that it should bring up a warning, saying that the program intends to make a call to such and such routine - approve/deny?

[ctitanic]

Quote:

Originally Posted by Kris Kumar

This is what Microsoft can do - Instead of the stupid warning that pops up everytime an unsigned app is installed or run for the first time. The OS should detect apps that want to call secure or critical routines (like check addressbook, or trigger SMS/emai or reset etc) and based on that it should bring up a warning, saying that the program intends to make a call to such and such routine - approve/deny?

Sounds good to me. 8)

[Mike Temporale]

Quote:

Originally Posted by Kris Kumar

This is what Microsoft can do - Instead of the stupid warning that pops up everytime an unsigned app is installed or run for the first time. The OS should detect apps that want to call secure or critical routines (like check addressbook, or trigger SMS/emai or reset etc) and based on that it should bring up a warning, saying that the program intends to make a call to such and such routine - approve/deny?

I would like to add a "remember this setting" check box. So that this app will always be allowed to preform those activities, but other apps will still require a prompt. Kind of like the way most Firewall apps do it.

[ctitanic]

Quote:

Originally Posted by Mike Temporale

Quote:

I would like to add a "remember this setting" check box. So that this app will always be allowed to preform those activities, but other apps will still require a prompt. Kind of like the way most Firewall apps do it.

Of course.