The Orange SPV Smartphone Lock Down
Andy Sjostrom
12-05-2002, 10:43 AM
The Orange SPV is the first Smartphone 2002 and the first mobile phone with a Microsoft operating system, so it is not a surprise that anything related to the Orange SPV attracts attention. The last couple of days we've seen reports and comments about the new Orange SPV mobile phone and how the phone is "locked" from a software perspective, forcing developers to first get their applications signed by third party certificate authorities such as Verisign. Many have reacted strongly to this as it severely impacts developers' ability to reach users, thereby limiting the growth of the software market and user choice. Reactions have been strong also because the process of forced application certification and device locks is uncommon in the software market we've lived in for decades: the PC market.
With these thoughts in mind, I put together the questions below to Microsoft. Check them out and read the answers.
Question: From a software deployment point-of-view, how is the Orange SPV phone locked and why?
Answer: Windows Powered Smartphone includes an X.509 based applications security model which allows operators to optionally require applications to be digitally signed prior to installation and execution on devices. The Orange SPV has applications security enabled, making devices "locked" to unsigned applications. For these locked devices, mobile operators engage public trusted authorities i.e. Verisign or Baltimore (certificate authorities) to digitally sign applications before they are installed and executed on devices on their networks.
Question: What does a developer have to do and obtain to develop, market and sell Smartphone 2002 applications that Orange SPV users can buy, install and use?
Answer:
- Register as a member of Microsoft Partner Program (http://www.microsoft.com/mobile/partners/) and choose "Smartphone" on the left hand menu.
- Download the Software Development Kit (SDK) (http://www.microsoft.com/mobile/developer/default.asp) (More than 225,000 developers have already done so.)
- Once developers receive logo certification, they can submit their applications into the Mobile2Market catalog which is promoted to operators and retailers worldwide.
- Engage Mobile2Market Certificate Authority partner, Verisign or Baltimore, to digitally sign application.
Please note: There is a nominal fee for logo certification and code signing. This fee is paid directly to third party testing houses and code signing partners (and not Microsoft nor Orange). Microsoft is making a limited discount available to partners getting an app certified before 30th January. The discount is being paid directly to the third party testing labs.
Question: Is the software lock imposed as a request by Orange or by Microsoft?
Answer: Device lockdown is a choice for OEMs or mobile operators. Windows Powered Smartphone 2002 includes optional advanced applications security architecture designed to enable OEMs, operators and corporations the flexibility to meet their customers’ requirements. The X.509 based applications security model allows operators to require applications to be digitally signed prior to installation and execution.
Question: What is Microsoft's view on restricting users what they can and can't install on their devices?
Answer: A large and empowered end user and software developer community is essential to the health of the computing ecosystem. As the worlds of telephony and software converge on next generation devices like Smartphone, we'll undoubtedly see the traditions in each of these industries evolve somewhat. From a security standpoint, the Smartphone 2002 architecture (based on the X.509 certificate model) allows operators not only to protect their customers from malicious applications and viruses, but also to provide their corporate customers additional levels of device control and customization.
Microsoft supports security efforts designed to maximize user experience by protecting the integrity of:
1. User data - ensure contacts are not posted to obscure websites, for example
2. Network - prevent applications from interfering with network stability through signaling or SMS, for example
3. Billing – guarantee applications are not generating traffic or transaction events (and accruing costs) without users' knowledge
By remaining 100% committed to the Windows developer community and doing our part by providing a fertile platform for innovation, Microsoft hopes to ship every software platform, with the developer community and its needs, as well as the computing ecosystem, in mind.
Question: Will an unlocked Smartphone 2002 ever be released by anyone?
Answer: The Orange SPV is the first of several Smartphone-based handsets to come to market. Microsoft has nothing to announce today but stay tuned...
As far as I can tell, Orange is in true mobile network operator spirit imposing the device lockdown. That is said with ambiguous feelings: I would love to see a completely open architecture, and I read the statements about "evolving traditions" both ways: we will eventually see more open telephony architectures as well as more secure and closed software architectures. However, while it is Orange that decided to lock their devices, I don't doubt that product teams at Microsoft will address their not so perfect security track record and act when Bill Gates says: "Trustworthy Computing". Open and secure are each other's opposites, so we will see more closed and more secure architectures from Microsoft moving forward, not only in the areas of telephony.
Now it's your turn! What would be the best move by a mobile network operator and by Microsoft moving forward on their next Smartphone projects?
carphead
12-05-2002, 11:42 AM
I was planning on changing my T68i for a SPV. I even went as far as placing the order. Then I read about the lockdown so I canceled the order straight away.
There have been several issues with the SPV (not being able to dial contacts from the phone book being a major one) which had me a bit on edge about it. The lack of Bluetooth had me a bit concerned but I thought I'd just buy the SDIO card when it comes out. But the lockdown is just a killer for me!!!
I guess I'll wait for the P800 instead. Sorry Microsoft and Orange but if I can't install any apps that I want on a "Smartphone" then it doesn't seem that smart to me! :cry:
someppcuser
12-05-2002, 11:56 AM
I also can't wait for the P800 ;)
Operators should just remove the lock and provide ZoneAlarm for Smartphones.
I've read the comments of an Orange representative saying that they wouldn't want customers being wrongly billed. That is a lame excuse. The same problem exists on the desktop. Just make a popup appear when an app dials a GPRS connection, etc.
Daimaou
12-05-2002, 12:03 PM
Well, it is the first device ever made with this OS. Everybody makes mistakes, and Orange as well as MS will learn from this.
I still think that this OS will really change our way of telephoning. Just be patient.
I cannot use such things in Japan, but I am working with China and must go there sometimes. I will prefer to buy the new 6650 Nokia (which arrives this month in Japan, the first mobile phone in the world that can be used almost everywhere :D) than any Smartphone now... just wait and see
When I was in France I played with 2 P800s; they look so cheap :( (those models were borrowed by SE)
revolution.cx
12-05-2002, 12:08 PM
I think the market will speak on this one, both from the developer side and the end user side. I'm all for app signing but I think the user needs to be allowed to turn it off.
I've had Lextionary for the Smartphone at beta stage for over a month and that's where it has stayed. No phones to test on, cash up front to certify it, signing hassles, and did I mention a microscopically small Smartphone installed base? I have more pressing things to attend to.
Microsoft and their partners (Orange chose the specific signing model, not MS) will see that software support for the SPV will be a trickle at best and will panic in a few months. The model they have set up works fine for large corporate applications but doesn't work for a cool, hip device with fun and interesting software. Makes even less sense for an inexpensive mass market device such as the SPV.
I guess they are happy to give this market away to Nokia. Nokia has their problems but they also have the head start.
And has Microsoft fallen so far that they were only able to get 2 launch partners, one of which did the unheard of and pulled out at the last minute and the other one is just one more operator in just one more country (no offense UK)?
Okay, it's 3 in the morning and I've been programming all day and I'm a little grouchy....but Microsoft is not getting off to a good start on this one. It's a shame because the hardware and OS are pretty darn decent for a version 1.
werty
12-05-2002, 12:53 PM
And if someone wants to make a program for the smartphone, they can't test it before signing. And it is so different to code for real hw.
This just verifies my opinion about carrying 2 devices...
It is so useful to make notes to PocketPC while talking on phone.
carphead
12-05-2002, 01:13 PM
Changing the subject a bit!!!
I went to see the new James Bond film last weekend. 14 months ago one of the guys there has a P800!!! How come these terrorists get a P800 14 months ago yet I have to wait this long! :( :) It worked and all. Had a really good image of Bond on it. He didn't even need to look at the phone when he took the picture; it snapped a perfect image of Bond from 20 yards and had him slap bang in the middle of the frame.
Then some bird blew up a building using a stick of dynamite and a t68i. So I decided then to turn my phone off! :D
Sorry just thought I'd say SmartPhones can be used for Good :angel: and Evil :twisted: . So just be careful with the phones people.
someppcuser
12-05-2002, 01:18 PM
The SPV is just a toy for consumers. Internet, ONE email account only, games, no bluetooth.
Biz people will always have two devices. A phone enabled PDA with a large screen and a bluetooth audio earset ;)
krisbrown
12-05-2002, 01:33 PM
Another nail for the coffin :D
The flood of very cheap quality software for the Symbian OS is amazing me, Smartphones are slipping behind, soon the gap will be unrecoverable.
seeker
12-05-2002, 01:58 PM
Thoughtful arguments on both sides.
In the final analysis, the customer/user will decide what is most useful and acceptable.
Discussion groups such as this one allow the future customers to learn about the product features, limitations and capabilities and thus be prepared to decide.
Thanks for the operations of this discussion group.
8O
The quality of the free apps is generally pretty dire and with the possibility of malicious code being written by anti-MS loners I think lockdown seems a pretty good idea. Bad publicity from bad software or hacking attempts will hurt the phone more than the availability of a trek game or yet another list app. The core of owners will not be the ones who care if shareware is available but people who want solid, well thought out and working apps. Sure people have the option to download or not, but a few articles in the press would get them all scared off even if they never downloaded anything in their life. Imagine the headline, "Hackers took over my smartphone". If an app is good then people will pay for it, a few dollars will be enough to recoup the price of the signing, and if they don't then it just means that people didn't think it was worth paying two bucks for in the first place.
Master O'Mayhem
12-05-2002, 03:09 PM
Changing the subject a bit!!!
I went to see the new James Bond film last weekend. 14 months ago one of the guys there has a P800!!! How come these terrorists get a P800 14 months ago yet I have to wait this long! :( :)
Well, I have had mine close to two months :P
Master O'Mayhem
12-05-2002, 03:11 PM
Wouldn't this locking seem to not allow hackers to write their own code to unlock the SIM lock? Is that what they are afraid of? hmm... or is the SIM lock totally separate?
Jason Dunn
12-05-2002, 05:11 PM
Interesting thread - seems like it got all the pro-Symbian people out to mock... :roll:
Thankfully, the buying public is nothing like us, and OS bias will likely not play a factor in their purchasing decision. 8)
Garry [WMA]
12-05-2002, 05:43 PM
I can see the point of protecting against malicious code but the one really worrying thing is that to get a certificate you have to pass the logo tests. Now if this had been implemented on the PocketPC a lot of very fine applications would never see the light of day and in particular anything which patches the OS. For example we are highly unlikely to get certification for SuperAlert for the SPV although we've had a number of requests to do so.
Also if they want to encourage the market certification should be free.
Daniel
12-05-2002, 06:24 PM
Seems a bit scummy to me, I guess we're all PPC nerds though so claims about market share slipping might be a little premature.
I'd like to see the SP do well but I don't know if this is going to help. Hopefully MS will get more than one partner to ship a device so that we can see what the verdict is.
Daniel
Shaun Stuart
12-05-2002, 06:25 PM
I have an SPV and it works fine - the lockdown problem is an issue but you can already get rebound, tennis addict, slurp, casino, codewallet, listpro, interstellar flames, and more from http://www.handango.com/orange-cobrand - how many additional products were available in the first two weeks of the pocket pc platform release?
(not many as I remember - I am also a pocket pc user (ipaq 3870) and remember way back when I purchased one of the first Jornada 545 in the UK)
Reading the smartphone forums is like reading the pocket pc newsgroups back in the early days of release - there are problems but I still think it's a good product that will only improve with time.
mookie123
12-05-2002, 06:50 PM
I can already say SPV is a flop. It's just a not-so-dumb phone, but not a true smartphone.
I think people just have to live with PPC Phone Edition for true smartphone functionality. (and bring an extra battery)
One of Microsoft's selling points for the smartphone is supposed to be that there's going to be a lot of software available for it. Not like this:
Neither Baltimore nor Verisign is doing certificate testing yet. The only apps you can get are the ones that Orange chose for their CD. Nothing since then, and neither company will say when they're going to start testing.
$600US isn't that "nominal" for small developers, especially if you consider that fee for EACH version. Users can say goodbye to quick updates.
Developers will only be able to test apps without certificates (any in development) on emulators that aren't accurate enough for good testing.
Hello, Nokia.
kennyg
12-05-2002, 07:31 PM
There have been several issues with the SPV (not being able to dial contacts from the phone book being a major one) which had me a bit on edge about it.
You can indeed dial a contact from the phone book, where did you get the idea you couldn't? You can't from the Thera, but that was Toshiba's decision...
sullivanpt
12-05-2002, 07:43 PM
$600 per version isn't even close to nominal! If I sell an app through an online store (like Handango) for $10 my net (after fees) is ~$6. I've got to sell 100 copies before I can even begin to start making up my development costs (computer, time, ISP, etc.). That means if you want me to add some special feature to my existing app (say you're red-green color blind and you can't make out the text), you've got to find 100 friends willing to purchase the upgrade before I will even consider helping you. -- On the PC and PPC platforms, it costs me only 5 minutes of my time, you want purple text, ask nicely, it's yours.
But the much bigger problem with the SPV certificate process is this: MS (through Orange) is using it to test the market for the Palladium "Trusted Computing" model. If you're not familiar with Palladium you should be! If it flies, then in the very near future it won't just be your SPV that's locked down. Your home PC will be too!
http://www.microsoft.com/presspass/features/2002/jul02/0724palladiumwp.asp
I put the question like this: Was Orwell's dire prediction in his novel 1984 incorrect, or just premature? Use your consumer power to protect your rights to control content on your PC. Don't buy an SPV until Orange drops their certification.
mookie123
12-05-2002, 08:21 PM
Everybody is going to buy Taiwanese made CPU, VIA, anybody remember Cyrix? or ARM in the future. (hell, here come SH-3, PowerPC or VR)
put Linux on top of it too....... stick a finger at Palladium.
If anybody is buying SPV and not thinking about Palladium, they deserve to be spied on and their computer locked down in the future because of their stupidity.
ricksfiona
12-05-2002, 08:28 PM
I don't have a problem with Digital Signatures. Can you imagine if there was a virus or trojan horse that infected a phone and spread through similar phones? Because you wanted that solitaire application from that 'free' website. Oh yeah. How about a complete melt-down of the communications system within a few hours? Now do you think Digital Signatures is such a bad thing? I think not.
I like SPV, but no bluetooth equals no sale for me. Bluetooth has made my life a little easier. Have you tried the new Jabra bluetooth headset? Yes, bluetooth is cool!
I don't want a Symbian OS for my phone either. Sure, it MIGHT be more stable, but I want my IPAQ, phone and pc to work together without any issues. I like an alternative to MS, but Symbian doesn't have the features to justify me buying it.
Mike Wagstaff
12-05-2002, 09:18 PM
To put it politely, I believe that this lockdown is sheer and utter lunacy of the highest order. If this is the only reliable way to make the MS Smartphone secure, then my name is Bingo Bongo the Second, Grand Emperor of the Planet Venus.
From what I can see, Microsoft are not really the ones to blame in the case of the SPV - it's Orange who have made the decision to require certification, killing any hope of decent third-party software support in the process. Anyone remember how older, pre-Pocket PC CE devices fared against Palm? Yep, in those days, the SDK wasn't free...
The Smartphone OS is a new OS. In order for it to succeed, third-party software development is going to be absolutely vital. If I worked for MS, I would be disgusted beyond belief at Orange's decision (at least, I hope I would!).
It's not so much that certification costs £600 (or £300 for a limited time) a pop. Perhaps more pressing is the problem that, as a developer, you have to pay this money before you can actually test your application on the phone - otherwise, you're restricted to flying blind on the emulator.
Requiring certification in this manner is, in my opinion, dumb beyond belief. At least Orange will have a nice, secure network - for there surely won't be any Smartphones to hack.
Mike Wagstaff
12-05-2002, 09:25 PM
Can you imagine if there was a virus or trojan horse that infected a phone and spread through similar phones?
Fair point, but why ban all programs? Surely, there must be a way of designing the OS so that uncertified programs can't access any functions that have the potential to do damage (i.e. they can only run locally and affect the local device)?
And also, if there is such potential for harm, why don't Pocket PC Phone Edition devices require certified software? As far as I know, my xda hasn't taken down any phone networks yet...
carphead
12-05-2002, 09:33 PM
As I mentioned earlier in the thread....
http://www.theregister.co.uk/content/64/28351.html
There appears to be a Major bug in the SPV.
You can read a review of it here:
http://www.simonperry.org
This and the lockdown stopped me buying a Smartphone. :(
Robert Levy
12-05-2002, 09:40 PM
Fair point, but why ban all programs? Surely, there must be a way of designing the OS so that uncertified programs can't access any functions that have the potential to do damage (i.e. they can only run locally and affect the local device)?
Correct - and Microsoft did this. They give the carriers the option to restrict all non-certified applications or to have the OS prevent non-certified applications from doing certain things. Orange chose the restrict-all model.
mookie123
12-05-2002, 09:47 PM
Then the Orange SPV deserves a quick and miserable death for this little adventure.
dochall
12-05-2002, 10:04 PM
Interesting thread - seems like it got all the pro-Symbian people out to mock... :roll:
Thankfully, the buying public is nothing like us, and OS bias will likely not play a factor in their purchasing decision. 8)
You're getting touchy in your old age, Jason. I had to go back to find the one comment.
Very interesting thread, but it would be more interesting if we could get the Orange spin on why they decided to do it.
We have talked about the need to ensure they guarantee both network use and service revenue to support the shed loads of cash they paid for the 3g licences. This could show the model that they will be operating under. Never mind just getting certified. You must get certified for 'our certificates'. Suddenly they have a ring fenced playground that they decide who gets into and they can operate like the interactive tv market. Charge a high price for entry and perhaps only certify apps which are limited to providing the network providers' content and services. This would ensure that they get the service revenues.
Or they could just be doing it to make sure that they don't get a load of technical queries about duff software which keeps taking their phone down.
Robert Levy
12-05-2002, 11:02 PM
Very interesting thread, but it would be more interesting if we could get the Orange spin on why they decided to do it.
(Credit goes to pt for pointing this out to me)
They have responded at another website: http://www.modaco.com/SmartPhone/viewtopic.php?t=218
Here is the response:
1) What are Orange and Microsoft's plans regarding bugfixes and updates?
One of the key applications of the SPV is Orange Update. This allows us to send software updates to customers over-the-air. We are working on one update to be sent before the end of the Year, and a further update to be sent before the end of Q2 2003. The intention is that these updates will address a number of concerns raised by your contributors.
2) Is there any scope for Orange reconsidering their position to be more accommodating to developers? I believe the uptake of the SmartPhone 2002 platform would be seriously hindered by this approach.
Orange is committed to working with third party developers, and understands that developers and their applications will be essential to the success of the SPV - without these applications, customers will not get the best out of their SPV. However, to protect its customers from malicious or corrupt applications and to protect the value generated by application developers, Orange has opted to implement security measures on the SPV. Orange is working towards launching a website early in the New Year to assist SPV developers. The site will detail how a developer can get their application digitally signed, how to get an application published on the Orange download site and also explain how a developer can get an SPV for development purposes.
Landis
12-06-2002, 02:31 AM
Wow, there are a lot of free-spirit rebels in this forum :)
"Hey man, why do the imperialist corporations want to co-opt my phone, man? Don't they realize that wireless phones don't have wires because they need to be free from all that heavy stuff, man?"
Sure, it's nearly impossible for the small developer to get on the SPV right now. Yes, Orange should have had developer support in place at launch, but it is supposed to be coming soon.
A locked device has big advantages in protecting customers and Orange from poorly behaved apps pasted together by weekend developers. There are some very good games available now for the SPV. The vast majority of users will get along just fine without a variety of $5 tile puzzles.
The game consoles are locked. Who complains about that? The warez guys maybe. The developers for those platforms are happy they're locked.
Devices can be corrupted by even well intentioned programmers.
App signing can improve reliability and simplify customer support for any computing platform, especially one that is primarily supposed to be just a phone.
Jason Dunn
12-06-2002, 06:52 AM
I can already say SPV is a flop. It's just a not-so-dumb phone, but not a true smartphone.
The phone is shipping from one carrier for, what, 30 days? How can you possibly say it's a flop? :wink:
ThomasC22
12-06-2002, 07:20 AM
The SPV: I think they're shooting themselves in the foot. I'll be the first to say that there should be some kind of certification process to Smartphone2k2 products but as far as the charge...Microsoft or Orange have to eat it. That sounds bad (being I know they have to pay testers) but this early in the platform, while in competition with a fierce competitor, they need a Developer base far more than a $600 charge. BUT, we don't know that this wasn't one of the requirements that Orange insisted on...(since Microsoft has never been this stupid)
Palladium: Now, how did this get to be part of the discussion again? ;) Seriously, Palladium has as much bad to it as it does good (http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html) so I don't really see it as something worth waiting for.
Plus, there are some media implications to it that might inhibit many of its advantages.
Symbian: I don't see what the outcry is about here. Is it such a stretch to think that people interested in PocketPCs might also be interested in Symbian? This isn't a case of PocketPC vs. Palm where one side is feature deficient, Symbian may very well have a more feature rich product in many ways and Series 60 may very well be a more intuitive interface (not saying that is the case, but it certainly isn't out of the realm of possibility).
sullivanpt
12-06-2002, 08:50 PM
The vast majority of users will get along just fine without a variety of $5 tile puzzles. :roll:
But a few of us like $5 tile puzzles.
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
I bet Ben liked $5 tile puzzles too! :P
Landis
12-06-2002, 11:47 PM
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
I doubt ol' Ben would have considered an open wireless OS an "essential liberty" :D
It's not primarily a security issue for a carrier. I think it's more a reliability issue.
I bet Ben liked $5 tile puzzles too! :P
That would've been a whole week's pay as a printer :P
Did you see the Ben Franklin biography that aired recently on PBS? Excellent :!:
Leviathan
12-07-2002, 01:37 PM
Actually even Symbian warns the user when it is installing something that has not been digitally signed but allows the installation to continue anyway. Of course a similar behaviour from Microsoft would have been too intelligent to accept so they preferred to lock everything down; after all, when you are dealing with MS security they can't be sure of anything they are giving you and so it must be an all or nothing affair.
By the way, signing an app for Symbian costs $400 from Verisign, so I guess the extra $200 for a Smartphone application goes to....
This is definitively a show stopper for most of the developers that were thinking about porting their application to Smartphone. The reassurance that developer support will come in an undefined 'soon' doesn't give any relief. The fact that to develop you need to buy a 'special' developer edition of the phone (which will not cost $300 of course) makes it a joke.
I could not comment until now because we were under NDA, but has anybody really used the SPV? Eleven keystrokes just to shoot a picture? Crashes twice every hour, we had to get ours replaced three times owing to poor construction problems. While in use the phone seems to freeze every now and then for about 40 seconds and every action just shows how this OS is inadequate for this kind of application. Did I forget to mention that when you shoot a picture the shutter sound gets played THREE seconds later? But you have got a PowerPoint viewer.... pleezeee! What a laughable system :D
Cheers,
Lev
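Added example (not part of any post in this thread, and not Microsoft, Orange or Symbian code): a model of the three install policies discussed above, namely the restrict-all lock Orange is said to have chosen, the alternative Robert Levy describes in which unsigned applications run but are denied certain functions, and the warn-and-continue behaviour Leviathan attributes to Symbian. The mode names, capability names, the `constructed-ca` signer and the toy RSA key are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Toy RSA key built from two Mersenne primes so the example runs with the
# standard library only. The factors are public knowledge, so this key is
# a stand-in for a CA-issued code-signing key, never something to deploy.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (signing authority only)
TRUST_STORE = {"constructed-ca": (N, E)}   # signers the operator trusts

ALL_CAPS = frozenset({"local_storage", "network", "sms", "contacts"})
LOCAL_ONLY = frozenset({"local_storage"})  # hypothetical reduced capability set
NO_CAPS = frozenset()


def digest_int(payload: bytes, n: int) -> int:
    """SHA-256 of the payload as an integer reduced modulo n."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def sign(payload: bytes) -> int:
    """Signing-authority side: textbook RSA signature over the digest."""
    return pow(digest_int(payload, N), D, N)


@dataclass(frozen=True)
class Package:
    name: str
    payload: bytes
    signer: Optional[str] = None      # None means the package is unsigned
    signature: Optional[int] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    capabilities: frozenset
    reason: str


def signature_state(pkg: Package) -> str:
    """Classify a package as 'unsigned', 'valid' or 'invalid'."""
    key = TRUST_STORE.get(pkg.signer) if pkg.signer else None
    if key is None or pkg.signature is None:
        # No signature, or a signer the operator does not trust: nobody
        # in the trust store vouches for this code.
        return "unsigned"
    n, e = key
    ok = pow(pkg.signature, e, n) == digest_int(pkg.payload, n)
    return "valid" if ok else "invalid"


def decide(pkg: Package, mode: str, user_accepts: bool = False) -> Decision:
    """Install decision under one of three device policies."""
    state = signature_state(pkg)
    if state == "valid":
        return Decision(True, ALL_CAPS, "signed by a trusted authority")
    if state == "invalid":
        # Assumption of this model: a failed check is never downgraded to
        # "unsigned", so tampering with a signed app cannot be clicked through.
        return Decision(False, NO_CAPS, "signature does not match payload")
    if mode == "locked":        # restrict-all, the choice attributed to Orange
        return Decision(False, NO_CAPS, "unsigned code blocked")
    if mode == "restricted":    # unsigned code runs, sensitive functions denied
        return Decision(True, LOCAL_ONLY, "unsigned code limited to local use")
    if mode == "prompt":        # warn the user, install only on consent
        if user_accepts:
            return Decision(True, ALL_CAPS, "unsigned code accepted by user")
        return Decision(False, NO_CAPS, "user declined unsigned code")
    raise ValueError(f"unknown policy mode: {mode}")


# Constructed sample packages.
SAMPLE_PAYLOAD = b"constructed demo application image"
SIGNED = Package("signed-app", SAMPLE_PAYLOAD, "constructed-ca", sign(SAMPLE_PAYLOAD))
UNSIGNED = Package("unsigned-app", SAMPLE_PAYLOAD)
TAMPERED = Package("tampered-app", SAMPLE_PAYLOAD + b"!", "constructed-ca", SIGNED.signature)

if __name__ == "__main__":
    for pkg in (SIGNED, UNSIGNED, TAMPERED):
        for mode in ("locked", "restricted", "prompt"):
            d = decide(pkg, mode, user_accepts=True)
            print(f"{pkg.name:13} {mode:10} allowed={d.allowed!s:5} {d.reason}")
```

The only difference between the three modes is what happens to unsigned code; a signed package whose payload was altered after signing is refused in all of them.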
John Cody
03-06-2003, 07:41 PM
I came across the below links that unlock the application signing security of the Orange SPV SmartPhone - allowing unsigned apps to be installed on it. I could see doing this as a big benefit among potential Smartphone developers so they can test their apps on a Smartphone before forking over the significant expense of getting it certified.
http://www.coolsmartphone.com/app-cert.htm
http://msmobiles.com/article.php/20.html