Read-only archive of the All About Symbian forum (2001–2013)

freeware signing for testing only

16 replies · 0 views · Started 01 September 2006

Hi all! After reading a lot about Symbian Signed, Developer Certificates,
ACS Publisher IDs and freeware, I still could not find an answer to my case, so
I'd like to ask for advice. Here is the scenario I'm facing:

I'm writing an application that I intend to distribute to a wide audience as
_freeware_. During development using the emulator I realized that essential
features of my program are bound to the ReadDeviceData and WriteDeviceData
capabilities. Those capabilities require signing with an ACS Publisher ID.

Now I need to try my application on my test phone, running on Symbian 9. So I
need a DevCert with an ACS Publisher ID. As this is freeware, I do not want
to buy my own ACS Publisher ID from VeriSign. Moreover, at this stage I just
want to test the program as it is not yet completed, so I do not yet want to
submit it for full testing and signing to a test house. I just want to
self-sign the program so it runs on my test device.

So, what shall I do? How do I get a free ACS Publisher ID for the DevCert?
Thanks for enlightening!

You don't need an ACS Publisher ID just for testing. You can get a free
developer certificate on www.symbiansigned.com that is bound to your
device.

Regards,
Gernot

> You don't need an ACS Publisher ID just for testing. You can get a free
> developer certificate on www.symbiansigned.com that is bound to your
> device.

Thanks for answering. However, I'm afraid you are wrong. If you do not enter
an ACS ID then the certificate request generator tool lists only ten
capabilities which do _not_ contain the two ones I mentioned in the first
post. So the issue is still unresolved: how to enable ReadDeviceData and
WriteDeviceData only for testing, without going for a full freeware signing
procedure?

JoeS wrote:
>> You don't need an ACS Publisher ID just for testing. You can get a free
>> developer certificate on www.symbiansigned.com that is bound to your
>> device.
>
> Thanks for answering. However, I'm afraid you are wrong. If you do not enter
> an ACS ID then the certificate request generator tool lists only ten
> capabilities which do _not_ contain the two ones I mentioned in the first
> post. So the issue is still unresolved: how to enable ReadDeviceData and
> WriteDeviceData only for testing, without going for a full freeware signing
> procedure?

You can't do anything about it, you have to get the ACS ID

AMK

> > So the issue is still unresolved: how to enable ReadDeviceData and
> > WriteDeviceData only for testing, without going for a full freeware signing
> > procedure?
>
> You can't do anything about it, you have to get the ACS ID

If it is so, then the "freeware route to Symbian Signed", as propagated by
Symbian, ceases to exist as soon as the freeware application uses any of the
capabilities beyond the "cheap ten"...

A solution could be if it was possible to obtain an ACS ID from the
Publisher Certifier (like CellMania) in the testing phase already, before
submitting for final evaluation. Is this not possible? Someone from Symbian
could please confirm.

"JoeS" <[email protected]> wrote

> A solution could be if it was possible to obtain an ACS ID from the
> Publisher Certifier (like CellMania) in the testing phase already, before
> submitting for final evaluation. Is this not possible? Someone from Symbian
> could please confirm.

No one taking?...

Also, I can't help noticing that so far it seems Symbian 9 is highly
efficient in "defending me" from my own code that I would like to run on my
own phone which I expected to be fully enabled for Symbian when I paid for
it. By the way, I'm not writing a virus or other malicious code against
myself (!), I just would like to implement an animation DLL.

Hi Joe

Yes, you're right. It's not possible to get the "yellow" set capabilities
without an ACS certificate, even if you are a freeware developer. As you
say, for someone who is only doing freeware this could well make development
prohibitive.

> Also, I can't help noticing that so far it seems Symbian 9 is highly
> efficient in "defending me" from my own code that I would like to run on my
> own phone which I expected to be fully enabled for Symbian when I paid for
> it. By the way, I'm not writing a virus or other malicious code against
> myself (!), I just would like to implement an animation DLL.

Unfortunately since you've purchased a production model the phone has no way
of knowing that you are not writing malicious code, so it has to be able to
protect the user and network against all possible misuse. It is possible
to do some powerful denial of service attacks with an animation DLL, because
these get key events from the window server before anything else.

Regards
Hamish

"JoeS" <[email protected]> wrote in message
news:[email protected]...
> "JoeS" <[email protected]> wrote
>
> > A solution could be if it was possible to obtain an ACS ID from the
> > Publisher Certifier (like CellMania) in the testing phase already, before
> > submitting for final evaluation. Is this not possible? Someone from Symbian
> > could please confirm.
>
> No one taking?...
>
> Also, I can't help noticing that so far it seems Symbian 9 is highly
> efficient in "defending me" from my own code that I would like to run on my
> own phone which I expected to be fully enabled for Symbian when I paid for
> it. By the way, I'm not writing a virus or other malicious code against
> myself (!), I just would like to implement an animation DLL.

Hi Hamish,

Thanks a lot for answering.

> Yes, you're right. It's not possible to get the "yellow" set capabilities
> without an ACS certificate, even if you are a freeware developer. As you
> say, for someone who is only doing freeware this could well make development
> prohibitive.

So here is the exact point where it is obvious what is sacrificed. There were
a lot of discussions pro and contra about Symbian Signed, and I think now
the status became clear, at least for me. The future will tell us if the
restrictions made for phone operators' sake will let the OS itself live...

Anyways... What is the cheapest way of getting an ACS ID? Can't I borrow one
for signing just this one test app to see it on my device? 😊

Let me also comment on this one:

> It's not possible to get the "yellow" set capabilities without an ACS
> certificate
...
> the phone has no way of knowing that you are not writing malicious code

I see a contradiction here. Why not issue a single-IMEI developer
certificate for any and all capability, without the need to pay for it?
Quite obviously a developer who goes for such option would only upload the
thus signed application only to his own phone for testing, so it's entirely
his own "risk" (if we call testing our own code a global risk that needs to
be handled at the OS level...).

So then why not allow this? Why a developer can not test his stuff without
any restrictions, when propagation of the "risky" code to other phones is
absolutely excluded? I can see a serious flaw in the system at this point.
Such option would enable developers to at least _decide_ if their code is
worth signing for money. The lack of such option indeed can kill small
developers' attitude towards this particular OS. Right or not?

Notwithstanding the discussion in the other part of this thread, you can
obtain a Developer Certificate for Freeware applications for any
capabilities.

The process is that you need to email CellMania (symbian @
staff.cellmania.com), copying to Symbian Signed (symbiansigned @
symbian.com) [remove spaces either side of the @], and specifying the
following:

- your name, email address and contact details (address, phone number)
- an overview of your application
- the IMEI number (one only) of the device you are using to test
- the full list of capabilities you require. For manufacturer-approved
capabilities, you need to briefly explain why these are required

We'll update the Freeware FAQ on www.symbiansigned.com with this information
in due course.

Mark
Symbian Developer Network


"JoeS" <[email protected]> wrote in message
news:[email protected]...
> Let me also comment on this one:
>
>> It's not possible to get the "yellow" set capabilities without an ACS
>> certificate
> ...
>> the phone has no way of knowing that you are not writing malicious code
>
> I see a contradiction here. Why not issue a single-IMEI developer
> certificate for any and all capability, without the need to pay for it?
> Quite obviously a developer who goes for such option would only upload the
> thus signed application only to his own phone for testing, so it's entirely
> his own "risk" (if we call testing our own code a global risk that needs to
> be handled at the OS level...).
>
> So then why not allow this? Why a developer can not test his stuff without
> any restrictions, when propagation of the "risky" code to other phones is
> absolutely excluded? I can see a serious flaw in the system at this point.
> Such option would enable developers to at least _decide_ if their code is
> worth signing for money. The lack of such option indeed can kill small
> developers' attitude towards this particular OS. Right or not?

If this certificate has the AllFiles capability, you could examine other
apps' private folders, by buying the apps and installing these apps on your
device. The results of the investigation can then be used to crack these apps.

You could also buy phones, get devcerts for them, install spyware and resell
the phones on eBay or other such sites.

--
Sander van der Wal
www.mBrainSoftware.com


> Notwithstanding the discussion in the other part of this thread, you can
> obtain a Developer Certificate for Freeware applications for any
> capabilities.

Oooops.. Now THIS is what I dreamed about! THANKS, Mark

Hi Joe

Genuine concerns for all of us here at SymbianSigned.

Sander has summarised the key points here - you can do a fair bit even if
the capabilities are locked to a single phone.
The example that is normally given is that if you have DRM you can strip the
protection from any protected content. Manufacturers have agreements with
content suppliers to help prevent that sort of thing, with substantial
damages if they don't do the right thing.

I agree it's a problem for Freeware developers, developing in some areas.
However not all that many freeware applications that I've seen would
actually need the yellow group capabilities. No "not ideal", but nor it is
crippling.

I'm not sure what an ACS ID costs. Try www.verisign.com

Regards
H

"JoeS" <[email protected]> wrote in message
news:[email protected]...
> Let me also comment on this one:
>
> > It's not possible to get the "yellow" set capabilities without an ACS
> > certificate
> ...
> > the phone has no way of knowing that you are not writing malicious code
>
> I see a contradiction here. Why not issue a single-IMEI developer
> certificate for any and all capability, without the need to pay for it?
> Quite obviously a developer who goes for such option would only upload the
> thus signed application only to his own phone for testing, so it's entirely
> his own "risk" (if we call testing our own code a global risk that needs to
> be handled at the OS level...).
>
> So then why not allow this? Why a developer can not test his stuff without
> any restrictions, when propagation of the "risky" code to other phones is
> absolutely excluded? I can see a serious flaw in the system at this point.
> Such option would enable developers to at least _decide_ if their code is
> worth signing for money. The lack of such option indeed can kill small
> developers' attitude towards this particular OS. Right or not?

Wow, that is great news!

"Mark Shackman" <-> wrote in message
news:[email protected]...
> Notwithstanding the discussion in the other part of this thread, you can
> obtain a Developer Certificate for Freeware applications for any
> capabilities.
>
> The process is that you need to email CellMania (symbian @
> staff.cellmania.com), copying to Symbian Signed (symbiansigned @
> symbian.com) [remove spaces either side of the @], and specifying the
> following:
>
> - your name, email address and contact details (address, phone number)
> - an overview of your application
> - the IMEI number (one only) of the device you are using to test
> - the full list of capabilities you require. For manufacturer-approved
> capabilities, you need to briefly explain why these are required
>
> We'll update the Freeware FAQ on www.symbiansigned.com with this information
> in due course.
>
> Mark
> Symbian Developer Network

"Hamish Willee" <[email protected]> wrote:

> The example that is normally given is that if you have DRM you can strip the
> protection from any protected content.
...
> However not all that many freeware applications that I've seen would
> actually need the yellow group capabilities.

DRM is a red capability, and I was talking about the yellow ones, so the
example is not quite right. Anyway... see below.

> Sander has summarised the key points here - you can do a fair bit even if
> the capabilities are locked to a single phone.
...
> Manufacturers have agreements with content suppliers to help prevent that
> sort of thing

These assumptions take me a bit further... I definitely feel that paranoid
theory tries to win over reality. Do you guys at Symbian really think that
the security measures you introduce will prevent the _professional_ hacker
from getting into the system and cracking it if they really want? Will you
ever be better in terms of security than NASA and others? Is it really that
serious in the first place? I don't think so. It rather looks like Symbian
blindly follows conditions dictated by shortsighted copyright owners and
network operators.

At the same time, you are paying the price of effectively deterring
third-party programmers from working for this OS, by all the paranoia and
hassle you introduce. The OS will come to an end if there is no active
developer community! Do the decisionmakers at Symbian indeed know what they
are doing? Can you talk to them?

> Wow, that is great news!
>
> "Mark Shackman" wrote in message
> Notwithstanding the discussion in the other part of this thread, you can
> obtain a Developer Certificate for Freeware applications for any
> capabilities.

That's indeed a sign of move to the right direction. But is supporting the
test of a freeware app on a single device enough?

This was not a rant. I'm calling for thinking!

Hi Joe

I appreciate that any protection can be broken with sufficient time and
money. We're fairly confident that the cost of breaking the security will be
greater than the value in doing so for most hackers. It will certainly not
be susceptible to a break.

Technically your position probably is a rant
http://www.google.com.au/search?hl=en&lr=&defl=en&q=define:rant&sa=X&oi=glossary_definition&ct=title
You have a strong opinion that there is no point in security, or at least
it's not worth the additional costs on developers. Most of the industry
disagrees with you.

Regards
Hamish

"JoeS" <[email protected]> wrote in message
news:[email protected]...
> "Hamish Willee" <[email protected]> wrote:
>
> > The example that is normally given is that if you have DRM you can strip the
> > protection from any protected content.
> ...
> > However not all that many freeware applications that I've seen would
> > actually need the yellow group capabilities.
>
> DRM is a red capability, and I was talking about the yellow ones, so the
> example is not quite right. Anyway... see below.
>
> > Sander has summarised the key points here - you can do a fair bit even if
> > the capabilities are locked to a single phone.
> ...
> > Manufacturers have agreements with content suppliers to help prevent that
> > sort of thing
>
> These assumptions take me a bit further... I definitely feel that paranoid
> theory tries to win over reality. Do you guys at Symbian really think that
> the security measures you introduce will prevent the _professional_ hacker
> from getting into the system and cracking it if they really want? Will you
> ever be better in terms of security than NASA and others? Is it really that
> serious in the first place? I don't think so. It rather looks like Symbian
> blindly follows conditions dictated by shortsighted copyright owners and
> network operators.
>
> At the same time, you are paying the price of effectively deterring
> third-party programmers from working for this OS, by all the paranoia and
> hassle you introduce. The OS will come to an end if there is no active
> developer community! Do the decisionmakers at Symbian indeed know what they
> are doing? Can you talk to them?
>
> > Wow, that is great news!
> >
> > "Mark Shackman" wrote in message
> > Notwithstanding the discussion in the other part of this thread, you can
> > obtain a Developer Certificate for Freeware applications for any
> > capabilities.
>
> That's indeed a sign of move to the right direction. But is supporting the
> test of a freeware app on a single device enough?
>
> This was not a rant. I'm calling for thinking!