Read-only archive of the All About Symbian forum (2001–2013)

Symbian Signed stopping piracy

17 replies · 3,757 views · Started 23 November 2006

Ewan has put his thinking kilt on and ponders whether the problem of the illegal software scene can be solved by a white knight - Symbian Signed. It is a controversial area and amongst the AAS team there are a range of opinions.

Read on in the full article.

We've discussed this a lot within DreamSpring, too. We were sort of disappointed to discover how easy it was to install an unsigned version of DreamConnect (all it needs is an appropriate app. UID -- easy to crack -- and the user saying "yes" to a single prompt during installation).

That put paid to our hopes of the Symbian Signed framework preventing piracy of our products (which have been for us, as for almost everyone, crippling). Sigh...

At least our beta testing is easier (we don't need to generate signed versions for our beta testers' phones).

Was that done on/for Symbian 9 based devices or earlier version(s)?

If Symbian 9, did/does the app depend on a restricted privilege (capability)?

While the Symbian 9 Platform Security and signing has not been specifically designed to deter software piracy, it still means that if an application depends on a privilege/capability like MultimediaDD, a signed .sisx file including apps with such capabilities could be repackaged as a self-signed .sisx file, but it will then lose that capability and access to APIs protected by the capability.

Totally unsigned applications are not allowed at all, by policy, on Symbian 9 based platforms (S60 3rd Ed., UIQ 3.0), and self-signing does not give access to more privileged capabilities.

I doubt whether Symbian Signed alone, in its current implementation, can really help against pirating.

But I am convinced of the following: Given all the components that are already in place (secure OS, signing, encryption, authentication, etc) I think it would be rather easy for Symbian to add some functionality targeted at publishers of third-party apps that really would help against piracy.

E.g. take the small, but probably significant, problem of shareware with a trial time limitation: Circumvention is rather trivial now - just uninstall and install again and get another month of trial. Why? There is AFAIK no easy way for an application to leave something like a mark "I was installed here before" after uninstalling that could be checked at re-installing, just to reject another trial. Well, you probably can leave something already today, but it is probably easy to spot and easy to remove with any file manager.

Now, Symbian 9 introduced protected places in the file system, and I think reliably protected. Why not use this feature for offering a little database where applications can - with the help of a small new API - write marks like the mentioned "I was installed here before".

For me it is a little disappointing that Symbian erects a whole multipart framework "Symbian Signed" to solve one of its own problems (to relieve pressure by operators on Symbian to deliver phones that cannot cause trouble to the operators), but does not add support for protecting third-party apps against pirates as well.

Software piracy is a fact of digital life; Symbian Signed, the white knight, would only prevent casual users from installing unsigned Symbian applications. Man is inquisitive by nature: what is locked by others, somebody will try by hook or by crook to open. This white knight would only lessen software piracy, not totally eradicate it.

Of course I agree with thepawn that nothing can eradicate piracy totally.

But you know, piracy threatens to totally eradicate some third-party application publishers now, so even a little improvement of the situation would probably help 😊

Ewan, you're right to notice that the combination of using Symbian Signed and not being able to install self-signed apps will make it harder to install cracked apps.

However, solving the cracking issue isn't likely to be done by technical means only, although making an app much harder to crack will go some way in deterring a lot of people. I think that the big players in the Symbian ecosystem should make an issue of this. For instance, an ISP is much more likely to shut down a warez site if Nokia or Vodafone asks, compared to a shareware programmer asking it.

Will Web 2.0 come to the rescue? For certain kinds of apps maybe. If the bulk of the app is on a server, it will be hard to crack.
OTOH, supporting such a setup is harder (and more costly) than distributing sis files, and it won't work for a lot of popular app categories (like fast action games). What could work is a server sending bits of the code to a device, but with Symbian OS 9.1 it has become impossible to download executable code, unless it has been packaged in a sis file.

Anyway, if nothing happens, it seems likely that most of the programming scene will move to greener pastures. And that all the talk of smartphones being the next PC and the one (American) billion smartphone devices by 2011 will be torpedoed by a couple of pirates. After all, why buy a smartphone if there is no software for it? Could as well buy a feature phone.

I don't know why other third party developers don't do what Agile have done: link the app to the sim/phone number, not the IMEI. Correct me if I'm wrong, but there are no 'cracked' versions of Agile Messenger either on S60 or S60 V3.

This also has the advantage of easy migration to a new phone, when you reinstall it rechecks the sim/phone number and away you go.

I don't know how AgileMessenger's protection works but since it's an online application, I guess that it checks online that you've got a valid license for your particular phone/sim.

Symbian Signed can help reduce software piracy but only if it's linked to some kind of online activation/license checking. A piece of software that only relies on a registration code inputted by the user to check for license validity can be easily cracked regardless of whether or not it's Symbian Signed.

Now, the problem is that online license checks are fine if the application needs to connect to the vendor's server to operate, as is the case for IM software. In this case, the user won't mind if the application connects to check its license since the app needs to connect anyway.
But a lot of applications out there (media players, office suites, PIM apps, games...) are offline applications and users are going to get angry if the application connects every now and then to check if the user has a valid license, as connecting to the internet takes time and costs money. Plus, a mobile device being by definition mobile, you don't always have a way to get online.
This is the issue currently faced by the developers of CorePlayer, an audio and video player for Windows Mobile, Palm and Symbian (http://coreplayer.com/content/category/4/15/29/). They originally wanted the application to connect every few days to their servers to check for license validity. If the app could not connect, certain features would be disabled until it could connect again. This obviously caused a huge uproar on their forum. We don't know yet what they will eventually decide but it'll be interesting to follow that.

A piece of software that only relies on a registration code inputted by the user to check for license validity can be easily cracked regardless of whether or not it's Symbian Signed.

Well, as I already stated in another thread I believe that for certain things it can help to look at the situation in the world of Windows software, because on a fundamental level software is software, regardless of OS.

As I see it, Windows software shows that registration codes can help. If the app is protected enough so that it is difficult to just zap out the code part that checks registration info (and here Symbian Signed could help *a lot*, with only a few extensions), people have to rely on either a) keygens that generate fake, but valid codes, or else b) serialz, i.e. codes that escaped "into the wild".

Both keygens and serialz are a problem, but it seems a problem that is more or less under control in the sense that it does not threaten the survival of the software publishers themselves.

A few thoughts on the recent article posted: http://www.allaboutsymbian.com/featu...tification.php

I find that Symbian 3rd party software is often overly priced, e.g. 20-60 USD for the normal range of applications and 8-19 USD for simple or small applications. This is exactly the problem that encourages piracy. Supply and demand should match; although many people who own hundred-dollar phones should theoretically be able to afford such 20-60 USD software, they are probably reluctant to pay.

Software developers should have adopted Palm's approach: cheaper 3rd party programs, and making money from people buying the software legitimately instead of using pirated software. Hey, if HandyClock is going at 10 USD, I'd buy it for sure ... but pricing it at 20 or more USD? Many would think twice.

How about a dictionary from MsDict that costs 39,95 USD? Would you pay for it easily? I don't think so. If it is priced 10 USD, would it be more attractive?

To charge a premium, the developer should really have a good value proposition. Software like that from EPOCware, for example, is great (handysafe), but customer service? I can't say the same.

So I urge the software community to reprice their software so that it is no longer attractive for people to spend their time using pirated copies, but rather buy it...

my 2 cents of international currency....

(Having read the previous comments posted, AgileMessenger is another crazy example, with 30 USD for a year's use of IM. I think I would go with freeware to chat...)

Very interesting proposition, mgoodson45: Not the pirates are the problem, no, the problem is that Symbian applications cost too much! Forget about Symbian Signed and the question whether it helps or not - just slash prices, and it is well.

I am a shareware author, hopefully releasing something for Symbian next year, and I constantly watch the rightmost third of the All About Symbian frontpage, where all the new software releases are listed, for over a year now. I cannot confirm at all your "normal" price ranges of 20 to 60 USD for full programs and 8 to 19 USD for simple programs.

Right at this moment 10 programs are listed there, 7 with a price below 8 USD and one freeware, and I scratch my head wondering how many of these programs will really make their authors any money, with a market as fragmented as the smartphone market and with all the difficulties that it takes to program and bring Symbian software to market.

With the free availability of warez and cracks you as an author with software for a price of X dollars basically compete with something that has a price of exactly Zero dollars. Does it really matter whether you want 10 dollars more than Zero or 20 dollars more than Zero?

N/A wrote: Was that done on/for Symbian 9 based devices or earlier version(s)?

DreamConnect 3 runs on UIQ 3, tested so far (in house) on the M600i and P990i -- both sourced from HK.

N/A wrote: Totally unsigned applications are not allowed at all, by policy, on Symbian 9 based platforms (S60 3rd Ed., UIQ 3.0), and self-signing does not give access to more privileged capabilities.

We've configured DC 3 with an app UID in the "unsigned" range, and DC 3 installs fine on UIQ 3 devices, with just that single prompt for accepting its capabilities (such as Read and Write User Data -- relatively "safe" capabilities, but still able to play havoc with the user's data, by definition).

Given my direct experience (and the fact that our beta testers can install this completely unsigned app -- built with makesis), I would say that your statement is factually incorrect. (Although, I must admit, it is what I thought until I tried building examples for the phones.)

Regarding the pricing debate -- yes, some Symbian apps are overpriced, especially considering how uncommitted the user is to the platform (S60 today, UIQ tomorrow, Windows Mobile the day after?). On the other hand, if something really adds value, and took a lot of effort to create, why not pay a few dollars (or tens of dollars) for it?

The (small) cracking community is not doing it because of the injustice of high prices. They're certainly not Robin Hoods, because I think much of the time they're stealing from the not-so-rich to give to the not-so-rich (in the smartphone world). I think they just do it because they don't have anything better to do, and to show that they can.

Oh, and comparing protection methods to the PC world is fruitless. The PC world has a far more complex architecture to hide things in, and their software STILL gets cracked. Even MS's elaborate online validation. 😞

Then, perhaps, Sony Ericsson allows totally unsigned apps? I don't know as I don't have one.

S60 3rd Ed. doesn't (they must be at least self-signed).

In other words, Symbian allows manufacturers to allow totally unsigned apps that call untrusted APIs, or to restrict those, too. And for S60 3rd Ed., at least, Nokia has decided to go for mandatory self-signing.

Anyway, if the app only needs/uses user-grantable rights/capabilities, then there's less of a benefit than if the signed app would require higher capabilities that requires Symbian Signing.

Rbrunner, glad you agree with me about the high prices. But I disagree with your concern about competing with '0' dollar.

Ok, I was in a rush and didn't really check the prices. What I'm trying to emphasise is: never overprice the software, it will encourage piracy. Underpricing may work well if the volume is large.

One may debate 'If I value my software at 5 USD, how can I compete with pirated/cracked software at 0 USD'. Most people who use cracked software would gladly pay if they were spared the trouble of finding the cracked version. They would also get the benefits of support, updated software, etc.

I bought NERO Reloaded 6 and the upgrade to 7 for 60 Euros (approx, can't remember the exact price). This is well worth the money; it has everything you need, from burning, ripping, editing music, etc. There are lots and lots of key generators for Nero and I could have simply used it for "free". I like the value proposition and I like the support. I have peace of mind knowing that I'm covered with updates, and the software is not modified by an unauthorized 3rd party.

If Symbian software cost on average the same as Palm's, many would be happy. Pricing applications at a maximum of 15 USD would be attractive for good-value software.

HandySafe is good software but 29.95 USD is a tad pricey.

rbrunner wrote: take the small, but probably significant, problem of shareware with a trial time limitation: Circumvention is rather trivial now - just uninstall and install again and get another month of trial. Why? There is AFAIK no easy way for an application to leave something like a mark "I was installed here before" after uninstalling that could be checked at re-installing, just to reject another trial. Well, you probably can leave something already today, but it is probably easy to spot and easy to remove with any file manager.

Now, Symbian 9 introduced protected places in the file system, and I think reliably protected. Why not use this feature for offering a little database where applications can - with the help of a small new API - write marks like the mentioned "I was installed here before".

For me, being a user rather than a developer, this is positive.

I cannot accept modifications being made to my device I can't undo nor change.
Yes, shareware not being paid is a problem but this is not a good way to solve it.
What about selling the phone after a trial?
The new owner wouldn't be able to try the software himself and the software's author would probably lose a sale.

In some respects Symbian OS already implements DRM-like oddities.
Why can't I have a general file manager like FExplorer for my 9.1 phone?
It's my phone, let me do with it what I want!

Jack