Following on from Ewan's thoughts yesterday on the freedom in the Symbian/S60 developer world, I have to say that I take a slightly different view. Over and over, I'm finding that applications I download (from developer sites, from AAS, from Handango, etc) can't easily be installed, each coming up with 'Expired certificate'. Read on for a Steve rant....
Simple solution to this problem. Hello Carbide should be preinstalled on all S60v3 devices.
If developers are indeed moving to greener pastures, don't expect the situation to improve much, if at all. Developers that have abandoned the platform won't spend a minute fixing even something rather trivial like an expired self-signed certificate.
What the ecosystem needs right now is an announcement from Nokia that they are going to do an AppStore too. It doesn't have to be ready this year (though that would be very nice), but a.t.m. Symbian is the only smartphone platform without an announced AppStore. I'm sure they would like to announce it at the Smartphone Show next month, but I think that's too late.
BTW, I think one year for a self-signed certificate is a bit short. Not all apps need to be updated all the time, and updating all the places on the web the sis file is stored is also quite time-consuming. A self-signed sis file won't get any safer or less safe if it expired after 10 years instead of one, because the system clock can be reset. It does indeed only add to the nuisance factor of the platform.
Steve,
I fully agree with you on the "expired certificate" problem.
Having a self-signed or Symbian-signed application expire is just plain stupid. There is no added security here, only unnecessary hassle and costs for both users and developers/publishers.
When I asked about why Symbian implemented this feature and what to do with expired SIS files, they gave the advice to temporarily reset the date of the phone to allow the file to be installed!
With a self-signed application, the developer can opt for a long lifetime of the certificate (like 100 years). The default is set to 1 year, though, leaving us with a lot of "expired" theme packages, freeware and even commercial apps.
This obvious defect in the Symbian-signed regime doesn't mean the whole Symbian ecosystem is worse or inferior to the Apple Appstore approach, though.
Let me share my certificate horror story. About a year ago I bought Soldier Ants UIQ game from Handango, they sent me code and download link from the manufacturer. I downloaded the game - and BINGO! the certificate expired and I could not install it, hence I could not use the code. The Handango Support Monkeys monkeyed around me for about two months! They sent me to manufacturer for support, the manufacturer obviously did not have the right competence by then to help me! It took dozens of e-mails and then I started asking to refund me money, but no, they insisted on 'helping' me! So I looked up more closely on Handango's site and found a section "Who's Who" and there I got the name of Customer Relations VP so I sent another e-mail asking the tech sup to refund, or I'll mail the Kelly Mulroney, that VP.
Bingo! Finally he agreed to refund, but refund NEVER CAME.
I would have called them here bad words BUT later on I found out that I can strip the certificate off the file with the help of SISTools Windows app. So I went out and finally helped myself to the game, 3 months after the purchase. I will NEVER, EVER BUY anything from Handango!
Talk to me against pirating after that! I will use whatever is easier. iTunes demonstrated that that is the only popular way. Only because buying music there is MUCH EASIER than pirating (looking all over the net, waiting, fetching lyrics, art) only usability rules people into actually getting stuff...
You could just hack your phone and then never worry about certificates again!
BTW, I think one year for a self-signed certificate is a bit short. Not all apps need to be updated all the time, and updating all the places on the web the sis file is stored is also quite time-consuming. A self-signed sis file won't get any safer or less safe if it expired after 10 years instead of one, because the system clock can be reset.
Absolutely, there are no anti-piracy benefits in certificates being restricted to 1 year compared to a more reasonable 5 or 10 (or indeed infinity as some have suggested).
It makes you wonder if some DRM restrictions aren't really about piracy at all, but some other hidden agenda. Was the 1 year restriction some way of forcing developers to keep coming back to Symbian for new certificates?
It's not just on Symbian, this seems to happen on every platform nowadays. The fuss made about the Windows game Spore for example has centred around the game disc only installing three times in its lifetime, after which it becomes useless. Does that really serve any anti-piracy function, or is it actually a way of destroying the totally legal second-hand and rental markets?
While I actually appreciate the whole signing-concept, I do not appreciate the fact that I cannot install an unsigned or 'expired' program on my own phone. In the end, it's Symbian/Nokia who decides what I may install on my device. That's really totally insane. As if Canon decides what I may photograph and what not with my very own camera.
There should be an option to override the whole thing. I don't mean a hack, but an official way to persuade my mobile to install unsigned/expired apps.
This DRM-thing isn't something they advertise with. In fact, I found out only after I bought my mobile. For my next mobile however, this kind of DRM is an instant dealbreaker.
When Symbian built the self-signing certificate generator for Symbian 9 they set it to produce certificates that are only valid for 1 year. They didn't provide an option to change that length of time and the fact that the certificate is only valid for one year is not obvious.
This may have been because their thinking was that all "proper" apps are Symbian Signed, but more likely it just wasn't thought through and the issue didn't become evident for a year. No one's perfect!
It is easy for developers to use something like OpenSSL to generate a certificate that is valid for many years - but in the main developers do not realise they need to do this until some time later.
But even without OpenSSL it is trivial for the developer to create a new 1 year certificate and re-sign the software, so Steve's points stand.
Symbian Signed apps are signed for 10 years from the date of signing, so should be fine for a while yet.
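The validity-period point made in the comment above, as an added example that is not part of the original comment: it generates two throwaway self-signed certificates with OpenSSL and checks which one is still inside its validity window two years from now. It assumes `openssl` is on the PATH; the subject name and file names are constructed, and feeding the resulting key and certificate to the Symbian signing tools is not shown.

```shell
#!/bin/sh
# Added illustration. Subject name and file names are constructed.

# make_cert DAYS PREFIX
# Create a throwaway RSA key and a self-signed X.509 certificate that is
# valid for DAYS days from now. Writes PREFIX.key and PREFIX.cer.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -days "$1" -subj "/CN=Example Developer" \
        -keyout "$2.key" -out "$2.cer" 2>/dev/null
}

# valid_in_days CERT DAYS
# Succeed (exit 0) if CERT has not expired DAYS days from now.
# This mirrors the notAfter comparison an installer makes against its clock.
valid_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# demo: compare a 1-year certificate with a 10-year certificate,
# both judged as if the package were installed two years after signing.
demo() {
    dir=$(mktemp -d) || return 1
    make_cert 365  "$dir/one_year"  || return 1
    make_cert 3650 "$dir/ten_year"  || return 1
    for c in one_year ten_year; do
        end=$(openssl x509 -in "$dir/$c.cer" -noout -enddate)
        if valid_in_days "$dir/$c.cer" 730; then
            echo "$c: $end -> still valid two years after signing"
        else
            echo "$c: $end -> 'Expired certificate' two years after signing"
        fi
    done
    rm -rf "$dir"
}

demo
```
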
Symbian Signed apps are signed for 10 years from the date of signing, so should be fine for a while yet.
As a general principle, if I buy a product I think it's fair that I use it for as long as I like, without any time limitations.
Steve is spot on with this one. It's a total own goal by Symbian and needs to be fixed as soon as possible.
This is actually not a Symbian problem. It's an S60 problem.
Most S60 devices, for some bizarre reason, require everything to be signed, thus the prevalence of self-signing.
UIQ devices, on the other hand, don't require everything to be signed (only things that use certain capabilities).
Thus many UIQ applications can be completely unsigned (providing their UIDs are in the unsigned range), and there is not this weird prevalence of self-signed apps which is causing the problem in the S60 community.
Don't blame Symbian for something they didn't do (there's enough they DID do that we can blame them for). 😉
For my take on the App Store see The Happy Medium: Building a Smartphone App Store that Works
Well for example it is really hard to install any freeware to phone that requires signing. You have to go to symbiansigned.com and it really sucks big time. And sometimes you need to ask DEVELOPER to sign it for you. LOL thinking of millions of requests "could you please sign it for me, my IMEI is..."