Symbian OS Platform Security -- FAQ
FAQ
- Is application signing mandatory in S60 3rd Edition?
- Is Symbian Signed mandatory for S60 3rd edition applications?
- How can one tell an application is signed?
- How do I know which capabilities a self signed application use?
- What are the different ways to sign a S60 3rd Edition application?
- How do I know which platform security capabilities my S60 3rd Edition application requires?
- What is a Symbian Developer Certificate and when do I need it?
- What are the differences between a developer-created certificate, a Symbian Developer Certificate, and Symbian Signed?
- The application I'm creating requires to have access to an API or functionality which use requires the Nokia Vendor ID (VID). How can I get the Nokia VID for my application?
- Do I need MultimediaDD capability to play/record audio or video in my application?
- Do I need AllFiles capability to retrieve attachments from the messaging inbox?
- Do I need AllFiles capability to move/delete/copy files in the file system?
- I'm not able to install Symbian SIS fle to Symbian OS v.9.x device? What should I do?
- For how long are TC Trustcenter Publisher ID and developer certificates valid?
- What are the requirements for becoming a Symbian Self Certifier?
- Is application signing mandatory in S60 3rd Edition?
- Yes, application signing is mandatory. Note that applications can be developer-signed, because Symbian Signed is not mandatory in S60 3rd Edition. An application can be signed with a developer-created certificate, which is created with the MakeKeys utility included in the S60 3rd Edition SDKs. If an application needs to gain access to certain Symbian OS platform security capabilities that are not user-grantable or certain market channels, it must instead be Symbian Signed.
- Is Symbian Signed mandatory for S60 3rd edition applications?
- A S60 3rd Edition application can be:
Self Signed- The developer signs the SIS package with a self generated certificate (SDK has the tools to do this or Carbide does this automatically)
- Required for the application to install
- The application can have a limited number of capabilities (ReadUserData, WriteUserData, NetworkServices, LocalServices & UserEnvironment)
- The developer signs the SIS package with a Developer Certificate from Symbian Signed web site
- The application can have capabilities
- The developer has sent the application through the Symbian Signed freeware path and it has been certified (the application does not display error messages)
- The application can have capabilities
- The developer has sent the application through the Symbian Signed path and it has been certified (the application does not display error messages)
- The application can have any capability
- The developer, who has received self-certification rights from Symbian, has tested and signed the application (the application does not display error messages)
- The application can have any capability
- How can one tell an application is signed?
- Check the installation message. The following installation messages reveal the signing:
Self signed:
Symbian Signed freeware (application name has been removed from the message heading)
Developer certificate signed:
Also notice that certified applications do not display any security warnings at application installation time. - How do I know which capabilities a self signed application use?
- You will see this in the installation message. Applications, which are self signed and require some user grantable capabilities will display a installation time message for the user to grant capabilities.
Explanations:- Use connectivity applications = LocalServices
- Read user data = ReadUserData
- Write user data = WriteUserData
- Use Camera or microphone= UserEnvironment
- Use network or make phone calls = NetworkServices
- What are the different ways to sign a S60 3rd Edition application?
- From technical point of view, Symbian Signed is not mandatory, if your application uses only unrestricted APIs or user-grantable capabilities. If your application requires access to some sensitive APIs and functions, then Symbian Signed is needed, as some of the capabilities are granted only through Symbian Signed. However, please notice that some sales channels accept only Symbian Signed applications.
- How do I know which platform security capabilities my S60 3rd Edition application requires?
- A The Help documentation in the S60 3rd Edition SDKs provides general guidance on which platform security capabilities are required for various APIs. The capabilities that an application requires can be confirmed in the S60 emulator. When the option "Enable Debug Security Messages" and "Enable EPOCWIND.OUT Logging" are selected in the emulator's Preferences dialog (or PlatSecDiagnostics set to ON and LogToFile set to 1 in the emulator’s epoc.ini file), a log file is created in the Windows “temp” folder called epocwind.out that includes warning messages indicating the capabilities needed by the application.
- What is a Symbian Developer Certificate and when do I need it?
- A Symbian Developer Certificate (DevCert) is required when an S60 3rd Edition application that needs certain platform security capabilities is to be tested on a device. These certificates can be requested via the Developer Certificates section of the Symbian Signed Web site. If sensitive capabilities (AllFiles, TCB and DRM) or more than 1000 IMEIs are required to be associated to the Symbian Developer Certificate, please use the manufacturer link at the bottom of the Symbian Signed web site's Request DevCert page to submit your request for a developer certificate.
- What are the differences between a developer-created certificate, a Symbian Developer Certificate, and Symbian Signed?
- Every S60 3rd Edition application must be signed with a certificate before it can be installed on a device. If the application does not need any platform security capabilities or it requires only user-grantable capabilities, it can be signed with a developer-created certificate, which is created with a utility in an S60 3rd Edition SDK. If other capabilities than user-grantable ones are needed, a Symbian Developer Certificate is required to allow the application to be tested on a device. If the application requires capabilities on a consumer's device, it can gain them only through Symbian Signed; in other words, it must be Symbian Signed for delivery to market. Symbian Signed also may be required for placing an application - whether or not it needs capabilities - in certain manufacturer or operator sales channels. In addition, Nokia recommends to customers that they install trusted applications only, a further reason why applications should be Symbian Signed.
- The application I'm creating requires to have access to an API or functionality which use requires the Nokia Vendor ID (VID). How can I get the Nokia VID for my application?
- The Nokia VID is used to protect sensitive areas of the system. These areas may affect the type approval of the device, for that reason Nokia VID use cannot be granted to anyone.
- Do I need MultimediaDD capability to play/record audio or video in my application?
- Not necessarily. MultimediaDD capability is needed only if you need to change the default priority given by the system. Playing/recording audio or video do not require it as such.
- Do I need AllFiles capability to retrieve attachments from the messaging inbox?
- No. There's a class called MMsvAttachmentManager in the messaging framework that should be used to perform the task.
- Do I need AllFiles capability to move/delete/copy files in the file system?
- No. AllFiles capability is not needed to perform those actions in nondata-caged directories. Data-caged directories are /sys/bin, /private, and /resource.
- I'm not able to install Symbian SIS fle to Symbian OS v.9.x device? What should I do?
- A Please check Symbian's FAQ item 1434 "How to diagnose SIS installation failures" at Symbian' s Web page www3.symbian.com/faq.nsf/SearchAll?OpenForm.
- For how long are TC Trustcenter Publisher ID and developer certificates valid?
TC Trustcenter Publisher ID is valid for one year. Developer certificate is valid for thirty six (36) months. When requesting developer certificate, check that your Publisher ID is valid. When signing an application with developer certificate, Publisher ID (.key) and developer certificate (.cer) must both be valid. You can check the certificate expiration date by double-clicking the .cer file in Windows explorer.
v
- What are the requirements for becoming a Symbian Self Certifier?
-
It depends on which capabilities your application needs. If it doesn't need any sensitive capabilities, you can discuss and agree on the Self Certification directly with Symbian (symbiansigned@symbian.com). But if your application uses some sensitive capabilities, then Nokia needs to support granting the Self Certifier rights. In that case, Self Certifier rights are granted for an application. The requirements are:
0. The developer is or is becoming a Symbian Signed Self Certifier. The developer needs to contact Symbian about this.
1. The case is presented to Nokia internal Capability granting steering group.
- Self certifier request is sent to to nokia.testing@nokia.com. Responsible: developer
- Internal capability request template is needed and presented to the steering group. Responsible: Nokia business owner
- Company evaluation is done with the business need to become a Self Certifier with manufacturer capabilities.
2. After capability approval, developer submits the application via Symbian Signed for Nokia. Application is tested against Symbian Signed and Nokia test criteria (excl. TPO test cases).
3. Symbian Signed for Nokia tests must be passed once.
4. Legal agreement is done. Resposible: Nokia business owner, developer.
5. After Symbian Signed for Nokia testing has been passed once and legal agreement is in place, Forum Nokia lets Symbian know that we accept the use of the requested capabilities in Self Certification.
Current cost is 10 000/year.
