Comments on: Signed Malware, Revoked

By: Joe Torres

Joe Torres — Thu, 13 Aug 2009 15:29:31 +0000

Cheers for all the help and tips, Symbian can be funny, imagiane if we had to do this kind of thing with Windows!

By: Symbian Speaks Out Against Smobile Study | Symbian-Guru.com

Symbian Speaks Out Against Smobile Study | Symbian-Guru.com — Sun, 02 Aug 2009 21:00:34 +0000

[...] will point out that a few recent known viruses have been Symbian Signed, it appears as though the Symbian Foundation is actually doing something about that, which is stinkin awesome. Share [...]

By: Pern

Pern — Sat, 25 Jul 2009 09:56:43 +0000

Hi Craig, just wondering whether the list of certified applications, and certificates that have been revoked can be found online. I am interested to look at the challenges of software installation from the user and economic perspectives. Thanks.

By: Craig H

Craig H — Tue, 21 Jul 2009 12:44:39 +0000

@gangs: There is an API which allows a revocation check to be done on an application after it has been installed, but I don’t think it can be accessed from the UI if I remember correctly. The API is the CheckRevocationStatus method of class Swi::RSisRevocationEntry. Perhaps someone could write and contribute a utility that iterates through the SIS registry performing a revocation check on each installed app?

By: gangs

gangs — Tue, 21 Jul 2009 09:24:28 +0000

Hi Craig,
Thanks for the quick update. I had a couple of queries:
so basically the issue can only be circumvented by revoking the certificate. Am I correct in stating that, OCSP being configurable because the medium of validation is GPRS poses a security issue? As far as I can see we have 2 issues here – one is preventing any one else from installing the app – by revoking the certificate that is what we have achieved.
Secondly, to prevent users who have already installed the app from running it – Doesn’t the installer store the certificate details associated with each installation? if yes, then can’t we provide the users an option later to perform OCSP check for already installed apps. Sure this does not solve the problem completely, but if the bad app has not done much harm the user has a chance to remove it from her device. She does not need to go to sites and check whether the apps installed in her device are all fine.
Does this sound doable?

gangs.

By: Craig H

Craig H — Sun, 19 Jul 2009 18:33:58 +0000

Thanks Petra! The place for discussion of future changes to Symbian Signed is the forum here. There's already a discussion there about possible changes to the test criteria.

By: Petra S

Petra S — Fri, 17 Jul 2009 10:04:03 +0000

Thanks Craig. Good job on acting fast on this case, and investigating further security measures on Symbian Signed. Please keep us posted on the findings, and if any changes are done. I am assuming this blog is the best place to follow on this topic?