| 25-04-2006 08:35 PM |
| steff2632 |
Seems like nobody knows!!
|
| 21-04-2006 10:23 PM |
| slitchfield |
Good question - I'm hoping someone here with inside knowledge of how Symbian Signed apps are handled under OS 9 can leap in and answer this in plain English? Anyone? What's to stop some piece of malware from spoofing the hex that the OS needs?
Steve
|
| 21-04-2006 07:31 PM |
| steff2632 |
Yeah, I know that it's not exactly like the keygens, just a comparison: at the time, MS thought their keys would stop piracy, like Symbian believes their PlatSec will stop malware.
& I don't quite understand about the file checksum. The file checksum for the SIS file is stored in the SIS file, isn't it? Not in the OS (they're not going to have every SIS file's checksum built into the OS).
|
| 21-04-2006 06:04 PM |
| slitchfield |
No, it's not like Windows keygens - if there's ANY mismatch in the file checksum, the OS (which is in ROM, remember, so can't be changed or hacked) will refuse to run it.
Steve Litchfield
|
| 21-04-2006 04:24 PM |
| steff2632 |
Oh, so apps can still be completely crap/useless.
No matter how safe it is, it can still be cracked. Nothing is 100%.
Look at the validation key for Windows: they thought that was safe when it came out, now see how many keygens are out there, & you don't even need a keygen!
|
| 20-04-2006 04:38 PM |
| Rafe |
Sorry I didn't write clearly. Symbian Signed is secure in the signing process (Steve is exactly right here - any modification of a sis file will invalidate signing).
What I meant was that Symbian Signed guarantees who an application is made by. It does not necessarily indicate that it is a good application (i.e. the usability may be poor). To pass Symbian Signed there are certain requirements (e.g. relating to low memory situations), but Symbian Signed does not test an application for ease of use / utility.
|
| 20-04-2006 04:06 PM |
| steff2632 |
So there's like either a file or line of code in the SIS file which refers to the size of the file @ signing.
|
| 20-04-2006 01:43 PM |
| slitchfield |
No, no, signing an app does more than check identity, it also byte signs the SIS file itself. So altering even one byte will invalidate the app.
Steve
|
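Added example, not part of the original thread: a sketch of the distinction the posts above turn on, between a checksum that simply travels inside an installer file and a signature over the file that the installer checks with a public key it already holds. The container layout, the toy key and the sample payload are constructed for illustration and are not the real SIS format or Symbian's verification code.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes so that only the standard
# library is needed. NOT secure, and unpadded; it stands in for a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public half: assumed to be held by the installer
D = pow(E, -1, (P - 1) * (Q - 1))      # private half: held only by the signer

def digest(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

def pack_checksum(payload: bytes) -> dict:
    """Hypothetical package that only carries its own hash."""
    return {"payload": payload, "checksum": digest(payload)}

def verify_checksum(pkg: dict) -> bool:
    return digest(pkg["payload"]) == pkg["checksum"]

def pack_signed(payload: bytes) -> dict:
    """Hypothetical package carrying a signature over its hash."""
    return {"payload": payload, "signature": pow(digest(payload), D, N)}

def verify_signed(pkg: dict) -> bool:
    # Installer side: needs only the public key (N, E), never D.
    return pow(pkg["signature"], E, N) == digest(pkg["payload"])

def demo() -> dict:
    original = b"constructed sample installer contents"
    modified = bytes([original[0] ^ 0x01]) + original[1:]   # one bit changed
    signed = pack_signed(original)
    return {
        # A stale checksum does catch the change...
        "stale_checksum": verify_checksum(
            {"payload": modified, "checksum": digest(original)}),
        # ...but whoever edits the payload can recompute it, so it proves nothing.
        "recomputed_checksum": verify_checksum(pack_checksum(modified)),
        # The untouched signed package verifies.
        "untouched_signed": verify_signed(signed),
        # The old signature does not fit the modified payload, and a new one
        # cannot be made without the private half D.
        "reused_signature": verify_signed(
            {"payload": modified, "signature": signed["signature"]}),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```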
| 20-04-2006 01:10 PM |
| steff2632 |
Quote:
|
Originally Posted by Rafe
Bear in mind Symbian Signed only guarantees identity not the application is good... there's still potential for battery draining programs (not a big deal if it can distribute itself)... there are also J2ME virii in theory too...
|
Hold on, PlatSec only guarantees ID? So really a malware developer could get hold of a well-known & highly used app, "crack it" but really put malware in it, then distribute it as the cracked version, therefore sending out malware with an app that has already been Symbian Signed, making the whole Symbian Signed & PlatSec thing worthless.
|
| 19-04-2006 01:35 PM |
| svdwal |
Quote:
|
Originally Posted by bbj
Absolutely yes, malware/trojans can be written, pass Symbian Signing etc - the PlatSec does not stop this. However if caught I suspect the Symbian community would hear of it pretty quickly + the revocation service enacted - possibly on the one app - possibly on all that company's apps. It's a pretty good way of becoming hated + going out of business....
|
It is nowadays common for cybercriminals to extort websites by threatening them with DDOS attacks. I doubt such people would care much about being hated by the Symbian developer community.
Don't think of these people as misguided teenage hackers. They are criminals, and their frontend going out of business.... who cares. There are plenty of them to go around.
Sander van der Wal
mBrain Software.
|
| 19-04-2006 11:06 AM |
| bbj |
Perhaps it would be possible to determine from F-Secure exactly what kind of virus attacks their AV software is actually protecting against on OS9. From that a sensible decision on whether this is actually adding any value can be made.
Peace of mind can only occur if it's known what protection is actually being offered compared to what is actually possible.
It's unclear why anyone believes that an AV product is in itself 100% reliable + therefore able to prevent all viral attacks. Indeed most AV companies issue updates on a very regular basis to counterattack the latest + greatest virus. Given there are (close to) 0 known viruses on OS9 at this time one assumes the current AV software can't actually offer much value at this time as it does not know how to counteract things that don't exist.
Absolutely yes, malware/trojans can be written, pass Symbian Signing etc - the PlatSec does not stop this. However if caught I suspect the Symbian community would hear of it pretty quickly + the revocation service enacted - possibly on the one app - possibly on all that company's apps. It's a pretty good way of becoming hated + going out of business....
|
| 19-04-2006 08:05 AM |
| puterman |
Steve, just like Jukka pointed out, that there's a security framework in place doesn't mean that a system is immune to any threat. There's no such thing as software that's completely bug-free, and bugs mean potential security hazards. There's no such thing as a computer that's immune to security threats, not even if you switch it off (or even better, smash it up really good) and lock it up in a bank vault.
I still agree that anti-virus software for Symbian OS devices is pretty much unnecessary right now, of course.
|
| 19-04-2006 07:09 AM |
| svdwal |
Malware will still be possible
With PlatSec the majority of kinds of malware will be (almost?) impossible, but I still see a 'bright' future for Trojans. This is how to do it:
1) create a company and write some apps. Make yourself known in the marketplace. Or buy some existing companies. Obtain an ACS from Verisign.
2) Now, create an app that has an understandable need for examining the Agenda, contacts, whatever, on the device. You also add to this app a module that sends the user's data to some server. This siphoning off doesn't start to happen right away, or in large quantities. The trojan can examine the data and look for interesting stuff (like home addresses in expensive neighbourhoods, or function titles like CEO, CFO, ....).
3) give the app a good reason to regularly connect to some server. You can for instance use a licensing model such as pay-per-use, pay-per-month, or looking for upgrades. Encrypt the data stream. You can now send off the data, and get new instructions back.
4) Get the app on as many devices as possible. This is the hard part.
5) Wait for the data to come in, and act on it in such a way that nobody expects your app for a long time.
Sander van der Wal
mBrain Software
|
| 19-04-2006 06:51 AM |
| slitchfield |
I know you work for Nokia, but I just don't agree. When the whole concept of firewalls became vital, it was because Windows left half its TCP/IP ports open. ZoneAlarm and the like did the job until Windows XP's built-in firewall came along, but since then there's been no need for third party software.
Similarly with Symbian OS, except that it's had stealthy ports from day one. No need for a third party firewall.
And I STILL don't buy the 'we are not the average user' argument. PlatSec means that ALL Symbian OS 9 devices are IMMUNE from warez/malware/trojans, by definition. So however stupid the user, the worst they can do is screw up their own phone a little bit. In the worst case, should they install a trojan that's unsigned and should they ignore all the warnings, it'll simply flap about a bit on their device and then not be able to transmit itself. They can then simply follow usual 'start afresh' procedure (e.g. three finger startup) to wipe the trojan.
Come on guys, I know F-Secure has a *brilliant* marketing and PR team (and probably lots of money), but this is a case of the emperor's new clothes and I feel like the little boy at the back of the crowd shouting....
Steve Litchfield
|
| 19-04-2006 06:24 AM |
| jukkaeklund |
Steve, you're being too straight-forward here. Windows has also lots of internal security systems in OS level, and still we need anti virus software. The need might not be as urgent with smartphones (especially with Symbian 9), but the need is still there. You or I won't be needing that, but we are not the average user.
|