Operators locking handsets to Symbian Signed

Published by at

Simon Judge is reporting on his blog that some operators (Vodafone Japan) are locking down S60 3rd Edition handsets so that only Symbian Signed applications can be installed. This means that self-signed applications can not be installed.

With the introduction of Symbian OS 9 Symbian introduced a new platform security model. This associates phone functions (such as writing files to the phone's memory, use of Bluetooth, access to certain APIs etc.) as capabilities. Signing an application allows it to use given capabilities on the phone. 

All applications and install files for Symbian OS 9 must be signed in some way. The two main ways to do this are through Symbian Signed and via self-signing. Symbian Signed costs between £75 and £200 per signing instances (and additional set up costs of around £400). Self-signing is free.

Symbian Signed allows access to all but the seven most resticted capabilities on the phone (these capabilities can only be accessed with an extra level of manufacturer approval). Self-signing allows application access to a more limited set of capabilities than Symbian Signed. General capabilities that are not considered a major security risk can be access via self signed applications. Where there is a small security risk (such as the use of Bluetooth or use of the Network to retrieve data) self signed application must gain user permission to access these capabilities (in the form of a dialog that asks user the grant these capabilities to an application).

If a user attempts to install a self signed application and the phone security permissions are set to not allow self signed application install the phone will throw the error message: 'certificate error, contact application provider'. In most cases it is possible to change the security settings of the phone to allow such applications to be installed. In App Manager -> Options -> Settings, Software Installation should be set to All (from Signed). This will allow self-signed applications to be installed.

However Symbian does allow operators to lock this down. Theoretically operators could lock things down so that no application (even Symbian Signed) could be installed. Many operator operators choose to not allow self-signed application by default, but DO allow user to change this setting. However in the case of Vodafone Japan this is NOT allowed. The Software Installation option in App Manager settings is not present and therefore is not possible to allow self-signed application to be installed (see screenshots on Simon's blog).

Self-signed application are mainly freeware or application and games from smaller developers. Nearly all third party themes are also self signed. However it is worth noting that self-signed application are quite safe, especially when compared to other platforms and previous versions of the Symbian OS.  Because of both the restricted set of capabilities and the requirement to gain user permission before using basic capabilities self-signed applications are much safer than their equivalents on other platforms. They are much safer than self signed applications on previous versions of Symbian OS and are arguable safer that Symbian Signed applications from pervious versions of the OS (prior to Symbian OS 8 Symbian Signed only guaranteed identity).

Locking out self-signed application reduces the number of applications available to users and raises the cost of development for niche products. Although signing costs are relatively small the investment is required before application sales can begin and therefore may make development economically impossible for applications with a small target audience. 

If your operator has restricted your handset we are interested in hearing from you. Please leave a note in the comment thread or contact us directly. 

Summary of Symbian OS 9 Phones Security Levels:

  1. Open Phone - can install both Symbian Signed and self-signed install files by default.
  2. Open 'Locked' Phone, self-signed restricted  - Symbian Signed by deafult only, self-signed via settings change.
  3. Closed 'Locked' Phone - Symbian Signed install files only.

Currently most SIM free and some operator phones fall into category 1. Some SIM free phones and many operator phones fall into category 2. Category 2 is less desirable because of unclear error messages and user intervention required to allow self -signed applications to be installed. Branded phones from Vodafone Japan (N71) fall into category 3. Category 3 phones are the least desirable because they restrict the number of applications that can be installed.


As one of our commentators correctly points out this limitation was also present in the Nokia 6630 variant that shipped on the Vodafone Japan network. Japan does have a different approach to mobile platforms and software than the rest of the world. The two major phone platforms in Japan (Symbian MOAP and Linux) similarly do not allow the installation on uncertified third party software.