'Ecosystem expired'?
Published by Steve Litchfield at 9:59 UTC, September 17th 2008
Following on from Ewan's thoughts yesterday on the freedom in the Symbian/S60 developer world, I have to say that I take a slightly different view. Over and over, I'm finding that applications I download (from developer sites, from AAS, from Handango, etc) can't easily be installed, each coming up with 'Expired certificate'. Read on for a Steve rant....
Now look, I understand the reasons for certificates on SIS files - the idea is to a) validate who produced the application and b) specify a time period over which the install is valid. While the second parameter may seem a bit odd, any active developer will be producing new versions and builds over the course of a year and so even a '1 year' certificate should easily be enough, with a newer certificate superseding it long before the old one runs out.
What's been happening in the Symbian world is that, for one reason or another (defecting developers looking for shiny new platforms [cough - Android, iPhone]? all decent application ideas now already produced? - discuss), more and more applications are being left to rot, as it were. You can just about excuse a SIS file on a software store (e.g. Handango's) being out of date - after all, maybe the developer simply never got round to uploading the newer versions to all the appropriate stores - but there's no excuse at all for letting the certificate in the master SIS file, on the developer's own web site, expire.


And, of course, it adds yet another barrier to a new S60 user being able to install third party applications. As if the 'Find on desktop web/Download/Install with PC Suite/Ignore warnings from S60 Installer' route wasn't long enough already, users are now faced with having to know how to 'hack' their phone's date temporarily back a year, just to install an application that the developer web site assures them is 100% compatible.
Now, all this doesn't apply to the biggest boys in the Symbian world. Nokia themselves (of course), Google, Epocware, Quickoffice, Dataviz, and so on. Each of these can afford full Symbian Signed status for their applications, along with 3 or 10 year certificates. And their applications are, as a result, less prone to 'expired' syndrome. But for the rank and file in the developer world, self-signing certificates for their apps, they've got to stay relatively active and building install files... and it seems many are not.
With the slickness of the Apple iPhone AppStore as a rather good yardstick, the current situation doesn't look good. Now, go back a couple of years, with S60 3rd Edition new and shiny and every application freshly certified and there wasn't a problem. And look forwards a couple of years and all Symbian applications will have much longer certificates [Rafe shouts '10 years' from the back office] and, again, there won't be a problem.
But in the meantime, we've got a lull. A hiatus. An embarrassing gap.
In which only the biggest and most obvious S60 applications download and install seamlessly. While an ever-increasing number of smaller developer applications, rather than generating sales now that they're mature and bug free, are instead causing installation problems while the developers and (arguably) Symbian are asleep at the wheel.
In an AppStore-mad world [2008], this is perhaps the wrong time for the Symbian third party software world to be having a mid life crisis.
Steve Litchfield, All About Symbian, 17 Sep 2008
PS. Another justified rant at the stunted mess that's Nokia's AppStore-competing, on-device Download! system is probably appropriate here, but it turns out that I did this a couple of months ago...
Categories: Software, Developer, Industry, Editorial Thoughts
Platforms: S60 3rd Edition
News Discussion
Hardeep1singh
Simple solution to this problem. Hello Carbide should be preinstalled on all S60v3 devices.
svdwal
If developers are indeed moving to greener pastures, don't expect the situation to improve much, if at all. Developers that have abandoned the platform won't spend a minute fixing even something rather trivial like an expired self-signed certificate.
What the ecosystem needs right now is an announcement from Nokia that they are going to do an AppStore too. It doesn't have to be ready this year (though that would be very nice), but a.t.m. Symbian is the only smartphone platform without an announced AppStore. I'm sure they would like to announce it at the Smartphone Show next month, but I think that's too late.
BTW, I think one year for a self-signed certificate is a bit short. Not all apps need to be updated all the time, and updating all the places on the web the sis file is stored is also quite time-consuming. A self-signed sis file won't get any safer or less safe if it expired after 10 years instead of one, because the system clock can be reset. It does indeed only add to the nuisance factor of the platform.
Jan Ole Suhr
Steve,
I fully agree with you on the "expired certificate" problem.
Having a self-signed or Symbian-signed application expire is just plain stupid. There is no added security here, only unnecessary hassle and costs for both users and developers/publishers.
When I asked about why Symbian implemented this feature and what to do with expired SIS files, they gave the advice to temporarily reset the date of the phone to allow the file to be installed!
With a self-signed application, the developer can opt for a long lifetime of the certificate (like 100 years). The default is set to 1 year, though, leaving us with a lot of "expired" theme packages, freeware and even commercial apps.
This obvious defect in the Symbian-signed regime doesn't mean the whole Symbian ecosystem is worse or inferior to the Apple Appstore approach, though.
Sergey Zak
Let me share my certificate horror story. About a year ago I bought Soldier Ants UIQ game from Handango, they sent me code and download link from the manufacturer. I downloaded the game - and BINGO! the certificate expired and I could not install it, hence I could not use the code. The Handango Support Monkeys monkeyed around me for about two months! They sent me to manufacturer for support, the manufacturer obviously did not have the right competence by then to help me! It took dozens of e-mails and then I started asking to refund me money, but no, they insisted on 'helping' me! So I looked up more closely on Handango's site and found a section "Who's Who" and there I got the name of Customer Relations VP so I sent another e-mail asking the tech sup to refund, or I'll mail the Kelly Mulroney, that VP.
Bingo! Finally he agreed to refund, but refund NEVER CAME.
I would have called them here bad words BUT later on I found out that I can strip the certificate off the file with the help of SISTools Windows app. So I went out and finally helped myself to the game, 3 months after the purchase. I will NEVER, EVER BUY anything from Handango!
Talk to me against pirating after that! I will use whatever is easier. iTunes demonstrated that that is the only popular way. Only because buying music there is MUCH EASIER than pirating (looking all over the net, waiting, fetching lyrics, art) only usability rules people into actually getting stuff...
hypochondriac
You could just hack your phone and then never worry about certificates again!
Tzer2
Quote:
|
BTW, I think one year for a self-signed certificate is a bit short. Not all apps need to be updated all the time, and updating all the places on the web the sis file is stored is also quite time-consuming. A self-signed sis file won't get any safer or less safe if it expired after 10 years instead of one, because the system clock can be reset.
|
Absolutely, there are no anti-piracy benefits in certificates being restricted to 1 year compared to a more reasonable 5 or 10 (or indeed infinity as some have suggested).
It makes you wonder if some DRM restrictions aren't really about piracy at all, but some other hidden agenda. Was the 1 year restriction some way of forcing developers to keep coming back to Symbian for new certificates?
It's not just on Symbian, this seems to happen on every platform nowadays. The fuss made about the Windows game Spore for example has centred around the game disc only installing three times in its lifetime, after which it becomes useless. Does that really serve any anti-piracy function, or is it actually a way of destroying the totally legal second-hand and rental markets?
Unregistered
While I actually appreciate the whole signing-concept, I do not appreciate the fact that I cannot install an unsigned or 'expired' program on my own phone. In the end, it's Symbian/Nokia who decides what I may install on my device. That's really totally insane. As if Canon decides what I may photograph and what not with my very own camera.
There should be an option to override the whole thing. I don't mean a hack, but an official way to persuade my mobile to install unsigned/expired apps.
This DRM-thing isn't something they advertise with. In fact, I found out only after I bought my mobile. For my next mobile however, this kind of DRM is an instant dealbreaker.
mike_brock
When Symbian built the self-signing certificate generator for Symbian 9 they set it to produce certificates that are only valid for 1 year. They didn't provide an option to change that length of time and the fact that the certificate is only valid for one year is not obvious.
This may have been because their thinking was that all "proper" apps are Symbian Signed, but more likely it just wasn't thought through and the issue didn't become evident for a year. No one's perfect!
It is easy for developers to use something like OpenSSL to generate a certificate that is valid for many years - but in the main developers do not realise they need to do this until some time later.
But even without OpenSSL it is trivial for the developer to create a new 1 year certificate and re-sign the software, so Steve's points stand.
Symbian Signed apps are signed for 10 years from the date of signing, so should be fine for a while yet.
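The OpenSSL route mentioned in the comment above, as an added example that is not part of the original thread and not a Symbian tool: it creates self-signed certificates with a 1-year and a 10-year lifetime and lists which ones would lapse within a chosen window, the check a developer would run before publishing an install file. The subject name, file names and function names are constructed for illustration; signing a SIS file with the result is outside the example.

```shell
#!/bin/sh
# Added example. Subject, file names and helper names are constructed.

# make_cert DIR NAME DAYS: self-signed certificate valid for DAYS days.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=example-developer" \
        -days "$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# valid_in CERT SECONDS: succeeds if CERT is still valid SECONDS from now.
# openssl's -checkend exits non-zero when the certificate expires in that span.
valid_in() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# expiring DIR SECONDS: print every *.pem in DIR that expires within SECONDS.
expiring() {
    for cert in "$1"/*.pem; do
        [ -e "$cert" ] || continue
        valid_in "$cert" "$2" || basename "$cert"
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir" default 365       # the 1-year lifetime discussed above
    make_cert "$dir" longlived 3650    # 10 years, chosen explicitly
    for name in default longlived; do
        printf '%s: ' "$name"
        openssl x509 -in "$dir/$name.pem" -noout -enddate
    done
    # 63072000 seconds = 2 years: which certificates lapse before then?
    echo "expiring within 2 years: $(expiring "$dir" 63072000)"
    rm -rf "$dir"
}

demo
```
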
Williamoni
Quote:
|
Symbian Signed apps are signed for 10 years from the date of signing, so should be fine for a while yet.
|
As a general principle, if I buy a product I think it's fair that I use it for as long as I like, without any time limitations.
Steve is spot on with this one. It's a total own goal by Symbian and needs to be fixed as soon as possible.
lithgow
This is actually not a Symbian problem. It's an S60 problem.
Most S60 devices, for some bizarre reason, require everything to be signed, thus the prevalence of self-signing.
UIQ devices, on the other hand, don't require everything to be signed (only things that use certain capabilities).
Thus many UIQ applications can be completely unsigned (providing their UIDs are in the unsigned range), and there is not this weird prevalence of self-signed apps which is causing the problem in the S60 community.
Don't blame Symbian for something they didn't do (there's enough they DID do that we can blame them for). ;)
For my take on the App Store see
The Happy Medium: Building a Smartphone App Store that Works
Unregistered
Well for example it is really hard to install any freeware to phone that requires signing. You have to go to symbiansigned.com and it really sucks big time. And sometimes you need to ask DEVELOPER to sign it for you. LOL thinking of millions of requests "could you please sign it for me, my IMEI is..."