Home > Archive > Smartphone Developer Forum > December 2005 > Smartphone and security
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Smartphone and security
|
|
|
| I would like to know how people address smartphone security and signing
problems. Many carriers have their own signing, VerizonWireless uses it own
certificate, Orange its own and Sprint and other uses Verisign for windows
mobile smartphones. How to develop and install application to run on any
smartphone? does it mean the solution is to have multiple binaries of the
same app signed with different certificates and install binary files
depending on carrier? How do you verify from what carrier is the smartphone
you are going to install your app on? Do you just prompt user or there is
some programmatic way to determine carrier before installing the app? This
problem does not seem to exist for Pocket PC devices and new WM 2005 devices.
| |
|
| Sasha wrote:
> I would like to know how people address smartphone security and signing
> problems. Many carriers have their own signing, VerizonWireless uses it own
> certificate, Orange its own and Sprint and other uses Verisign for windows
> mobile smartphones.
> How to develop and install application to run on any
> smartphone?
Microsoft has tried to work with carriers to develop the Mobile2Market
signing service, which priviledge signs your code if it needs to used
priviledged APIs. If it doens't used priviledged APIs you can just get a
normal certificate from Verizon/eTrust etc. Either way should work on
all phones.
> does it mean the solution is to have multiple binaries of the
> same app signed with different certificates and install binary files
> depending on carrier? How do you verify from what carrier is the
smartphone
> you are going to install your app on? Do you just prompt user or
there is
> some programmatic way to determine carrier before installing the app?
SmartphoneNotes used to have multiple binaries, before Mobile2Market,
i'm not sure what they do now - but that would be a good app to have a
look at:
http://www.syncdata.it/sphnotes.html
> This
> problem does not seem to exist for Pocket PC devices and new WM 2005 devices.
Yes this problem does exist for all WM5 devices. older PocketPC devices
didn't have this issue. This is bought about, in part, as some carriers
want control over that applications have access to cell network - and
don't want unauthorised apps running.
riki
Don't ask me; I was hired for my looks.
By Night:
ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
AbstractStart for Smartphone :
http://homepages.inspire.net.nz/~gambit/AbstractStart/
Latest Betas have WM5 layout and speed dial support
| |
|
| I am not sure what you mean by "just get a normal certificate from
Verizon/eTrust "? If any of our binary or installation cabinet file is not
signed with Verizon certificate (privileged or unprivileged) it cannot be
even installed on a VerizonWireless smartphone. The same with Orange but they
have their own certificate. For Orange it is even worse since we had to send
them application for testing and only then they signed it with their
certificate. For VW we can buy signing from Verisign and sign ourselves.
Sprint and others use Verisign WM smartphones certificate. Our greatest
challenge right now is to determine programmatically which carrier is
connected smartphone from so we can install appropriately signed app.
"riki" wrote:
> Sasha wrote:
>
>
> Microsoft has tried to work with carriers to develop the Mobile2Market
> signing service, which priviledge signs your code if it needs to used
> priviledged APIs. If it doens't used priviledged APIs you can just get a
> normal certificate from Verizon/eTrust etc. Either way should work on
> all phones.
>
> smartphone
> there is
> SmartphoneNotes used to have multiple binaries, before Mobile2Market,
> i'm not sure what they do now - but that would be a good app to have a
> look at:
> http://www.syncdata.it/sphnotes.html
>
>
> Yes this problem does exist for all WM5 devices. older PocketPC devices
> didn't have this issue. This is bought about, in part, as some carriers
> want control over that applications have access to cell network - and
> don't want unauthorised apps running.
>
> riki
>
> Don't ask me; I was hired for my looks.
> By Night:
> ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
> AbstractStart for Smartphone :
> http://homepages.inspire.net.nz/~gambit/AbstractStart/
> Latest Betas have WM5 layout and speed dial support
>
| |
|
| Sasha wrote:
> I am not sure what you mean by "just get a normal certificate from
> Verizon/eTrust "?
a normal unpriviledged certificate.
>If any of our binary or installation cabinet file is not
> signed with Verizon certificate (privileged or unprivileged) it cannot be
> even installed on a VerizonWireless smartphone. The same with Orange but they
> have their own certificate. For Orange it is even worse since we had to send
> them application for testing and only then they signed it with their
> certificate. For VW we can buy signing from Verisign and sign ourselves.
> Sprint and others use Verisign WM smartphones certificate. Our greatest
> challenge right now is to determine programmatically which carrier is
> connected smartphone from so we can install appropriately signed app.
Smartphone Notes used to just ask the user when it installed: again try
downloading their app and running it. I don't think there is any
unpriviledged APIs you can call to determine the carrier.
Robert, i don't support you know?
Riki
A great many people think they are thinking when they are merely
rearranging their prejudices.-- William James (1842--1910)
By Night:
ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
AbstractStart for Smartphone :
http://homepages.inspire.net.nz/~gambit/AbstractStart/
Latest Betas have WM5 layout and speed dial support
| |
|
|
"Sasha" <Sasha@discussions.microsoft.com> wrote in message
news:8D8310F2-1189-4A55-8AB0-26105AA2407F@microsoft.com...[color=darkred]
>I am not sure what you mean by "just get a normal certificate from
> Verizon/eTrust "? If any of our binary or installation cabinet file is not
> signed with Verizon certificate (privileged or unprivileged) it cannot be
> even installed on a VerizonWireless smartphone. The same with Orange but
> they
> have their own certificate. For Orange it is even worse since we had to
> send
This is not true, both Orange and VZW phones will install an unprivileged
application if it's signed with a Mobile2Market unprivileged certificate.
The real challenge is when you have a privileged application. In this case,
to support the largest share of Smartphones of the market, you will need to
submit your application for testing to VZW, Orange and Mobile2Market.
--
Giuseppe Govi
g.govi <at> vodafone . it
|
|
|
|
|