Cracked by BiNPDA

S60 3rd Edition requires all Symbian applications to be signed, that’s one of the bigger changes that came with Symbian 9.1 operating system. This has led to some confusion among developers, who think they need to apply for a certificate (which costs money and takes time) even to be able to show a ‘Hello world’ on the screen. This was very confusing for me too for some time, but now I got it. Hope this helps somebody out there.

Self signing with own certificate
To sign an application you can create your own private certificate, with the tools and instructions that come with S60 SDK. For step-by-step instructions, look for “How to Sign .sis files” on SDK docs folder (no online link, sorry). The catch is that even though your application will be installable, it’s still treated as ‘untrusted’ and has some limitations applied by the platform security. One limitation is that the application cannot get any capabilities other than those which are user grantable (ie. ReadUserData, WriteUserData, NetworkServices, LocalServices and UserEnvironment). I don’t really know how limiting those 5 capabilities are for real-life applications. What I do know is that some s60 apps are signed with a self-created certificate, and that application does stuff like read files and access network.

There are also some usability issues with self signed applications. The user will get an intrusive security warning (pictured below).

If you chooses to take the risk and Continue, he will be asked to confirm the capabilities that the application wants to use (pictured below). To me this dialog is not really understandable. Its purpose is to ask from the user, but I guess on the sake of usability there is no question but just Continue/Cancel choice. I don’t think an average user will understand what he just did after pressing Continue.

This was the default case for self signed applications. On some S60 devices (at least Eseries) there might be one additional step to make. There is a setting on Application manager that controls whether untrusted applications can be installed at all. If this setting is ‘Signed only’, there will be an error dialog shown and application won’t install (see below). The user needs to change the setting to ‘All’ to allow self signed apps to install.

That’s it about self-created certificate and signing. To make the picture full, I’ll mention the other options that lead to a ‘trusted’ application that can have more capabilities, and doesn’t ask anything from the user.

Freeware certification
Special route for freeware applications, that doesn’t cost anything but can take some time. More at Symbian Signed.

Symbian Signed certification
The “default” way of signing a commercial application. See more here. Cost is $350 /year for ACS Publisher ID and testing cost starting from 185€/round.

Self certification
The heaviest option for bigger developers, cost $10000 /year.

Popularity: 25% [?]

More interesting posts:

• Interpreting Signing Error Messages in S60 3rd Edition
• Hack the N95’s News reader template!
• Deleting “Stuck” Installer Files in S60 3rd Edition
• Debranding Nokia BB5 Handsets
• Simple hack to update your Nokia n73 to Music edition