The Symbian Signed process is supposed to weed out malicious and otherwise unpleasant applications, but failed in the case of Sexy Space.
The Symbian Foundation had egg on its face recently as the news broke that it had digitally signed a Trojan application – allowing it to be installed on mobile handsets without warning.
As reported over on CNet, the Foundation admitted to digitally signing the Sexy Space Trojan horse application without fully checking its capabilities – a bit of a problem when you realise that the application has been expressly developed to create a mobile information gathering botnet.
All applications installed on a handset running Symbian OS must be digitally signed in order to prevent malware and stop users installing pirated versions of popular apps: while tech-savvy users used to be able to sign their own applications via a developer certification, this has recently been made more difficult – and does not give full access to the inner workings of the 'phone. Instead, developers are expected to submit their applications to the Symbian Foundation who – supposedly – vet the software and issue a digital signature. Once signed, the application can be installed on any Symbian handset without any warning messages being displayed beyond the usual “Are you sure you wish to install...”
Chief security technologist at Symbian, Craig Heath, has stated that the company does “try to filter out the bad eggs” as part of the signing process, and readily admits to a failure of the system in the case of Sexy Space. The issue was two-fold: as the application was not detected by automated virus scanners, the issue was not found until after the signature had been issued; this was compounded by an error in the certificate revocation servers which allowed the application to remain available for a week after the issue had come to light.
In order to prevent this kind of embarrassing slip-up, Heath has said that the company is looking to improve its automated scanning infrastructure, as well as the human element of the checks.
Does this demonstrate the truth behind DRM, or is it just an easy mistake to make on the Symbian Foundation's part? Share your thoughts over in the forums.
9 Comments
Ok, operating systems that don't do anything other than very basic tasks. I swore off assembler years ago. I wouldn't use the kinda phone that does email or IM or browse the web if you call it that because I have yet to see a phone that does it decently. Screen is just too small to make use of it, I really don't see how people can use such a tiny thing, it's slow and frustrating as can be. Not to mention the costs locked to metered times/data are laughable to me. You have to pay for the right to pay, that is hilarious. Also I won't pay more than my rent per month for a damn phone lol.
$50 a month for internet, my cable internet costs less than that, is way faster, has no caps (or at least are silly high). That phone does seem reasonable in cost though I will admit that. Still though once you add up all the mobile charges at the bottom line in the monthly bill it comes out to be way too much to justify for a damn phone.
Well I have free wifi and cable, so I don't really factor that in. I don't get/use cable due to most of my favorite shows being online or that I never watched that much television in the first place.
Yes I do agree that you pay a shitton of money through cellular contracts, mine is $600 a year and the cost of the phone. But that includes all of the above, and a nifty device that I can play the Sims on if I get bored at some conference.
Q: did Symbian screw up?
A: Yes.
Q: was it any different from the mistakes that any other big OS company/programmer made (or will make)?
A: not so much
Human error is what it all boils down to, the programmers missed the flaw in the OS before they went live with it, and the "automatic scanning" was another human programmed mistake (if ya didn't see the flaw in the OS, why would you program the scanner to find it?)
Net result: OS programmers: -1, smart boys and girls hacking said OSes: +1
My verdict is that yes, Symbian messed up, but it wasn't exactly massive... just human error.
there is no such thing as a secure OS, just ones that nobody bothers to hack
Why not just rely on payphones then? You complain about a phone that should do its job but it having a too small screen, surely you want it to fit in your pocket?