Securing the Mobile Enterprise

September 1, 2009

Symbian Security Model

Filed under: Mobile Security — Balaji Prasad @ 10:48 pm

A recent article in eWeek claimed that 1 in 63 smartphones is infected with some form of malware: viruses, worms or Trojans. For the most part, users are unaware of the infections. The bulk of this malware enters the device when users install applications that are (often) unsigned. The problem is aggravated by the fact that Symbian phones do not have a centralized app store that can vet applications. It is not that the security model for Symbian is weak. In fact, from an architectural perspective, there are 4 levels of increasing privilege.

[Figure: Symbian Security Model]

As can be seen, the Symbian Signed applications / modules have the most widespread system privileges. These are the ones that are allowed unrestricted access to system internals and the underlying hardware. Recently, however, we have seen mobile malware that carries a legitimate digital signature. This has raised serious questions about Symbian’s automated approval process. Symbian has since revoked the certificate and published it on their CRL server. However, the revocation will only be picked up by handsets that are configured to check for revoked certificates. By default this is disabled in the Application Manager settings.

On S60 3rd and 5th edition, the setting to turn on revocation checks can be found in the application manager, for example:

Tools → Settings → Applications → App. manager → Online Certificate Check

More gory details about the app signing process can be found here.
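The effect of the revocation setting described above, as a simplified model added here (it is not Symbian's installer code and not part of the original post). The three mode names, the fail-open behaviour of ON when the server cannot be reached, and the serial numbers are assumptions constructed for illustration.

```python
from enum import Enum

class CheckMode(Enum):
    OFF = "off"              # the default the post describes
    ON = "on"                # assumed: check, but tolerate an unreachable server
    MUST_PASS = "must_pass"  # assumed: install only on a positive "good" answer

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"

# Constructed revocation data: serial numbers the signer has revoked.
REVOKED_SERIALS = {"0xBAD5EED"}

def query_revocation(serial, network_up=True):
    """Stand-in for the online lookup against the signer's revocation server."""
    if not network_up:
        return Status.UNREACHABLE
    return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD

def install_decision(signature_valid, serial, mode, network_up=True):
    """Return (allowed, reason) for a signed package."""
    if not signature_valid:
        return False, "signature invalid"
    if mode is CheckMode.OFF:
        # No lookup is made, so a revoked certificate looks like a good one.
        return True, "revocation not checked"
    status = query_revocation(serial, network_up)
    if status is Status.REVOKED:
        return False, "certificate revoked"
    if status is Status.UNREACHABLE:
        if mode is CheckMode.MUST_PASS:
            return False, "revocation status unknown"
        return True, "revocation status unknown (fail-open)"
    return True, "certificate good"

if __name__ == "__main__":
    # Same revoked certificate, every mode, with and without connectivity.
    for mode in CheckMode:
        for up in (True, False):
            print(mode.name, "network_up=%s" % up,
                  install_decision(True, "0xBAD5EED", mode, up))
```

In this model the package signed with the revoked certificate is rejected in every case only under MUST_PASS; with the check off it installs like any other validly signed package.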
