I'm sure that the dark side of computing was not in marketing's mind when they came up with the slogan "It's what computers have become." Phones are becoming more and more like computers every day, so it's not surprising the underbelly of the computing world is also going mobile!
Thru Engadget Mobile, I found out that there is a trojan horse program out there that sends messages to a premium SMS number in the background, thus costing you a ton of money. According to the Unwired View article, this is the first time that a particular trojan horse was written specifically for S60 devices.
In S60 3rd Edition, which is used by all of the Eseries and most of the Nseries devices, it became a requirement for all applications to be signed; otherwise they cannot be installed. Furthermore, depending on how the application is signed, the application will be restricted to specific functions only. Details are explained in the S60 Platform Security FAQ, if you're interested.
For certain capabilities, applications need to be signed by Symbian or a trusted third party. This ensures that applications perform to specific requirements. It is also possible to release a piece of software self-signed, which is primarily designed for limited testing purposes. Even so, self-signed software is widely available from a number of sources.
What can a self-signed application do? According to the Capability Descriptions on Forum Nokia, quite a lot, actually. Capabilities include: reading/writing user data (e.g. contacts/calendar), Bluetooth/Infrared, user environment items like the microphone and camera, location information (from the mobile network), and network services, such as the ability to make a call or send an SMS.
If this trojan program was designed for S60 3rd Edition, it could easily be a self-signed application since self-signed applications are permitted to use SMS. What I am having an issue remembering at the moment is whether or not the user is prompted before SMS is used--someone more familiar with this aspect of S60 security should contact me or post corrections in the comments. I also know that some of the details about what self-signed applications may be allowed to do and what they are prompted to do are controlled through operator firmware variants as well, so the details of enforcement may differ somewhat from version to version.
I do know that with some unsigned applications, it is possible to go into the Application Manager (Tools > App Mgr) and explicitly disable access to unneeded services or change the prompting levels for services that are allowed. In Application Manager, scroll down to find the application in question. Hit the Options soft key and select, if available, Suite Settings. From here, you can adjust the permissions levels.
You should always be warned when you install a self-signed application that the application is untrusted and may be harmful to your phone. Given what a self-signed application has access to, if you're at all unsure about the origin of the application, by all means don't install it! Furthermore, you can prevent the installation of self-signed applications by going into the Application Manager, hitting the Options soft key and selecting Settings. From there, change the Software installation option to Signed only.
The only other piece of advice I can offer is to be observant and verify what the phone does by checking your call logs and sent message logs in the phone to ensure that there are no unauthorized calls or messages. Read any messages you get while running an application carefully. If you don't understand what it's asking, the safest thing to do is to not allow the action.
Are there any other hints you can give people to ensure their device doesn't get pwned by nefarious elements? Post your thoughts in the comments.
Comments
ohh goodie. just when we thought the security model in the S60 3rd edition platform was going to spell the end of all hacks n viruses...!! Maybe the antivirus companies making antivirus software for the 3rd edition needed something to coax people into buying their stuff.
Posted by: Ray | May 25, 2007 03:21 PM
Yes, a self-signed application can send SMSes without prompting the user.
Posted by: Jukka Laurila | May 25, 2007 03:56 PM
Each time I connect to Yahoo mail with my Nokia E61 a file called "st" is downloaded. I'm afraid this could be a virus and therefore each time I have to make manipulations to delete it to avoid it being saved. Any hints? Thanks.
Posted by: Pierre Maroun
If Yahoo were distributing viruses, it would make the news. My guess is that this is just some extra cruft that the S60 Mail application doesn't know what to do with.
Posted by: PhoneBoy
Once again, if the PlatSec would have been done as I've described many times, this wouldn't be possible. But since it's not, this is what you get.
Ask the user. Ask the user. Don't trust the software. Don't trust testing houses. Ask the user. Let them decide, allow/deny, once/always. Simple.
If the user gets a message saying "Program XYZ wants to send an SMS, do you want to allow this?" I really think most people would say NO! But now the user doesn't have any possibility to say anything or even know this is happening.
How many apps like this have to appear before my suggestion is taken seriously and implemented, naturally also in older devices?
Posted by: Symbiatch | May 28, 2007 02:29 PM
Symbiatch, you should really apply for a job at Nokia and/or Symbian, we could use your knowledge :)
Posted by: Jukka Eklund | May 28, 2007 09:06 PM
Jukka: I don't want to work for either, but I'm available for subcontracting :)
And I would be very willing to consult on this matter since it's one of the major pains in the donkey for me personally. Feel free to contact me :)
Posted by: Symbiatch | June 1, 2007 03:28 PM