It’s not just Symbian that runs into some criticism over the operation of application certification and signing programs. (See eg the discussion on “Rogue Android apps rack up hidden charges“.)
This is an area where there ought ideally to be a pooling of insights and best practice across the mobile industry.
On the other hand, there are plenty of conflicting views about what’s best:
- “Make my network more secure? Yes, please!”
- “Make it easier to develop and deploy applications? Yes, please!”
If we go back to basics, what are the underlying requirements that lead to the existence of application certification and signing schemes? I append a list of potential requirements. I’ll welcome feedback on the importance of various items on this list.
Note: I realise that many requirements in this list are not addressed by the current schemes.
a. Avoiding users suffering from malware
To avoid situations where users suffer at the hands of malware. By “malware”, I mean badly behaved software (whether the software is intentionally or unintentionally badly behaved).
Examples of users suffering from malware include:
- Unexpectedly high telephone bills
- Unexpectedly low battery life
- Inability to make or receive phone calls
- Leakage without approval of personal information such as contacts, agenda, or location
- Corruption of personal information such as contacts, agenda, or location
- Leaving garbage or clutter behind on the handset, when the software is uninstalled
- Interference with the operation of other applications, or other impact to handset performance.
b. Establishing user confidence in applications
To give users confidence that the applications they install will add to the value of the handset rather than detract from it.
c. Reducing the prevalence of cracked software
To make it less likely that users will install “cracked” free versions of commercial applications written by third parties, thereby depriving these third parties of income.
d. Avoiding resource-intensive virus scanners
To avoid mobile phones ending up needing to run the same kind of resource-intensive virus scanners that are common (and widely unloved) on PCs.
e. Avoiding networks suffering from malware
To avoid situations where network operators suffer at the hands of malware or unrestricted add-on applications. Examples of network operators suffering from such software include:
- Having to allocate support personnel for users who encounter malware on their handsets
- The network being overwhelmed as a result of data-intensive applications
- Reprogrammed cellular data stacks behaving in ways that threaten the integrity of the wireless network and thereby invalidate the FCC (or similar) approval of the handset
- DRM copy protected material, provided or distributed by the network operator, being accessed or copied by third party software in ways that violate the terms of the DRM licence
- Revenue opportunities for network operators being lost due to alternative lower-cost third party applications being available.
f. Keeping networks open
To prevent network operators from imposing a blanket rule against all third party applications, which would in turn:
- Limit the innovation opportunities for third party developers
- Limit the appearance of genuinely useful third party applications.
g. Avoiding fragmentation of signing schemes
To avoid network operators from all implementing their own application certification and approval schemes, thereby significantly multiplying the effort required by third party developers to make their applications widely available; far better, therefore, for the Symbian world to agree on a single certification and approval mechanism, namely Symbian Signed.