Today, the 18th May 2009, it is 5 years since the launch of the original Symbian Signed web site and services. One of my colleagues baked this cake for the occasion, a work of art!
Cutting the cake...
Invisible Man cutting cake...
I thought this an appropriate day to look back at what has happened to Symbian Signed over the years and how it has evolved.
During 2003 Symbian OS version 9 was under development and introducing what is now known as “Platform Security” to Symbian OS. This was a major change to the operating system introducing the concept of a capability model and mandatory signing for third party applications. (See this document for more information about Platform Security and Symbian Signed)
It became clear that there needed to be a way of granting these capabilities whilst providing a level of traceability between the software and the person who wrote the application. This means the user installing the application knows where it came from.
Symbian Signed was born replacing other signing processes that existed and providing a single signing path for all Symbian applications.
During the first year of Symbian Signed in 2004 only “pre-v9” phones existed in the market and the signing was simply to remove a warning that existed when installing applications. During this year there were 877 sis files signed and signing was a nice to have, quality focused, process.
In 2006 signing for “v9” Symbian devices became mandatory with Epocware HandyWeather the first “v9” application to be signed in 2006. During the first year of “Platform Security” 9697 sis files were signed.
It became clear that mandatory independent testing was increasing time to market for developers and in December 2007 Express Signed was introduced. This provided a way for developers to get signed without having to go through an independent Test House. This had a great effect on the number of applications being signed with the number of files being signed growing from 800 in November 2007 to 1200 per month in the space of 4 months.
In 2008 over 16000 sis files were signed through Symbian Signed equating to 43 sis files being signed every day.
One of the main objectives of Symbian Signed was to replace existing signing programmes and provide a single route to market for developers.
This objective is as relevant today as it was 5 years ago, one signing route allowing distribution into many places and many devices. That was the goal 5 years ago and continues to be the goal now.
So how do we evolve Symbian Signed in order to make sure that the above goal is met but at the same time provide the simplest route to market for developers?
Well, we are working on various initiatives during 2009 that will retain the level of trust for users but also make the signing process as straightforward as possible.
Lower cost Publisher IDs available to anyone
Lower cost signing and lower barrier to signing
A revamp and rethink of the Symbian Signed Test Criteria
I have had lots of interesting discussions about Symbian Signed so please get involved and comment on where you want to see these initiatives going.
The team will keep everyone updated on the progress of these initiatives as well as talking to the community about the finer details, so stay tuned…
Happy Birthday Symbian Signed!!! Nice cake!
Whilst you celebrate Symbian Signed, most developers that I’ve talked to curse it on a daily basis. Users curse it as well, because Symbian Signed is the reason that we now have unsigned applications floating around, which has caused confusion and frustration for many, many Symbian users. Developers are upset because of the costs involved with Symbian signing, as well as the time spent while applications are being signed.
Given that it’s the birthday, I’m anxious to hear how Symbian Foundation plans to change Symbian Signed away from being a curse for developers, specifically independent ones.
As a consumer, I have simply resorted to using foreign (usually Chinese or Russian) sites to generate a certificate and key for my specific IMEI, and then using tools to individually sign each application for each of my phones. Others have taken to ‘hacking’ their phones in order to completely remove the Platform Security, so that they’re able to install *any* application, signed or unsigned.
I understand the benefits of the *idea* of Symbian Signed, but can easily understand the frustration that is felt around how the idea has been implemented and executed over the years. What is Symbian Foundation doing to fix Symbian Signed?
It may be occasion for you to celebrate but not for me on ther other side of the table (developer).
>>providing a level of traceability between the software and the person who wrote the application.
The statement must be providing a level of traceability between the software and **company** who wrote the application.
If you could understand the different between 2 statements above you would have simplified the procedure on first birthday. Publisher ID can not be obtained without setting up a company i.e. having so many legal obligations and paying thousands of dollars to accountants for fulfilling all legal requirement of a company. Hope SF will learn someday from other platforms.
>>This objective is as relevant today as it was 5 years ago<>make the signing process as straightforward as possible.
>>Lower cost Publisher IDs available to anyone
Its not only $200 one has to pay for publisher ID, its thousands of $ paid unnecessarily to accountants to fulfil requirement of corporates. Individual has no place in Symbian
>>Lower cost signing and lower barrier to signing
Express signed must be free of cost as there is no manual work invloved. Agreed that manual testing could be paid. If you argue about server capacity to handle traffic it would be a joke for such a big organization to handle application siging traffic
>>A revamp and rethink of the Symbian Signed Test Criteria
I hope this revamp will also take community concerns. Signing must meet objective not hinder the progress. Community is the best place to discuss what objective individual test have and if that object can be met with simplified test. Infect I would argue current objectives itself. For example consider an objective that that application must not drain battery excessively, I do not see any test meeting that objective. There could be many more example that community may come up with.
The intention of the statement
Lower cost Publisher IDs available to anyone
does mean what it says. We are proposing that any individual should be able to get a Publisher ID with no company required.
Apple’s apparently facing the similar challenges as what the signing process was built for: http://gizmodo.com/5256821/rumor-apple-considering-iphone-background-apps.
This dilemma is about maintaining the device integrity and predictable behaviour whist offering powerful options for application development.
Aspects of security generate excess burden both for device manufacturers and 3rd party developers. We need to take that burden as it boils down to securing the long term business sustainability. Device security simply cannot be compromised or otherwise we can forget about compelling future megatrends such as mobile payments and access right control.
Devices already serve as trusted storages for personal content and they are also subject of critical stability requirements. These factors alone require serious efforts for maintaining an image of secure companion.
The impression of security is hard to develop – but can be lost overnight. Understanding both the immediate burden related signing process and the abovementioned long term objectives – we should be able to review current practises and come up with feasible compromise. Which shall not be a compromise to the security of the devices
Happy Birthday Symbian Signed! and keep on improving the service.
Hi Rodburns,
>>Lower cost Publisher IDs available to anyone
does mean what it says. We are proposing that any individual should be able to get a Publisher ID with no company required.
Finally there is a light at the end of the tunnel. Excellent.. thanks.
/me sings Unhappy Birthday by the Smiths.
happy birthday symbian sign
I remember drafting the press release 5 years ago – it’s come a long way and has had as much indutry company support as developer grumbles. Happy Birthday! yummy cake Dan.
why are we celebrating this abomination?
I look forward to 5 more years of Symbian whined.
blah symbian signed should be gone. But then that’s why I hacked my phone which actually i like it better that way, I get to change all sorts of things on s60 v3rd and now it seems more “open”.
@Lu – How exactly was Symbian Signed affecting you and what have you solved by ‘hacking’ the phone?
@’The Guru’ – Symbian Signed has indeed a negative impact on some hobbyists but they have always the freedom of chosing another sw. platform. As for you as a consumer to get involved in signing applications that is IMHO plain stupid. What’s next, are you going to write some code yourself? Why didn’t you simply demand that the application presented to you to be properly signed by its developer?