Antony’s Mobile Blog

I am just wondering why we don’t have Recovery CD for mobile phone. Well, may be Recovery Memory Card would be more appropriate.

The reason why I brought up this issue is because I just had a problem with my Sony Ericsson P990i. Yesterday, I tried updating the firmware release of my phone using Sony Ericsson Update Service. Guess what… The update failed and now my phone cannot boot at all. It is completely dead.

Even worse, since Sony Ericsson P990i is not sold in Canada; nobody is able to help me. I tried to call Sony Ericsson Support (1-866-766-9374). They recommend me to call another toll-free number. Calling that number didn’t help either. The guy on the phone just said, “Sorry, we couldn’t repair that particular model”.

What should I do now? I am thinking to send the phone to Sony Ericsson Service Center somewhere in the world who can re-flash my phone. The cost may be quite expensive though.

I have a dream…. that someday phone manufacturers ship Recovery Memory Card so that we can recover our phones without going to the Service Center any more.

Note: For you who want to use Sony Ericsson Update Service, do not do anything while updating. If your computer crashes during updating, your phone will become unusable.

Some of you may now know that I used to a Windows developer (not mobile version, but desktop one). The software that I have developed is still sold on the Internet although the volume has dropped significantly because I don’t maintain it any more.

Recently, I received massive amounts of emails from my customers. They are all complaining that my application does not work any more on Windows XP Service Pack 2 after latest security update 925902 (MS07-017) and security update 928843 (MS07-008). Each time, my application is launched, Windows XP complaints:

The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\Windows\System32\Hhctrl.ocx occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.

It affects not only my application, but others too, for instance Realtek HD Audio Control Panel. A binary breaks has happened in Windows XP Service Pack 2. Who should fix the problem? Microsoft or developer? For this specific case, Microsoft released a fix to their latest patch.

If we look at mobile world, especially Symbian OS, we have seen so many binary breaks. Even after Symbian and other manufacturers have promised for binary compatibility starting from version 9, this does not happen in reality. There are still some breaks on many different phones.

So, if something breaks on Symbian OS or UI variants, S60 or UIQ, who should fix it? Symbian (phone manufacturers) or third party developers?

Bonus Links

• Binary Compatibility - Is It Really Important? - from Antony’s Mobile Blog.
• Time to start taking good care of S60 backward compatibility - from Tommi’s Application Blog (S60).
• Application Compatibility - from SymbianExample.com.

Trend Micro has just released a new version of their anti virus for S60 3rd Edition devices. As you may know, S60 3rd Edition is based on Symbian OS 9. One of the new features on this new operating system is Platform Security (PlatSec), which is supposed to protect our devices for malicious programs.

One aspect of these changes is the platform security enhancements. These represent an evolution of the existing perimeter security model of Symbian OS and help ensure the stability of the platform, providing even greater protection against malicious or badly-implemented programs.

If PlatSec is designed to protect us against malicious programs, do we need an anti virus application? Until today, I haven’t heard a virus that attacks Symbian OS 9 devices yet. If you check virus definition database from Trend Micro web site, there are some viruses for Symbian OS already, but all of them attack pre-Symbian OS 9 devices. There is a Java malware application, called J2ME_REDBROW.A that may attack Symbian OS 9 devices, but I am not really sure about that.

Can virus attack Symbian OS devices? I am not a security expert, but I will give my opinion based on my experience doing Symbian OS 9 development. Since the introduction of PlatSec, all applications that use sensitive features of the device need to be signed. For example, an application that is capable of reading contacts from the phone book must be signed. Furthermore, there are some features that need device manufacturer’s approval. For example, an application that tries to access protected folders on the device needs to get manufacturer’s approval. Protected folders here include executable folder and application’s private folder.

What does signing mean? We can look it from two different things here. Firstly, signing means that the developer of an application can be verified. Secondly, signing also guarantees that the application on the user’s side is the same as the one from the developer. It other words, nobody has ever modified the application, for example by adding malicious behavior. Who is doing signing? There are several root certificates installed on Symbian OS 9 devices that can be used to verify application’s signature. Normally, Symbian’s root certificates and device manufacturer’s certificates, like Nokia, are available on the device. It means an application can be signed by Symbian or manufacturer (see also SymbianSigned.com for more information signing).

If Platform Security requires signing, can a virus get into a device? A virus that does not use sensitive features of the device, which means do not need signing, may get into a device easily. For example, a virus that displays annoying messages. Unfortunately, a virus that makes a phone can get into a device easily too because it does not need signing. How about dangerous viruses? There are still possibilities for them to get into a device. Someone must find a way to 1) sign the virus; or 2) install a root certificate to the user’s device that can verify virus’ signature. Both of them are not trivial tasks.

There is another possibility for advanced users to get infected by trojan. They may sign trojan themselves using developer certificates. It sounds silly, but it may happen that someone install trojan that is signed by himself. Why? There are some developers that release distribute unsigned version of their applications. How do we sign them? We can sign them using developer certificates that are bound to our devices (see also these instructions on Mobile9).

Back to the original question, do we need anti virus on Symbian OS 9 devices? Personally, I am not too worried about virus because of the reasons that I have explained above. As long as we always install application from trusted sources, we should be fine. However, if you are a little paranoid or don’t really know how to differentiate between “trusted” and “unknown” sources, having an anti virus may be a good idea.

What I find more useful is actually anti-spam application, which is part of Trend Micro Mobile Security too. It protects us against spam that may come from SMS, for example. This may not be a critical issue either because network operators should be aware of this threat. They should have “something” that prevents their customers from receiving spams, but who knows…