Symbian signed malware – does signing matter?

From the ‘who can you trust‘ files:

The Symbian mobile OS is used by millions of phones globally and thanks to a (now corrected) oversight they could have potentially installed malware – with Symbian’s approval.
Symbian has a program called Symbian Signed – which digitally signs applications that meet the approval of Symbian. That system was thwarted and a piece of mobile malware known as Transmitter.C  (aka Sexy Space and Sexy View) was signed. Symbian admitted the signing on Thursday and also provided a fix which demonstrates the power of the signing process.

“As soon as we were notified of that (the following day) we revoked both
the content certificate and the publisher certificate used to sign the
malware,” Symbian security chief Craig Heath blogged. “That means that the Symbian software installer will not now
install the malware, providing that revocation checking is turned on.”

Ok so Symbian signed a bad piece of code – that’s bad – but the signing system does work as it should, doesn’t it?

You see with a digital signature or certificate there is always a signing authority. That authority not only signs the app but it is also where browsers (in this case the mobile phone) checks to ensure the authenticity of the signature or certificate. The signing authority can revoke a certificate/signature which is exactly what Symbian is doing in this case.

The system works (or does it?).

News Around the Web