How Did Symbian OK Mobile Phone Malware?

Netstat -vat by Sean Michael Kerner

A command line view of IT


From the “Who can you trust?” files:

The Symbian mobile OS is used by millions of phones globally and thanks to a (now corrected) oversight they could have potentially installed malware — with Symbian’s approval.

Symbian has a program called Symbian Signed — which digitally signs applications that meet the approval of Symbian. That system was thwarted and a piece of mobile malware known as Transmitter.C (aka Sexy Space and Sexy View) was signed. Symbian admitted the signing on Thursday and also provided a fix which demonstrates the power of the signing process.

“As soon as we were notified of that (the following day) we revoked both the content certificate and the publisher certificate used to sign the malware,” Symbian security chief Craig Heath blogged. “That means that the Symbian software installer will not now install the malware, providing that revocation checking is turned on.”

OK, so Symbian signed a bad piece of code — that’s bad — but the signing system does work as it should, doesn’t it?

You see, with a digital signature or certificate there is always a signing authority. That authority not only signs the app; it is also where the client (a browser on the desktop, the mobile phone’s software installer in this case) checks to ensure the authenticity of the signature or certificate. The signing authority can revoke a certificate or signature, which is exactly what Symbian is doing in this case. Note the catch in Heath’s own words: revocation only helps if the installer actually performs the revocation check.
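To make the mechanism concrete, here is an added example (my own code, not Symbian’s installer or the Symbian Signed tooling) that models the three parties from the paragraph above: a signing authority with a root key and a revocation list, a publisher whose certificate the authority issues, and an installer that verifies the publisher certificate, then the content signature, and then (optionally) consults the revocation list. The certificate format, serial numbers, Ed25519 keys and the “checkRevocation” switch are all assumptions chosen for illustration; only the publisher certificate is modelled, not Symbian’s separate content certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert is a minimal stand-in for a publisher certificate (assumed format):
// the authority signs the publisher's public key together with a serial
// number, so the certificate can later be named on a revocation list.
type Cert struct {
	Serial  string
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte // authority's signature over certBytes(...)
}

func certBytes(serial, subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(serial+"|"+subject+"|"), pub...)
}

// Package is a signed install image: payload, publisher certificate, and the
// publisher's signature over the payload digest (the "content signature").
type Package struct {
	Name       string
	Payload    []byte
	Publisher  Cert
	ContentSig []byte
}

// Authority models the signing authority: it owns the root key and maintains
// the revocation list that installers consult.
type Authority struct {
	rootPub  ed25519.PublicKey
	rootPriv ed25519.PrivateKey
	revoked  map[string]bool
}

func NewAuthority() *Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authority{rootPub: pub, rootPriv: priv, revoked: map[string]bool{}}
}

// IssuePublisherCert vouches for a publisher's public key.
func (a *Authority) IssuePublisherCert(serial, subject string, pub ed25519.PublicKey) Cert {
	return Cert{Serial: serial, Subject: subject, PubKey: pub,
		Sig: ed25519.Sign(a.rootPriv, certBytes(serial, subject, pub))}
}

// Revoke puts a certificate serial on the revocation list.
func (a *Authority) Revoke(serial string) { a.revoked[serial] = true }

// SignPackage is the publisher's step: sign the payload digest with its own key.
func SignPackage(name string, payload []byte, cert Cert, priv ed25519.PrivateKey) Package {
	digest := sha256.Sum256(payload)
	return Package{Name: name, Payload: payload, Publisher: cert,
		ContentSig: ed25519.Sign(priv, digest[:])}
}

// Install mirrors the installer's decision. checkRevocation is the setting
// Heath's quote refers to: with it off, a valid signature alone is enough.
func Install(a *Authority, pkg Package, checkRevocation bool) (bool, string) {
	p := pkg.Publisher
	if !ed25519.Verify(a.rootPub, certBytes(p.Serial, p.Subject, p.PubKey), p.Sig) {
		return false, "publisher certificate not signed by authority"
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(p.PubKey, digest[:], pkg.ContentSig) {
		return false, "content signature does not match payload"
	}
	if checkRevocation && a.revoked[p.Serial] {
		return false, "publisher certificate revoked"
	}
	return true, "ok"
}

// Scenario returns the installer's verdict (1) before revocation, (2) after
// revocation with checking on, (3) after revocation with checking off, and
// (4) for a tampered payload. All keys and the payload are constructed here.
func Scenario() (before, afterChecked, afterUnchecked, tampered bool) {
	auth := NewAuthority()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cert := auth.IssuePublisherCert("PUB-0001", "Example Publisher (constructed)", pub)
	pkg := SignPackage("example.sis", []byte("constructed payload for the demo"), cert, priv)
	before, _ = Install(auth, pkg, true)
	auth.Revoke(cert.Serial) // the authority's response once it learns of abuse
	afterChecked, _ = Install(auth, pkg, true)
	afterUnchecked, _ = Install(auth, pkg, false)
	bad := pkg
	bad.Payload = append([]byte{}, pkg.Payload...)
	bad.Payload[0] ^= 1 // one flipped bit breaks the content signature
	tampered, _ = Install(auth, bad, false)
	return
}

func main() {
	b, ac, au, t := Scenario()
	fmt.Printf("before revocation: %v\nafter, checking on: %v\nafter, checking off: %v\ntampered: %v\n", b, ac, au, t)
}
```

The third verdict is the point of the post: after the authority revokes the certificate, a phone that skips the revocation check still accepts the package, because the signatures themselves remain mathematically valid. Revocation is only as effective as the client’s willingness to ask about it.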

Next page: The system works. (Or does it?)
