Who would donate money towards app signing[UPDATED 27/03/03]

[Guest MBoden]

If the certificates is Oranges way of stopping freeware, wont this way be the best way to show them that the certificates is a joke ?

[Guest Monolithix [MVP]]

It's not. Its to make the general, non-technical, public feel safer in the knowledge that all the viruses they hear about/get on their home PC's aren't going to be running rife over their mobiles as well.

[Guest]

At the end of the day, Orange have instigated a certification policy meaning that all software developed and to be used on the SPV will have to be certified by them.

Those are the rules they've laid down - they won't remove certification, so it's up to us to find the best way to work with what we've got.

My two cents.

[Guest cseilern]

Hi Monolithix,

no worries, no flame taken ;) ! I guess we all want the same thing anyway - a thriving forum for app development. What you (-and this thread) are proposing would better address the needs of the spv community right now (i.e. the ability to develop apps on the spv without having to hack it), and at the end of the day It will benefit me as a user, so who am i to whinge!

However, I still want Orange to drop app signing, because I am sure another mobile operator in the uk will come out with a MS Smartphone with NO app signing - developers and users will have a great platform, but spv users will either have to suffer no apps or switch! hope this does not happen...

[Guest DJHope]

Since the chat that went on through the quake post ill say it again, i want to give suport to the SPV Freeware community any way i can. Id like to prove to orange that a freeware community exsists and can operate without their support, also its nice to see that people WANT this.

DJ Hope

[Guest Monolithix [MVP]]

I think until another operator releases certificate free SmartPhones, Orange is unlikely to change their stance on the matter at present. They hold market domination and are creating large amounts of revenue from it, "if it aint broke don't fix it".

We just need to wait for another service provider to "break" it ;)

Having said that, didn't T-Mobile say they were planning of putting certificate locks on their first SmartPhones?

[Guest Matt Whitfield]

I've just voted for £10, but might be prepared to give more if it seemed worth it or necessary.

I agree with all the comments about the need for organisation and management of the process and using a limited company, but hopefully that wouldn't be too challenging - this is effectively a pseudo-open source/community project with money involved only because Orange has forced the issue.

It's a shame that Orange have gone down the certification route as I think they are stifling the SPV as a development platform (and MS really needs the SPV to be a success in order to get a foothold in the mobile world...). You can run anything on the Nokia 7650 but people are still making revenue from Java game downloads for that phone - the 7650 has the best of both worlds.

If you think about it though, MS has always tried this certification thing to make up for the lack of security in their platforms - remember certified ActiveX controls? At least Java has a sandbox and therefore provides a decent level of security whilst allowing people to develop whatever they want.

However, if all the radio interface stuff really is inaccessible on the SPV I think Orange/MS needs to take a look at this again properly in that perhaps there really isn't any serious security risk at all. In the security world you look at attack trees (all the attack scenarios you can think of) then you rate each with an effort required to perform the attack and the likelihood of the attack. From there you decide what you actually need to defend yourself from/lockdown. If MS/Orange hasn't done this already they should do. If the SPV isn't really all that exploitable, maybe they should make a statement to the press to that effect rather than make another blunder and permanently enforce certification. They should also consider the very valid point from member of this forum that lots of PDAs that let you write whatever you want also have access to GPRS networks, so perhaps they network operators should be more concerned about that instead...

[Guest Deemon]

Id put some in depending on the project...Id also volunteer to help out with whatever applications would be developed...Im a Graphic Artist with EA so I have some experience in the games industry ! although it would have to be done unoficially of course :-)

[Guest yatpeak]

If Orange charges $600 to certify a program, how come it's possible to certify them for so much less?

[Guest spacemonkey]

Orange certification provides 2 things... Orange presumably testing the app, and access to privileged functions if Orange signs the apps. You would also I presume have access to Orange branding, as in "This app is designed for the Orange SPV".

Baltimore signing only gives you access to the unprivileged functions of the phone.. so no radio. All they are doing is tracking who you are, they don't test the app themselves at all. I would think if you baltimore signed the app you'd need to be careful about any direct references to Orange that you put in your advertising.

[Guest DJHope]

Yeh and aprently according to batimore the app can be "switched off" by means of an update sms/orange update entry. They simply tell the smartphone that a signature on one of your programs is no longer trusted theirby stopping it from running.

DJ Hope

[Guest Monolithix [MVP]]

Heh, so if Orange do get arsey about our little ploy they could put a stop to it whenever they feel fit.

[Guest DJHope]

i think that it would be baltimore who would investigate since you brought the certification from them, surely since you made no transaction with orange they have no right revocate your signature.

DJ Hope

[Guest Will]

can't fing the baltimore t+c's. could someone post a link.

My personal take on all this is GREAT, but needs a management/board structure, so the apps can be voted into the scheme.

$0.02

Depending on the t+c's could we not bundle several apps together to produce a suite, (like ia album and the camera). so that 1 'app' had several functions?

ie a gaming suite, with tetris, doom, etc on it.

an office suite, with a notepad, word viewer,etc

Will

[Guest lutzh]

i would give more than 10 if i could also vote on wich apps would be certificated first...

cheers, lutz

[Guest Monolithix [MVP]]

http://malvern.hamlesh.com/~chris/geotrusttc.txt

Is the GeoTrust conditions of application. GeoTrust are the company _actually_ issuing the certificates, under Baltimores authority.

Not had chance to read it yet though :/

[Guest rocknsock2k]

Are we planning on that any one who donates to this scheme will have access to all programs certified under it, or only to a limited number depending on how much they have donated? I would be willing to donate a fair bit to this is it was for unlimitted acess and a say in what was happening.

[Guest spacemonkey]

The idea is that all apps in this program would be freeware. As in while they are unsigned they would be available to EVERYONE but only people with unlocked phones could run them.

Once signed they would be available to EVERYONE and at that point would run on any Smartphone 2002 device.

[Guest Monolithix [MVP]]

Yes thank you, I think a freeware definition was in order there.

Either way most people seem to want to donate a tenner, making it fairly equal in general. Then the rest of the SPV community would have access to the 75 freeware app's that would ultimately result from it.

[Guest spikex]

I think Orange should keep the app-signing but at the same time allow un-signed apps to work. Users can be given warnings (like in XP when a driver is found to be un-signed by Microsoft) that a app hasn't been signed and certified by Orange so they can't be blamed for any damage done to the phone.

Does that sound fair?

[Guest Bazz]

How would they enforce that? If your phone breaks who ya gonna call? Orange. Who ya gonna demand a replacement off? Orange. Orange aren't going to find out that you installed another app until they get the phone back from you by which time you've got a new one. Who ya gonna complain to in the unlikely event an app started making calls and charging you? Orange.

I don't agree with it, but I see why they're doing it. They're panicky in case something MIGHT happen...

[Guest DJHope]

Right i rekon if you donate you should be entitled to test the apps and have a vote on what apps get signed, sound fair?

Barry: the point is they dont give us the choice, maybe if they gave a disclamer which said screw your phone up loose your warantee and we wont help you.

Besides if your doing this all properly YOU SHOULD BACK YOUR BLEEDIN FONE UP, besides barry what cant be fixed through a good ol hard rest anyways? cept deletin the boot sector but app signing wont have an effect on that.

Also the chances of a piece of software getting to the network layer are like zero, thats why phreakers disappeared its VERY secure these days, am i wrong?

DJ Hope

[Guest spikex]

I'm still sticking with what I said before. Warn the user if the app is un-signed and un-certified by Orange, but if the user does break the phone then it's their own fault. A software reset can be done (but just like with a P.C when you fiddle around with it, you should backup important data!) if the worse comes to worse.

You can't blame Orange for their point of view on their side of things. Microsoft are trying to build up their reputation of being trustworthy and reliable in the security sense. Orange are just trying to protect their precious network that they've spent so much money on. Theirs probably other reasons for it as well. No doubt we will see a spur of viruses, etc, etc floating around in future. Just give it time unless Orange really do something about this security hole.

[Guest Zorglub]

Actually this is what the P800 does. When you install an app it tells you if it is signed or not. If it isnt you get a warning saying that installing unsigned apps yadda yadda...

Not wanting to be a troll on an SPV forum but I just got my P800 last week and it is absolutely amazing. Specially after reading about all the SPV problems on this forum. Mind you I dont have an SPV so I cant compare. I'll be checking it out when they sell it in NL, meanwhile I'll just have to keep reading the stories from here.

[Guest Bazz]

Barry: the point is they dont give us the choice, maybe if they gave a disclamer which said screw your phone up loose your warantee and we wont help you.

My point was that if you agreed to the disclaimer and screwed the phone, you're still gonna try your luck with Orange. Admit it, if a hardreset doesn't work are you gonna accept that or try and get a new phone off Orange? Besides who really reads the T&Cs when installing software?

Orange have no way of knowing if your phone is actually faulty or whether you screwed it by installing an app. So they are gonna have to try and help either with support or replacing your handset. And God knows they have a hard enough time supporting the phone at the minute!