Orange's response to bugs + digital signatures - Your say!

[Guest chewie]

Well that was a bit vague, the first part about the updates is good news, but then again how many of the bugs are they going to fix?

I still think the second part sounds ominous, i dont think that orange are gonna get rid of this stupid certificate thing, maybe they could have a section where "bedroom" developers can submit there software which is then torn apart and checked for bugs!

[Guest Paul [MVP]]

I agree.

It seems unlikely that Orange are going to change their mind, but the problem is - if I want to play around with the SDK, I can't test my apps on the device!

No amount of streamlining of the certification process is going to fix that.

The key points I personally would like to raise in the reply are:

- Will I be able to install a certificate on my device, so I can deploy to my device for development and testing using the SP2002 SDK? (Bedroom development :D)

- For an update to be released before the end of the year, it must surely already be in testing. What does it cover? Would it be useful for real life forum members to assist in testing? (Me suspects fix will slip!)

- Is the HP Jornada 928 on Orange going to be locked down with the same digi-signature issues? (If so, expect mass uproar on an even larger scale from the 928 buyers!) If not, why not? Double standards?

Thoughts and suggestions welcome....

P

[Guest DJHope]

Good news on the updates sounds like a substansive answer :D On certification what id like to know is :

"Will your certification process be cheep enough for the adverage FREEWARE developer to take advantage of, remeber you guys were banging on about doom, all modifications for the doom code have been made by FREEWARE developers?"

AND

"Why dont you get microsoft to look into a certification process which allows any application to be run as long as Radio is turned to off before the application is run, this would allow ANYONE to develop non-radio appplications and test, then you could certify these if they are proven to be safe? This surely could in NO WAY affect your network as radio is turned off, if your concern is the phone surely we should be able to take on that responsiblity?"

DJ Hope

[Guest Third_of_Five]

Humm... whilst the updates is good news (especially one before the end of the year, which makes you wonder how long they have had that in the pipeline, from before the SPV launch I suspect), the certification issue is not looking good.

No home brew apps certainly.

Small business and corporations won't be able to deploy custom apps to their employee's devices or develop bespoke applications for the device and so probably wont choose this platform.

[Guest wirefree90]

Presumably Orange have their own root certs on the handset and would be able to sign applications for corporate customers.

[Guest xanadu]

From an SPV users point of view, I am all in favour of Orange requiring a Licence for all applications.

I don't want see any more bugs or viruses in my phone from any source, and this is just a way of Orange protecting their own customers.

If Orange reduced the cost of the Licence to say £100 for admin purposes, I think that most developers could afford this.

I realise it may be inconvenient for developers to wait for Orange to have to test every piece of software that is released, but surely it is a small price to pay to have your software running on thousands of phones across the world, and giving customers piece of mind.

[Guest Third_of_Five]

I don't want see any more bugs or viruses in my phone from any source, and this is just a way of Orange protecting their own customers.

So don't install unsigned software then. But many of us want the option.

[Guest srcshelton]

We are working on one update to be sent before the end of the Year, and a further update to be sent before the end of Q2 2003.

Well, I reckon my SPV's going back then.

If they're already planning a 2nd update, then it sorta indicates that there's still going to be major problems left unfixed after the 1st.

And Q2 2003 - The P800 will definitely be out by then (apparently - release date September 2002, dontyaknow :D). I'm also assuming a Nokia-style release schedule, where if they say a phone will be released "towards the end of 2002" then you can bet that it'll be released on New Year's Eve at five to midnight... :(

Nope - the sheer cuteness of the SPV makes me want to keep it, but if I have to wait until the middle of next year for it to work then I reckon it's going back before my 14 days are up.

If the 1st update fixes most problems, I may consider buying another one - but if things stay as they are then it's only got 5 days left...

[Guest Dave Abrey]

Let's hope that the updates aren't so big that we break the 10MB/month limit on the 6£ GPRS package :D. Maybe they could make it available as a download on their website, with an appropriate installer?

Dave.

[Guest Third_of_Five]

Presumably Orange have their own root certs on the handset and would be able to sign applications for corporate customers.

But at a cost probably, one prohibitive to the smaller company.

Also, can you imagine having to get it re-signed each time you do an update?

What a nightmare for both Orange and the developer.

[Guest PolarBear]

Presumably Orange have their own root certs on the handset and would be able to sign applications for corporate customers.

Don't think this is what they want to do. MS presentations I have seen suggest that ANYTHING on the phone can be pushed by the carrier, including code signing certificates. If Orange have acorporate with a suite of in-house apps that want to tweak every couple of months it is just a pain for Orange. More likely they will have a service to push the cert of your choice to your phone(s). That way they get $$ for minimum effort. It also means that users can request to have a cert pushed to their phone for a publisher (you'd pay a pound or two for that, right ?) - one cert could be used for many freeware apps, developers can have their own private cert.

Also remember if Orange can push certs, they can revoke them too. Suppose there's a buggy bit of freeware out there - far better to revoke a cert that affects a few programs, than to have to pull every bit of Orange's own software and re-issue it with a new signature.

[Guest PolarBear]

Well, I reckon my SPV's going back then.

If they're already planning a 2nd update, then it sorta indicates that there's still going to be major problems left unfixed after the 1st.

Not really its a bit like the End User Updates for Pocket PC, or Microsoft's other service packs. They come out on a particular date and every 6 months is about typical. Most of the bugs get seen and fixed pretty early, so the first update is usually the biggest one - this early is too soon for my liking. MS don't make the code available for PC, you have to go to HP/compaq etc. I'm guessing that for SPV, ms-code goes to HTC, who do a new build with their drivers (e.g. they write the radio stack), which goes to Orange for them to do their stuff, which goes back to HTC for new phones. Orange work out the differences from whats on phones out there and send them out.

[Guest DJHope]

Let's hope that the updates aren't so big that we break the 10MB/month limit on the 6£ GPRS package . Maybe they could make it available as a download on their website, with an appropriate installer?  

Dave

You can use your computers internet connection to receieve updates through the cradle using pass through so whats the problem?

[Guest DJHope]

Arg, how annoying, posted twice!

[Guest BenS1]

Will Orange update be free if done from your phone?

What I'm interested in is can I develop and test stuff for my own use on my own SPV without having to pay anyone a penny?

In my opinion there are three types of potential development for the SPV:

1) Commercial applications to be sold to SPV owners,

2) Freeware development by the 'community' to create apps that all SPV owners can use for free,

3) Personal development. Bedroom developers developing applications for their own personal use, not to be shared with other SPV users.

Orange appear to be only catering for 1, commercial development! Type 2 has the risk of unchecked software being run on many handsets, thereby causing a potential security problem, but equally this is the type that is likely to develop a large software base and an feeling of a 'community' which will no doubt boost sales significantly.

Bedroom development could be done by Orange giving each bedroom developer their own cert and the ability to sign their own apps to run under this cert... as each developer will have a different cert they will only be able to run their own applications. This way there is no security risk.

Going back to type 2, Freeware development... this could be done simply by Orange signing apps for free and ensuring that they have proof of ID, so if any signed app did turn out to be malicious then they would know exactly who is responsible.

Thanks

Ben

[Guest Dave Abrey]

You can use your computers internet connection to receieve updates through the cradle using pass through so whats the problem?

The problem is that I didn't know that you could do that :D. But Orange still need to make it available on their web site, not just through Orange Update :wink:. Now, off to see how to update via pass through...

Regards,

Dave.

[Guest Rob_Quads]

If Orange reduced the cost of the Licence to say £100 for admin purposes, I think that most developers could afford this.

Lets say I am an enthusiastic developer and develop 10 apps in the year - that would mean I would need to shell out £1000 just to get them onto my own SPV.

Many people develop apps for them selves and not to sell on - and if they do distribute it it often goes out as freeware - you only have to do a search on downloads.com to see how many people devlope code for free.

I understand that if people ae going to make money out of selling the app then they should have to pay for the license but if it is going out as freeware then i think it should be signed for free or just be allowed to use it without signing

[Guest srcshelton]

its a bit like the End User Updates for Pocket PC, or Microsoft's other service packs. They come out on a particular date and every 6 months is about typical. Most of the bugs get seen and fixed pretty early, so the first update is usually the biggest one

That's prehaps my biggest disappointment with the SPV - I own a Casio E11 (Windows CE 2.0) and a Casio E125 (PocketPC 2000): These have both been solid and reliable devices. I was basing my expectations of the SPV on my experience with these ... and the SPV is a truly lovely device, which I'm loath to give up. However, I think that (especially in view of the number of bugs already found) the wait until the planned service pack is the proverbial straw that broke the camel's back.

I understand about Microsoft's/HTC's usual update roadmap, but I don't think that a standard roadmap can be adopted for a device with so many current shortcomings. I don't know about Windows CE 1.0, but I do know that CE2, 2.11, 3.0/2000 and 3.0/2002 had nowhere near so many obvious issues.

Were it not for the P800 coming soon, I'd probably persevere. However, I can't help feeling that there is a strong chance that when the P800 does eventually arrive (presumably with working usable SMS, always on GPRS, bluetooth, and no Orange certification required) I'd be feeling short-changed.

So I reckon I'll return the SPV now, wait for the P800, and at that point see how the SPV is faring. If the P800 is full of bugs and the SPV is fixed, I may buy another SPV, otherwise I may buy the P800. Who knows?

When fixed, the SPV could be the greatest mobile phone in the world - but by then will the world have moved on?

[Guest xanadu]

I have a Compaq Ipaq which I use everyday.

The battery will ony last 2.5 hours maximum.

The software I have paid for and run on it is full of bugs.

It uses Pocket PC 2002, which is also full of bugs.

I haven't yet had time to update it to the latest Service Pack.

It has a fault with the stylus not locking in place.

When I get around to it I will phone up Compaq for a replacement.

The fact is I need my Ipaq.

I don't care that it has all these problems, as I am too busy to worry about it.

It does everything I want of it, and I am prepared to put up with it.

The Ipaq cost me £400-00 pounds. The software cost another £200-00 pounds.

Now that's £600-00 pounds.

How much did you say your Orange SPV cost you ??

FREE / £50-00 ???

And you are complaining that that it locks up once or battery life is only 2 days !!!

Just think a moment....do you want an SPV or a baby's rattle ?

[Guest Rob.P]

:D Updates great, just means my phone could get better. Does all I need at the moment, the fact that I wasn't bored once on the train yesterday is good enough for me.

[Guest damianlewis]

Hi,

Great site Paul!

Aren't we missing something here?

The reason for Orange using their own certificate is to "prevent malicious use on the network". This is seen as a problem by Orange because anonymous people could launch attacks without any chance of easily stopping or locating them.

So it is really an issue of identity - afterall, that is what certificates do, they identify you as trustworthy.

For developers the problem is that you cannot create homebrew apps without going through a potentially expensive exercise.

So the solution is for Orange to put in place an identity verification process, such as the banks use. This would be available at £0 cost.

Then, we as developers would get our signed apps, and Orange get the peace of mind of knowing that any malicious use of a signed app can be chased down and pinned onto an individual for prosecution.

The sort of process I envisage is that I could self-register on the Orange site as a trusted Developer. Then, a letter would be sent to my home address with an activation number (unique to the details I supplied). I would enter the number into the site and then provide a valid credit card under my name which would be debited the amount of £0.00. At that point, I have passed two identity checks and my developer account is activated and my certificate is issued automatically.

This would then allow me to develop apps to my hearts content, and Orange know who I am and where I live - so if I get stupid and circulate my certificate or write a crack, I get busted.

Comments please...

Damian Lewis

Manchester

P.S. my company will happily implement the developer portal for Orange, at a fee of course :D

[Guest damianlewis]

P.S.

Of course, if Orange don't want to do that sort of identity test, it kinda tells us a lot more about what their true business model is - shortsightedly making money from the developers through arbitrary fees.

If that is the case, Nokia here I come...

[Guest DJHope]

Arnt you suposed to go through quite a hefty credit check when you join orange's mobile network? It escapes me that they cant give free certification when you join orange, surely they can track down their customers in order to stop people trading phones illegaly!

Also maybe even they could charge £3 a month (or what ever) for a certificate. If it is found that you are using your certificate to create malicious code then surely they could find a way to deactivate the certificate, a small update SMS could be sent to all the phones. Not only that but if orange have their details (which they would as they would be paying a contract) they could have them arrested!

Why didnt they think of things like this? I bet this forum alone could come up with hundreds of solutions, most would not be viable but surely we could come up with one viable soultion, their are alot of qualified business people on here, i think orange should use the forum more its an untapped resource!

[Guest elementalist]

I am no expert and I'm certainly not trying to defend the certification choice made by Orange - it seems over-the-top, BUT, isn't it true that there is already significant malicous use of phones even though users are supposedly credit checked, etc., etc.? Cloning/tampering/etc. occuring with SIMs and the like?

The worst that can happen then is that someone gets some free phone calls, though. Am I wrong that the potential for harmful tampering is much greater and easier with the capibilities of the SPV?

If people can fraudulently get free SIMs and phonecalls and whatever when you are supposed to have given Orange your ID then wouldn't even greater complications and problems arise on the SPV?

I'm with the make-it-easy-but-disable-the-radio faction myself. A hacked phone can't be too much of a problem if it is restricted to letting you play Doom rather than letting you SMS everyone in the UK for free...

Gad, I waffle...

[Guest DJHope]

Yeh ive been banging on about that one 2, totally agree, why not make it so unsigned apps automatically switch the radio off, theirs no way in a million it can interfere with the network then!