print this page

• Symbian OS v9 introduces an enhanced security model that provides controlled access to sensitive APIs. Symbian Signed authorizes access to these APIs for released (finished) applications. Developer Certificates (DevCerts) enable access to the restricted APIs during the development/testing phase, making it possible to test applications that use sensitive capabilities on production phones.
• In order to reduce the risk of compromising the security model, DevCerts are time limited to six months, allow access to a limited set of capabilities and grant access only on a specified list of phones.
• DevCerts are obtained and managed through the Symbian Signed website>>
• There are four scenarios concerning granting access to capabilities – no grant required, the user grants them, the DevCert grants access to sensitive capabilities or phone manufacturer approval is required. Sony Ericsson is only involved in the last two scenarios which both follow similar processes:

Sensitive capabilities
To develop applications that require an ACS Publisher ID for a DevCert to be issued, covering both the 'basic' and 'extended' capability domains as defined by Symbian. Refer to the UIQ 3 SDK documentation for a complete breakdown or visit the Symbian Signed website for more information>>

Phone manufacturer approved capabilities
To be able to access any of the restricted Sony Ericsson controlled APIs, for stated business reasons, you need to go through a review process due to the sensitive nature of these capabilities.

• With a mass market of Symbian OS phones it is essential to ensure that users' phones are secured. Applications that have not been properly tested (intentional and unintentional) can cause significant cost for all parts of the industry. In order to further build trust among carriers and consumers, which in turn will help support a thriving market for applications, Symbian introduced platform security in Symbian OS v9.
• The introduction of DevCerts also allows phone manufacturers to give access to certain APIs that were previously inaccessible in a controlled and secure way.

• Capabilities are associated with getting access to particularly sensitive APIs.
• Around 60% of the APIs in Symbian OS v9 are not regarded as sensitive and have no capabilities associated with them. A developer can use these APIs and deploy the application to a device without getting the application Symbian Signed or using a developer certificate. However, in order to ensure that the application has not been tampered with, Sony Ericsson encourages all smartphone users to only download and install Symbian Signed applications. Information about how to avoid the restricted APIs can be found here>>
• If the developer requires access to capabilities, a DevCert is needed to deploy a test version of the application on a specific phone. More information>>

• These are capabilities that Sony Ericsson considers sensitive enough to require registration of the developers that are using them and for which reasons. Requiring an ACS Publisher ID during the granting process enables trusted ISVs to access these capabilities in a simple and secure way. These sensitive capabilities cover both the basic and extended capability domains as defined by Symbian.

• The seven capabilities are DRM, Network Control, MultimediaDD (device drivers), All Files, CommDD (access to low-level device drivers), Disk Admin and TCB (Trusted Computing Base).

• An overview of the process for applying for DevCerts is presented here>>
• As the DevCert process is hosted and managed by the Symbian Signed website, more information (including a step-by-step guide) can be found on that website>>

• Symbian Signed DevCerts are valid for six months and once expired, cannot be renewed. After the six months, a new one will have to be issued.

• To gain access to Phone manufacturer approved capabilities, a DevCert is required for development, followed by the Channel Certification Symbian Signed process for wider distribution. An overview of the process can be found here>>
• This level of DevCert is issued by the specific phone manufacturer that creates the target phone and therefore Sony Ericsson plays an active role in the DevCert and Channel Certification process. This allows testing of third-party applications that are closely aligned to Sony Ericsson Symbian OS v9 smartphones and which require more than just the basic Symbian Signed testing.

• Approving a Phone Manufacturer DevCert means that Sony Ericsson has carried out due diligence on the ISV in question to ensure that the ISV is reputable, trustworthy and has sufficient assets to meet the reasonable potential liabilities that could arise through misuse of the Phone Manufacturer Approved DevCert. The ISV must have sufficient skill and experience in developing applications for Symbian OS to ensure that it will develop high quality applications.
• In order for Sony Ericsson to issue the DevCert to the developer, the ISV must have signed a non-disclosure agreement (NDA) with Sony Ericsson, and in general have a commercial relationship with Sony Ericsson. The ISV must also be registered under Symbian Signed and accept the Terms and Conditions for Applications Developers.