NEWS FROM THE LAB - Friday, March 26, 2010

Symbian Certificate Revocation
Posted by Sean @ 11:03 GMT

Monday's post regarding the Merogo SMS worm noted its use of signed installation files and that the Symbian Foundation promptly revoked the publisher ID that was used.

So, the worm's files were signed but the certificate has been revoked. Problem solved, right?

Unfortunately, not quite yet. One more step is required. Typically, S60 phones aren't configured to check for certificate revocation by default.

This is very understandable. If hardware vendors shipped phones configured to make data connections by default, it could potentially cause very big customer service headaches for telephone operators. The hardware vendor cannot assume that the customer will buy a data plan, so the certificate check is turned off by default.

If you have an S60 phone, and have a data plan, we suggest adjusting your Application Manager settings.

The Flash animation below demonstrates:

[Flash animation: E72 Demo]

Setting "Software installation" to "Signed only" and "Online certificate check" to "On" is recommended.

Then, when the Symbian Foundation revokes a certificate used by a threat, your phone will learn of the revocation, and you'll be better protected.