Symbian security is very useful for users. Currently there is no virus that I know of that can run on the new Symbian 9.0 because of the new security framework. From the developer point of view, this security framework is sometimes frustrating. The developer needs to sign his application, and then he have to specify what capabilities are needed for the application. We can categorize the Symbian security capabilities to 4 sets. The first one is the default one, which doesn’t need any user intervention, the second is User Grantable capabilities which can be granted by the user (the installer will ask the user that the program needs some capabilities), the third one is the one that the developer must ask from Symbian, and the last one is the one that the developer must ask from the device manufacturer.

The problem starts to appear when you need additional capabilities other than the default and User Grantable. For example we will need NetworkControl capability to create a ping application. Here is how you would do it according to the old process:

1. You will need to get a certificate from Symbian, then you can test it only on one device.
2. To be able to distribute it, you must submit your application to be tested by Symbian (this process is not free). The last process will take several weeks.

The old process have some loophole that is being used by crackers. For applications for which they can not generate the serial number, they patch the application, and the user that wish to use the cracked application will need to get a certificate from Symbian, and sign the cracked application so that it will work on his phone. Now they revised the process:

1. You will need to compile your application, and upload to Symbian for signing. You can only sign an application that is yours (the UID of the application must match to one of the UID that you have requested from Symbian). This will prevent a user from signing 3rd party application (which presumably a cracked application).
2. To distribute your application, you will still need to pay. As an improvement, they have provided express signing, where you can quickly sign your application without testing it. They will pickup some application for random testing.

As you can see, the development process becomes more difficult because now we must sign our application online. People keep telling others that only a small set of capabilities are restricted, but that is not entirely true, it depends on what kind of application you are developing. For example, this kind of simple applications needs more than User Grantable capabilities: VoIP applications, screen capture that can be activated by shortcut, network ping tool.

Recently, a flaw has been found in the debugging mechanism used by Symbian (AppTRK). The debug server on the Symbian side is an all-powerful application that has all the capabilities in the world, and can be controlled to do anything from the PC side when debugging. As you can guess, this can bypass all the security measures in Symbian. I tried the method, and it works very nicely. This process makes it very easy for me to test any kind of functions, including those that requires special capabilities.

I am quite sure that this hole will be plugged in the next firmware release, and it will be a shame, because this bug can actually helps developer, without risking simple end user. This hack is not so simple, so I think anyone that can do this hack is not a simple user, and can be responsible for the harm that it might done his phone. I really hope that Symbian will provide a nice, legal, documented ways for a developer to really "own" his phone to be able to develop anything, and still uses the current security method for end users.