[ISN] REVIEW: "Symbian OS Platform Security", Craig Heath

From: InfoSec News (alerts@private)
Date: Tue Sep 12 2006 - 22:47:07 PDT


Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@private>

BKSYOSPS.RVW   20060615

"Symbian OS Platform Security", Craig Heath, 2006, 0-470-01882-8,
U$70.00/C$90.99
%A   Craig Heath
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-470-01882-8
%I   John Wiley & Sons, Inc.
%O   U$70.00/C$90.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0470018828/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0470018828/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0470018828/robsladesin03-20
%O   Audience a Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   249 p.
%T   "Symbian OS Platform Security"

Part one is an introduction to the Symbian mobile (cellular) phone 
operating system, and particularly its security provisions.  Chapter one 
examines the reasons for the emphasis on security in a mobile phone: the 
users' perception of it as a more personal (and therefore more trusted) 
device and the acceptability of remote network installations and 
administration.  Therefore, the developers of Symbian were faced with 
the challenge of creating an "open" development platform, while 
implementing security constraints. "Platform Security Concepts," in 
chapter two, presents an interesting basic catalogue, but concentrates 
on capability lists.  (In this, the term may not be used in a standard 
manner: the capabilities appear to be preset, rather than being taken 
from the calling capability.)

Part two looks at application development for platform security. Chapter 
three describes the basic functions of the Symbian security environment.  
A decent, basic list of suggestions for writing secure applications is 
in chapter four, but there are few details.  How to write secure servers 
(common processes), in chapter five, provides only generic advice, and 
has oddly little information that is distinctive to Symbian.  Chapter 
six, on the development of plug-ins, is more code and architecture 
specific.  The safe sharing of data, in chapter seven, is addressed with 
a useful list of threats and countermeasures, and an outline of various 
security related components and provisions.

Part three deals with the management of platform security attributes. 
Chapter eight examines the native software installer, concentrating on 
encryption key certificates.  How developers obtain and use these 
certificates is reviewed in chapter nine.  Some of the public key 
infrastructure behind the system can be inferred from the description 
(by those familiar with the concepts) but little detail is provided.

Part four, on the future of mobile device security, consists of chapter 
fourteen, which mentions a variety of potential functions for mobile 
phones.

For those wanting an introduction to the security provisions of the 
Symbian operating system, this work provides a useful starting guide. 
Developers, however, may need a bit more.  For example, the statement is 
made that the platform is "less prone" to buffer overflows, but there is 
no discussion of why this is so, how it is achieved, or to what extent a 
developer can rely upon the operating system to protect against the 
problem of buffer overflows (or other types of malformed data).  Given 
that most Symbian security is based on capability tables and 
certificates (and particularly with a somewhat non-standard definition 
of capabilities) these concepts, and their limits, should probably be 
explained more fully.

copyright Robert M. Slade, 2006 BKSYOSPS.RVW 20060615


======================  (quote inserted randomly by Pegasus Mailer)
rslade@private     slade@private     rslade@private
If God had wanted us to vote, he would have given us candidates.
                                                          - Jay Leno
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm


_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Tue Sep 12 2006 - 22:55:54 PDT