Fun With Symbian Platform Security

In the past few weeks, a number of Symbian technical blogs have announced a hack of Symbian Platform Security on the latest Symbian phones. By modifying a file in an OS software update, you can install unsigned applications and gain access to the Nokia Series 60 (S60) phone’s file system. On older S60 phones it was easier to accidentally install malware such as Cabir or Commwarrior. The newest phones refuse to install old installation files and restrict file system access for new programs, unless they’re digitally signed.

Installing unsigned apps is not a big risk by itself, as unsigned programs will not install. After using this hack, you can sign an application yourself and also give it additional permissions–such as reading user data or monitoring email. Signing an app yourself limits it to being installed and running only on your phone, so this isn’t an effective way to spread malicious programs.

Others have suggested more harmful uses for this hack. Phone thieves may use the technique to read your e-mail or steal unencrypted passwords. The risk from this attack is also slim, as the hack may brick various phone models.

Sony Ericsson UIQ phones are also open to a variation of the hack. Instead of the more uncertain do-it-yourself method on the S60 phones, for around $30 you can purchase online a flash update from a phone-unlocking vendor. However, every time a new official UIQ update is released, you’ll need to purchase another unlocking flash.

Though playing with phone hacks can be fun, there is the possibility of ending up with a bricked phone. Here are few more things to look out for:

• Downloading and installing ROM updates from untrusted sources can sometimes be exploited. On some phone ROMs it may be possible to install malicious applications. Install the update and you could end up with a malware bonus.

• Hacking tools may either help disguise malware or in some cases may actually be malware.