Symbian Admits Trojan Slip-Up
Tom Espiner writes on C|Net News:
The Symbian Foundation has acknowledged that its process for keeping malicious applications off Symbian OS-based phones needs improvement, after a Trojan horse program passed a security test.
The botnet-building Trojan, which calls itself "Sexy Space," passed through the group's digital-signing process, Symbian's chief security technologist Craig Heath said Thursday. Heath said the group is working on improving its security-auditing procedure.
"When software is submitted, we do try to filter out the bad eggs," Heath told ZDNet UK. "When apps are submitted, they are scanned. We are looking at how they could be scanned better."
Developers must submit the mobile applications they build to the Symbian Foundation for checking for the applications to be accepted by handsets with the Symbian operating system. Once the submission has been accepted, the applications are digitally signed by Symbian. Digital signatures, which are cryptographic security features, are designed to provide an amount of assurance that software for download comes from a trusted source.
The first stage of Symbian's signing process, antivirus scanning, is done automatically using an antivirus engine. Once an application has been submitted and scanned, random samples are then submitted for human audit.