DIY hack for Orange SPV smartphone revealed

ToshiroOC · Jan 17, 2003, 11:51 AM

Orange SPV application signing disabled

Carrier Orange and Microsoft face embarassment as workarounds for the SPV's application signing requirements, loathed by developers and SPV owners, show up on the Internet.

As the first device to be based on Microsoft's Smartphone 2002 platform, the features of Orange's SPV have been much touted over the course of the past few months. However, one glaring omission - or addition, as one might call it - stands out in the features list. Unlike Microsoft's Pocket PC Phone Edition platform, Smartphone 2002 contains a framework which allows carriers to prohibit the installation of any application having not undergone an official signing process. Now, two separate workarounds have appeared on the Internet that allow SPV owners to circumvent that restriction.

Orange, in its SPV, chose to implement the strictest option available in the framework, with the intent of blocking malicious applications from being installed, but also rendered a great number of potential developers unable to work with the platform in doing so. Not only do developers have to purchase an expensive SPV development kit, but are also required to undergo a costly process to obtain certificates required to allow owners of commercial-grade SPVs to install their applications - a total of which many independent developers and small software houses simply cannot afford.

Two workarounds to let SPV owners disable the much-loathed application signing requirements were recently posted - to Microsoft's embarassment - in the official Smartphone Newsgroup, frequented by SPV users who willingly voice their opinions concerning the many bugs of their SPV, as well as their discontent with the lack of applications for the platform.

Although relatively simple, the workarounds require users to take active steps to disable the signing requirements. As such, they cannot be invoked remotely to present a vulnerability by leaving SPVs open to viruses or other malicious content. This issue was also touched upon by Microsoft's Smartphone Product Manager, Jonas Hasselberg, in his comment to the workarounds.

Hasselberg said Microsoft had recently learned of the potential issue affecting the SPV handset, and is working with Orange to address the issue. "Owners of Orange SPVs are not at risk from attackers, as an Orange SPV could in no way be compromised using the recently posted exploits remotely, or without the participation of a user physically disabling the code signing enforcement."

Likely, an eventual fix for the problem will result in an update being made available to SPV owners through Orange's Over-The-Air upgrade feature, embedded in all SPV handsets.

Meanwhile, developers who cannot afford to undergo the $600 USD signing process have no other choice than to await SPV contenders, leaving a potentially healthy software market anemic in comparison with that of the successful Pocket PC platform - from which, ironically, porting most applications to the SPV platform is widely perceived to be a relatively simple task.

--By: Jørgen Sundgot

Article can be read here.

Jan 17, 2003, 11:51 AM	#1
ToshiroOC Unbiased. Join Date: Jun 2002 Posts: 4,812 Rep Power: 0	DIY hack for Orange SPV smartphone revealed Orange SPV application signing disabled Carrier Orange and Microsoft face embarassment as workarounds for the SPV's application signing requirements, loathed by developers and SPV owners, show up on the Internet. As the first device to be based on Microsoft's Smartphone 2002 platform, the features of Orange's SPV have been much touted over the course of the past few months. However, one glaring omission - or addition, as one might call it - stands out in the features list. Unlike Microsoft's Pocket PC Phone Edition platform, Smartphone 2002 contains a framework which allows carriers to prohibit the installation of any application having not undergone an official signing process. Now, two separate workarounds have appeared on the Internet that allow SPV owners to circumvent that restriction. Orange, in its SPV, chose to implement the strictest option available in the framework, with the intent of blocking malicious applications from being installed, but also rendered a great number of potential developers unable to work with the platform in doing so. Not only do developers have to purchase an expensive SPV development kit, but are also required to undergo a costly process to obtain certificates required to allow owners of commercial-grade SPVs to install their applications - a total of which many independent developers and small software houses simply cannot afford. Two workarounds to let SPV owners disable the much-loathed application signing requirements were recently posted - to Microsoft's embarassment - in the official Smartphone Newsgroup, frequented by SPV users who willingly voice their opinions concerning the many bugs of their SPV, as well as their discontent with the lack of applications for the platform. Although relatively simple, the workarounds require users to take active steps to disable the signing requirements. As such, they cannot be invoked remotely to present a vulnerability by leaving SPVs open to viruses or other malicious content. This issue was also touched upon by Microsoft's Smartphone Product Manager, Jonas Hasselberg, in his comment to the workarounds. Hasselberg said Microsoft had recently learned of the potential issue affecting the SPV handset, and is working with Orange to address the issue. "Owners of Orange SPVs are not at risk from attackers, as an Orange SPV could in no way be compromised using the recently posted exploits remotely, or without the participation of a user physically disabling the code signing enforcement." Likely, an eventual fix for the problem will result in an update being made available to SPV owners through Orange's Over-The-Air upgrade feature, embedded in all SPV handsets. Meanwhile, developers who cannot afford to undergo the $600 USD signing process have no other choice than to await SPV contenders, leaving a potentially healthy software market anemic in comparison with that of the successful Pocket PC platform - from which, ironically, porting most applications to the SPV platform is widely perceived to be a relatively simple task. --By: Jørgen Sundgot Article can be read here. __________________ [img][/img] [color=White]Peace be with you, Joe.[/color] Driverheaven Staff Member (Supermoderator)