Is there is a way in nokia symbian to make it signed manually on device after installing it as unsigned or before installing.
With self signed method or any other method.
For the Above purpose you need to buy a Singing Certificate from VeriSign or other Trusted site. My Company has purchased same certificate worth Rs 20K. It is onetime payment. however you can have your own customized certificate called self signed certificates. Just google it how to make self signed certificate. It will show you the stesp for it. After signing with that certificate, you need to install that certificate on the same phone. It has benefit that , this works like a licencing of your own Application.
Related
My company's product is Android and iOS mobile app which connects to our own backend. All interactions of the mobile app are with backend developed by our own company.
In such a situation, can the backend use a self signed certificate (instead of getting a certificate from CA) and pin this self-signed certificate on mobile app to make it more secure.
Please let me know if this strategy makes sense (or we still have to get SSL cert from a CA)
This is an old issue, but I think it bears following up on. SSL certs are dirt cheap if purchased from the right companies and not from the "big 3". Comodo has wildcard certs (any subdomain) for USD 60-70/year. They are secure (256 SHA) and install right off. Well worth the money, IMHO.
I want to understand what self signed certificate means.
any explanation is appreciated.
Self Signed Certificates are types of SSL certificates that are generated by an independent person (such as yourself), rather than generated by a Certificate Authority.
Many organizations are tempted to use self-signed SSL Certificates instead of those issued and verified by a trusted Certificate Authority mainly because of the price difference. Unlike CA issued certificates, self-signed certificates are free of charge. What most users are not aware of is that self-signed certificates can end up costing them more in the long run.
While self-signed SSL Certificates also encrypt customers' log in and other personal account credentials, they prompt most web servers to display a security alert because the certificate was not verified by a trusted Certificate Authority. Often the alerts advise the visitor to abort browsing the page for security reasons.
In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure.
It means that the people who are providing the certificate are the same people the certificate is being issued to, usually done this way because it is free.
It is best to have a certificate provided by a trusted Certificate Authority however, It will cost money, but is more trustworthy.
I an responsible for deploying a large amount of embedded devices and want to add https.
I've done a bit of googling and am a little confused as to where exactly my plan falls through.
Get a certificate signed by a reputable CA
Use the corresponding private key to sign new certs for each device
User connects to device (e.g.192.168.1.40) and receives 2 certificates
User's browser verifies that the device's cert. was issued by my company
User's browser verifies that my companies cert. was issued by reputable CA
Can someone please poke a few holes in that??
Similar question here
I don't have any experience on using a digital cert.
Recently I wrote an application in J2ME and Qt for the Nokia S40 and S60 /Symbian ^3/Anna/Belle series phones.
My question is mainly on S40 J2ME phones.
My app need to read /write from memory cards and thus needs a digital cert signing.
I plan to let users download my apps from my site and my questions are:
If I bought a cert, does it mean that I use the same cert to sign any number of J2ME apps? Or one cert one app?
After signing an app with a cert, will it run after the cert expired? Suppose the cert is valid at the time signing the code. I read some articles about timestamp for PDF documents and Microsoft code signing, and not sure whether it is needed for J2ME apps.
I assume many S40 users won't connect to internet. But when a user tries to install the MIDlet, is it necessary to connect through network to the cert issuer's site to verify the cert?
You can use the purchased certificate to sign any number of applications until it expires
Your midlet will still work and install but you will not be able to sign new ones with an expired certificate. See also this post
certificate validation does not require network access. The root certificate of the issuer is already on the device. Be aware that you should use a certificate issuer whose root certificate is on your target devices.
In J2ME when you sign a JAR with a certificate chain that includes an intermediate certificate (such as one from obtained from Verisign), does the device need to have the intermediate certificate installed as well as the root certificate during verification?
I am guessing the answer is no because the intermediate certificates are stored in the JAD file in the MIDlet-n-m properties where m is 2 or greater, and I believe the device references these while verifying. If that is true then J2ME certificates are different from SSL website certificates which require the intermediate certificates be installed in the browser, correct?
Finally if this is all true then couldn't anyone who gets a certificate from Verisign or any other CA with their root certificate on the device just go ahead and sign their friend's certificates and then their friends will be trusted?
Seems like a flaw in the system if this is all true...
The certificate one gets from verisign would typically be trusted to sign a MIDlet but not another certificate. Certificates trusted to sign MIDlets usually are not trusted to sign native applications either.
Between this and the (admitedly advanced and not always available) ability to revoke certificates, the system is fairly safe as long as trust is preceded by due diligence (so your Mobile Network Operator doesn't start trusting trojans and such...)
Frankly, it's not like mobile airwaves are inherently secure anyway.