Signing Smartphone apps with a privileged certificate


The security infrastructure on Smartphone requires that an application be "trusted" in order to write to certain files, write to certain registry keys, or use certain APIs.  How you get "trust" is determined by the OEM or operator selling the device.  For some devices, all apps are trusted.  For others, you get trust after the user agrees to a prompt.  For a large number of devices, however, to be trusted your application must be digitally signed with a "privileged" certificate that the device trusts.  Until recently, this meant going to each mobile operator and convincing them to sign your app (not exactly an easy task). 

Well, now we have something better: the Mobile2Market Privileged Certificate program.  The goal of this is to enable ISVs to get their app signed with a single privileged certificate that all devices trust.  This is mostly a manual process on our end but it's a huge step forward and I'm really excited that our Mobile2Market and security folks were able to pull this together. 

If this is something you need, read the requirements.  Once your app meets the requirements, send a mail to M2M@microsoft.com to get the rest of the details (process, costs, etc).

[Author: Robert Levy]


Comments (13)
  1. Mikel Berger says:

    The security infrastructure on Smartphone requires that an application be "trusted" in order to write to certain files, write to certain registry keys, or use certain APIs. Until recently, this meant going to each mobile operator and convincing them to sign your app (not exactly an easy task). Well, now we have something better: the Mobile2Market Privileged Certificate program. The goal of this is to enable ISVs to get their app signed with a single privileged certificate that all devices trust. If this is something you need, read the requirements. Once your app meets the requirements, send a mail to M2M@microsoft.com to get the rest of the details (process, costs, etc). http://blogs.msdn.com/windowsmobile/archive/2004/11/02/251298.aspx

  2. Saar Avigour says:

    At last…what a pain relief…if only it will do the job. I’m going to apply for it.

    Saar Avigour

    SPM – Destinator

    HSTC

    savigour@hstcglobal.com

  3. Andrew Thomas says:

    Only of course if the operators allow the M2M priv cert to be installed.

  4. D. Kurovskiy says:

    I have i-mate sp3i, wince for smohs operator version 1.1.33.23. When the phone was upgraded to ver 2.3.33.21 (OS ver 4.21.1088 build 15045.2.6.0) the signed applications STOPPED working! They work only if I get rid of the protection by the use of program SDA Application Unlock! Why?

    Is it Microsoft’s bug or i-mate’s?

    p.s.

    All certificates are present in Root window

  5. CS says:

    Does this signing only apply to Smartphone applications? What if I have an application that runs only on Pocket PC?

  6. scyost says:

    The signing model applies to both platforms but the security model for pocket pc is much less restrictive, so you can usually get by with the unprivileged M2M certificate unless you are writing a driver or service.

  7. CS says:

    Hello Scott,

    Where can I get the information on the process and cost, all that information, other than just emailing m2m@microsoft.com? Is there another way around?

  8. scyost says:

    That e-mail address and http://www.mobile2market.net are your best bets.

  9. CS says:

    Hello,

    I think I understand more now. Unfortunately, http://www.mobile2market.net does not seem to be the one that I want; it provides the Mobile Application Catalog, which does not seem to be the code signing that I want. Now I understand that M2M seems to only provide privileged authorization, and if I require normal code signing, I don’t have to go through the mobile2market step. Is it true?

  10. CS says:

    Scott,

    Any answer for the above?

  11. scyost says:

    It’s not true. You want to go through M2M for normal mode signing too.

  12. brewwindow says:

    Hi, can I change the icon and name of the application after I have signed my application?

  13. brewwindow says:

    Hi,

    Is there any workaround to change the name of a Windows Mobile application after it has been signed?

    regards

Comments are closed.
