Just months after European carrier Orange released the world’s first mobile phone running on Microsoft’s Smartphone operating system, the two companies are working to develop a patch for a software bug in the phone’s operating system, a bug that allows users to bypass the phone’s security functions.
Both Orange and Microsoft point out that the software bug will not affect users unless they perform a complicated series of steps to disable the security feature. Nevertheless, the event illustrates the evolution of wireless computing as the lines between the mobile phone and the personal computer begin to blur. Indeed, some believe that in just a few years wireless users will have to download the latest virus updates to their mobile phones, just as they currently must do for their PCs.
“As mobile devices become more and more functional, it opens them up to more concerns,” said Alex Slawsby, a research analyst for the smart handheld device group at consulting firm IDC. “This is just the beginning. I think this is going to be a big issue in the coming years.”
News of the software bug in the Orange SPV (so dubbed by the operator to stand for sound, pictures and video) came to light early last week. Rumors that a user in Denmark discovered a way to bypass the phone’s application security features quickly spread over SPV enthusiast Internet sites, most notably www.modaco.com. According to those sites, users who want to disarm the security feature must edit information in the device using a personal computer, shut it off, then turn it on holding the voice memo button, edit additional information and finally restart the phone.
The process disables the signed application security feature in the phone. The feature blocks users from developing their own applications and running them on the device without first getting permission from Orange and Microsoft. To develop and distribute applications, developers must get their applications signed and certified to ensure they will run on the device, a process that includes a certification course and a US$500 price tag.
Orange required the certification feature so it could maintain control over the devices and stem the spread of unauthorized applications, such as viruses. Such controls could appeal to business users wary of rogue phone applications.
“This is going to be something that handset makers and carriers will have to deal with, and the public will have to be educated about,” Slawsby said.
With the rise of new wireless technologies (including downloadable applications based on Java and BREW technology, downloadable ring tones, multimedia messages and even downloadable video files), wireless soon will have to face the complications that inevitably arise from such progress. Viruses and computer crashes are commonplace for PC users, but those in the industry say mobile-phone users may not put up with such difficulties. Much of the pressure is on handset makers to continue to upgrade their devices and add new functionality while at the same time ensuring that the devices continue to operate as constantly as older-generation phones.
Mobile phones “are a very personal device,” Slawsby said. “It’s kind of a critical time for these (smart phone) launches to go smoothly.”
The SPV’s security bug also highlights the difficult role of the network operator. For the launch of the SPV, Orange added an extra layer of security above Microsoft’s operating system to make sure that only signed and certified applications could run on the device. That way, if an application such as a virus began to spread, Orange could revoke the certificate and immediately suspend the application.
While such an arrangement ensures that Orange can guard against potentially dangerous applications, some argue that it also stifles an open and creative developer community. Many have pointed to NTT DoCoMo’s i-mode as the premier example of a successful wireless data strategy, wherein developers are given free rein to create and sell applications. Carriers around the world have introduced wireless data strategies that model DoCoMo’s approach to varying degrees, with some keeping tight control over their applications and others taking a more laissez-faire attitude.
AT&T Wireless Services in the United States has adopted much of DoCoMo’s open approach through its mMode data offering. The carrier has said it will sell a phone using Microsoft’s Smartphone operating system by the middle of this year. AT&T Wireless was not immediately available to comment on the SPV’s security bug.
Interestingly, the SPV bug comes at the same time Microsoft and its former Smartphone partner Sendo are butting heads in a Texas court. Sendo’s lawsuit alleges Microsoft worked to drive Sendo into bankruptcy while gaining knowledge of the wireless industry. Part of Sendo’s complaint alleges Microsoft refused to fix bugs in its Smartphone software, which Sendo was using to build a phone. GW