Licensees need to update any overrides of CEikAppUi::HandleSystemEventL on the same pattern as Symbian will do

UI Framework provides a function CEikonEnv::SetSystem to be used by applications that should not be possible to close from another application. Currently this mechanism does not work and changes to Symbian code alone will not be enough to close this vulnerability.

Updates to licensee code are required to prevent that applications having called CEikonEnv::SetSystem (e.g. Telephony) to be possible to close from another application.

To close the security vulnerability all implementations of the virtual CCoeAppUi::HandleSystemEventL needs to:

· Change so that an application marked as “system” does not close itself when it receives an EApaSystemEventShutdown event

· Add functionality so that an application is closed when it receives an EApaSystemEventSecureShutdown event

In code this can be expressed like this.

EXPORT_C void CXxxAppUi::HandleSystemEventL(const TWsEvent& aEvent)

{

<skip>

case EApaSystemEventShutdown:

+ // This event must no longer be allowed to close system-applications

+ if((static_cast<CEikonEnv*>(iCoeEnv)->IsSystem()))

+ break;

+ case EApaSystemEventSecureShutdown:

+ // If shutter is already running we don’t need to launch another one

+ if(iAppUiExtra && iAppUiExtra->IsSet(CEikAppUiExtra::EShutterPending))

+ break;

+ // Launch a shutter to gracefully close the application

CEikShutter::DeferredExecuteL(*iEikonEnv);

+ if(iAppUiExtra)

+ iAppUiExtra->Set(CEikAppUiExtra::EShutterPending);

break;

<skip>

}