Symbian3/SDK/Source/GUID-39A995DC-F047-4B41-A60D-27063CE329BE.dita
changeset 0 89d6a7a84779
equal deleted inserted replaced
-1:000000000000 0:89d6a7a84779
       
     1 <?xml version="1.0" encoding="utf-8"?>
       
     2 <!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
       
     3 <!-- This component and the accompanying materials are made available under the terms of the License 
       
     4 "Eclipse Public License v1.0" which accompanies this distribution, 
       
     5 and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
       
     6 <!-- Initial Contributors:
       
     7     Nokia Corporation - initial contribution.
       
     8 Contributors: 
       
     9 -->
       
    10 <!DOCTYPE concept
       
    11   PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
       
    12 <concept id="GUID-39A995DC-F047-4B41-A60D-27063CE329BE" xml:lang="en"><title>Planning
       
    13 system and software security</title><prolog><metadata><keywords/></metadata></prolog><conbody>
       
    14 <p>Devices based on the Symbian platform are capable of joining both public
       
    15 and private networks and often have the functionality of a normal desktop
       
    16 computer. However, the average user does not perceive the device as a computer,
       
    17 but rather as a regular phone that is safe from security threats. This creates
       
    18 an opportunity for hostile attackers to infiltrate the device and wreak severe
       
    19 direct or indirect damage (for example, by penetrating into the corporate
       
    20 intranet).</p>
       
    21 <p>It is, however, possible to anticipate these kinds of threats, and protect
       
    22 applications by using the security features offered by the Symbian platform,
       
    23 and by expanding <i>security policies</i> to cover mobile devices and services.</p>
       
    24 <p>To develop system or software security, repeat the following steps:</p>
       
    25 <ol>
       
    26 <li id="GUID-98856624-2B55-44FC-9DD9-69850C2B22D9"><p>Define and
       
    27 evaluate all critical assets (resources, information).</p></li>
       
    28 <li id="GUID-4FE98A61-A0B8-4249-936E-DF319804AA2D"><p>Identify all
       
    29 possible threats, vulnerabilities, and potential attacks, and estimate the
       
    30 extent of possible damage.</p><p>Areas to examine in the Symbian platform
       
    31 are system resources, removable media, and communication between components.</p>
       
    32 </li>
       
    33 <li id="GUID-43B87274-297C-4AA8-B2A1-872E2BA83F30"><p>Prioritize
       
    34 high-risk vulnerabilities, and select and implement corresponding security
       
    35 features. If risks are sufficiently low, protective measures may be unnecessary.</p>
       
    36 </li>
       
    37 <li id="GUID-3D7F3A95-635E-4D9C-9883-BBD36263401D"><p>Repeat these
       
    38 steps until the necessary level of protection is achieved.</p></li>
       
    39 </ol>
       
    40 <p/>
       
    41 <fig id="GUID-A41ADA16-6D0B-4EA4-BBF2-67C2CFED68F3"><title>Security development process</title><image href="GUID-316D7B85-F827-4479-B5EE-81F210614236_d0e6515_href.png"/></fig>
       
    42 <p>The security development process is guided by <i>cost</i>, <i>efficiency,</i> and <i>usability</i>.
       
    43 If security is too tight, this may be expensive and affect both performance
       
    44 and the user's experience of the system or software. On the other hand, if
       
    45 security is too slack, this may result in severe damage and, in the long run,
       
    46 be even more costly.</p>
       
    47 <section id="GUID-39A995DC-F047-4B41-A60D-27063CE329BF"><title>Security methods</title>
       
    48 <p>The list below contains the most common and important security methods
       
    49 used in the mobile world:</p>
       
    50 <ul>
       
    51 <li><p><i>Ciphering</i> enables confidentiality. Information is
       
    52 accessible only by authorized parties. With ciphering it is also possible
       
    53 to maintain integrity.</p></li>
       
    54 <li><p><i>Hash</i> function (<i>checksum</i>) can be used to verify
       
    55 integrity and detect information tampering.</p></li>
       
    56 <li><p><i>Signing</i> allows attaching of information to a certain
       
    57 source.</p></li>
       
    58 <li><p><i>Authentication</i> ensures that the object is what it
       
    59 claims to be.</p></li>
       
    60 <li><p><i>Access control</i> restricts unauthorized access to resources.</p>
       
    61 </li>
       
    62 <li><p><i>Authorization</i> is permission to perform tasks on behalf
       
    63 of somebody else.</p></li>
       
    64 <li><p><i>Certification</i> is provided usually by a third party
       
    65 to prove information validity.</p></li>
       
    66 <li><p><i>Recovery mechanisms</i> are usually implemented as redundancy
       
    67 (duplication of information or routes).</p></li>
       
    68 <li><p>In communication it is possible to use, for example, <i>error
       
    69 correction</i> to repair transmission failures, <i>random traffic generation</i> to
       
    70 keep the line occupied, and <i>packet uniforming</i> to blend important packets
       
    71 into traffic.</p></li>
       
    72 </ul>
       
    73 <p>Some of the methods above are interconnected (for example, certification
       
    74 requires that the information is signed) and not all of them are of equal
       
    75 importance, since some basic methods form a base for more complicated methods.</p>
       
    76 </section>
       
    77 </conbody></concept>