Geeks With Blogs

News Clicky Web Analytics

web stats View David Caddick (davidcaddick@gmail.com)'s profile on LinkedIn

Search this Site!

Locations of visitors to this page
View My Stats eXTReMe Tracker
This posting is provided "AS IS" with no warranties, and confers no rights. The opinions expressed within are my own and should not be attributed to any other Individual, Company or the one I work for. I just happen to be a classic techie who is passionate about getting things to work as they should do (and are sometimes advertised and marketed as being able to?) and when I can I drop notes here to help others falling in to the same traps that I have fallen in to. If this has helped then please pass it on - if you feel that I have commented in error or disagree then please feel free to discuss with me either publically or privately? Cheers, Dave
Thin Clients, VDI and Linux integration from the front lines.... Raw and sometimes unedited notes based on my experiences with VMware, Thin Clients, Linux etc.

So continuing on from last nights rant/ramble regarding Root Certs on my C600…….

I originally sent this email to Orange Developers trying to find out why I couldn’t at least unlock my Phone from the point of view of running unsigned applications on it. This used to be one of the first things I always did after I’d upgraded or flashed the C500, straight over to http://developer.orangews.com/orgspv/SPV.aspx?U=T and enter my details along with the IMEI number and hey presto “Application Unlocked”, now with the C600 it kept coming up with a refusal like this:

Sorry but we are unable to find the IMEI number that you have entered on our database.
If you are certain that the details you have entered are correct, consult the following solutions:

So I signed up as an Orange Developer on http://www.orangepartner.com and then sent this email:

++++++++++++Email 1++++++++++++++++++++++++++++++++

Hi Chaps,

I wonder if someone could possibly answer this for me?

 

I have a nice shiny new C600 but to get it to talk correctly to the Exchange 2003 SP2 server it needs to have a valid cert. The cert on the Exchange server is a "Equifax Secure Global eBusiness CA-1"

 

So first of all I need to find a way of getting the Root .cer in to the WM5 device?

 

I've also accessed the original site

http://developer.orangews.com/orgspv/SPV.aspx?U=T trying to get my C600 Application unlocked so that I could do this myself but unfortunately I get an error that my IMEI number is not recognised....

 

Any and all suggestions and assistance welcome.

 

Thanks in advance,

Dave Caddick
++++++++++++Email 1++++++++++++++++++++++++++++++++

 

And the reply came back

++++++++++++Email 2++++++++++++++++++++++++++++++++

David,

If you check the handset there is an Equifax Secure Certificate in the Root certificate store. Your "Equifax Secure Global eBusiness CA-1" certificate should authenticate against this. Unlocking your handset would allow you to put a certificate in the store but you would need to do this for all handsets you intend to connect to the Exchange server. As you have purchased the certificate from Equifax it might be worth checking that the certificate you purchased is compatible with the "Equifax Secure Certificate" on the handset.

++++++++++++Email 2++++++++++++++++++++++++++++++++

 

Now I don’t actually agree with this, as per yesterdays Blog, so I sent this:

++++++++++++Email 3++++++++++++++++++++++++++++++++

Thanks Martin,

 

I think you'll find that this is not quite the case, but regardless, what happens when we or one of our clients wants to use a Test certificate in a Proof of Concept - we're still in the same boat.

 

What I really would like to know is Orange's policy regarding Application Unlocking

 

Can it be done?   It's my PC/PDA/etc after all

Can I not have Admin rights?

I am very much in the forefront of this technology, BUT this is what I do for a living - fix technology for others...

 

Previously with the C500 all I had to do was go to a developers.orange.com web site and I could unlock over the web by quoting my IMEI number...... Is this no longer the case?   When did this change?

 

I would really appreciate as much detail as possible regarding these questions if at all possible?

 

Cheers,

Dave

++++++++++++Email 3++++++++++++++++++++++++++++++++

 

And so the next reply came back:

++++++++++++Email 4++++++++++++++++++++++++++++++++

David,

See answers below. (Additional notes from Orange in red) Also be aware that the situation will get much tighter. All open OS on handsets e.g. Symbian, Java and Microsoft are moving more and more toward security models based on trust levels. There should always be ways to allow developers to test their applications but industry standard testing and digital signing will become more and more important as it provides traceability to the developer and helps protect the customer.

 

Regards,

Martin

Orange Partner

 

-----Original Message-----

From: David Caddick [mailto:davidcaddick@gmail.com]

Sent: 01 February 2006 16:27

To: Developers

Subject: Re: Technical - Adding a root cert to SPV C600? Application unlocking?

 

Thanks Martin,

I think you'll find that this is not quite the case,  (it should be - check the Microsoft article http://support.microsoft.com/default.aspx?scid=kb;en=us;841060 ) but regardless, what happens when we or one of our clients wants to use a Test certificate in a Proof of Concept - we're still in the same boat.

 

What I really would like to know is Orange's policy regarding Application Unlocking

 

Can it be done?  Yes for development purposes

It's my PC/PDA/etc after all  True but it is using our network and we must protect that. Customers expect us to replace damaged handsets and this would include handsets that have a virus on them.  Would a customer agree to pay the bill if a rogue application that they had downloaded to an unlocked handset ran up huge Premium rate SMS bills without their knowledge? We are aware that it is a tricky problem but even your PC warns you if you try to load an application that has not been approved by Microsoft.

Can I not have Admin rights?  This has not been provided in the technology as yet. 

I am very much in the forefront of this technology BUT this is what i do for a living  - fix technology for others...

 

Previously with the C500 all i had to do was go to a developers.orange.com web site and I could unlock over the web by quoting my IMEI number...... Is this no longer the case?  Yes it is still the case but we need to ensure as far as possible that the unlock is being used for development and testing not just to allow the installation of untrusted applications.

- Show quoted text -

When did this change?

++++++++++++Email 4++++++++++++++++++++++++++++++++

 

So it would appear at this stage that Orange is taking the stance that they NEED to block unsigned applications – just in case you accidentally download and run a rouge application that starts making calls and or SMS messages to premium services, and so then when you discover you have a bill that’s too high you won’t be able to blame the carrier?

 

So as such, when you get a shiny new toy you will have to be restricted to only playing with new software and toys from recognised developer houses that publish/sell/support SIGNED apps?

 

Heck, if I was going to run a scam where I could convince people to download an applet that would cause that sort of mayhem while earning me thousands (a Crazy Frog anyone? ;-) I would not be too concerned with having to shell out a couple of hundred quid to get it to run silently?

 

I mean we all know that this isn’t going to stop those of us that are keen, because this time around it just took me a little longer than normal because they’d changed the rules slightly with the WM5? But it is somewhat annoying the way this is being handled?

Posted on Thursday, February 2, 2006 5:10 PM C500/C600 SmartPhone (or replacement) , Exchange and Push Email , IT Management , Real Cool Stuff , Microsoft Tips , Security | Back to top


Comments on this post: Orange UK, Orange Developers and how Security is being changed/implemented on SmartPhones - should we be concerned?

# re: Orange UK, Orange Developers and how Security is being changed/implemented on SmartPhones - should we be concerned?
Requesting Gravatar...
i co wpisalemw wyszukiwarke slowa kluczowe i co mi znalazlo gowno widac ze w uk niema darmowych esow ze stron www
wqrwic sie idzie
Left by zenek on Feb 11, 2006 7:55 AM

# re: Orange UK, Orange Developers and how Security is being changed/implemented on SmartPhones - should we be concerned?
Requesting Gravatar...
i co wpisalemw wyszukiwarke slowa kluczowe i co mi znalazlo gowno widac ze w uk niema darmowych esow ze stron www
wqrwic sie idzie
Left by zenek on Feb 11, 2006 7:55 AM

# re: Orange UK, Orange Developers and how Security is being changed/implemented on SmartPhones - should we be concerned?
Requesting Gravatar...
I received my C600 today at 2pm.

Signed up at orangepartner.com. Emailed developers@orange.com explaining that I wanted to disable the security on my phone to develop applications along with my imei. and 2hrs 20mins later i have my own certs installed and a syncronized handset...
Left by boredazfcuk on Apr 13, 2006 1:27 PM

# re: Orange UK, Orange Developers and how Security is being changed/implemented on SmartPhones - should we be concerned?
Requesting Gravatar...
Cool - Looks like Olivier is getting on top of things then,
Dave
Left by Dave Caddick on Apr 13, 2006 2:31 PM

# re: Orange UK, Orange Developers and how Security is being changed/implemented on SmartPhones - should we be concerned?
Requesting Gravatar...
unlock my SPV 2000 Phone
Left by malik on May 13, 2006 2:17 PM

Your comment:
 (will show your gravatar)


Copyright © Dave Caddick | Powered by: GeeksWithBlogs.net | Join free