Smartphone manufacturers frequently go to enormous lengths to help keep our devices secure. Part of that role is regulatory, keeping unwanted apps out of centralized app stores. Other protections are technical, using software to keep one step ahead of ne’er-do-wells. One such technical protection is code signing, in which developers sign their code with a private cryptographic key so that end users can verify it came from a known, trusted source. This is why you can safely sideload updates to Google’s Android apps you find online, as they can be verified as coming from Google itself. But now a new story’s emerging about how some hackers nearly undid this protection for one smartphone platform, and blackmailed Nokia in the process.
We have to go back a few years for this, to the days when Symbian was still a viable platform. Reports out of Finland this week claim that six years ago Nokia paid hackers a sum of several million euros in order to prevent the group from releasing critical Symbian source code, including a private Nokia encryption key that could be used to sign code. Were that key ever to get out into the wild, malicious code could be made to look indistinguishable from legitimate Nokia-sourced software.
Finnish police have confirmed that they’re investigating the case, and while Nokia hasn’t confirmed the details (perhaps due to the ongoing nature of the investigation), this talk of blackmail does align with those media reports.
A potential hack involving Symbian might not seem so important now, but remember: we’re learning about this six years after the fact. Could there be similar, more recent cases involving other smartphone platforms that have yet to become public knowledge?