I have always had a huge issue with code signing for BlackBerry applications. For almost a decade code signing has been a hugely frustrating and annoying barrier to entry for new BlackBerry developers while providing marginal security improvements. Hell, it used to cost $200 for code signing keys. As far as I have been able to research, all code signing does, at least until the BlackBerry PlayBook, is prove that the code you are installing has not been modified since the developer signed it. In other words it provides integrity, which is not the same thing as trust, and even RIM can see how laughable a security model that is all by itself. I am not necessarily against code signing, but the benefits have to outweigh the cost. More on that later.
One of RIM’s devs, Mark, was kind enough to detail the past and present of code signing for all BlackBerry devices on the RIM DevBlog. He even tries to explain why it is of value, especially on the BlackBerry PlayBook. The two major additions RIM made to code signing on the BlackBerry PlayBook are using part of the code signing key to protect the data your application can access, and adding debug tokens so you can test unsigned code on an actual BlackBerry PlayBook. It is nice to see that code signing is getting easier, and I truly hope it becomes as simple as pie without 14 different steps, no matter how easy the wizard. I just want to stress how important it is for RIM to streamline this process until their support forums are no longer flooded with developers frustrated by the code signing process. (Just take a look to see what I mean.)
Code signing certificates mainly provide the ability to verify that the application you installed came from the developer without any modifications. It does not tell you whether the developer is somebody you should trust or whether they just plan on stealing all your data. Hell, all RIM even does is verify a developer's information with their credit card company. This is semi-redundant on the BlackBerry PlayBook since RIM plans on restricting PlayBook app installations to App World only, unless you sideload your app. That means RIM already authenticates that the application you are installing comes from that developer. They do this by making developers jump through hoops to register for App World and verify their identity. So why do we need to double verify that fact? Also, it is laughably easy to get a code signing key from RIM, so it does not stop you from trusting bad developers, since they can just as easily sign their code with another key.
The code signing keys also provide little value to developers, especially PlayBook developers. They do not protect your application code or stop another developer from simply unzipping your .BAR install file (for WebWorks and Flash apps), compiling the app again and signing it with their own key. That sort of makes the whole Debug Token security model another painful step that does not add as much value as the painful setup scheme it requires. It gets even worse if you lose your key and can no longer update your app until it is reinstated, or if you want to share your key with other developers you are working with.
This model is even more flawed on BlackBerry smartphones, where code signing is not even required for apps to run unless they need access to protected APIs. Also, they can be installed from any source, which is probably why RIM started with the code signing model: it allows RIM to centrally revoke a developer's ability to sign new code. The thing is, that developer could have many more code signing keys that they could just as easily sign malicious code with. If anything, part of RIM’s improvements to streamline code signing has been to make it easy for ANYBODY to get a code signing key.
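To make the three points above concrete (a signature proves integrity, not who the publisher is; anyone holding an issued key can repackage and re-sign an app; revoking one key does nothing against a second key the same person holds), here is an added worked example. It is my own illustration, not RIM's code or the real .BAR signing format: the signed-manifest layout, the sample app files, the "issued keys" set standing in for RIM's signing authority, and the toy RSA key pairs built from Mersenne primes are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import json

# --- toy RSA built from Mersenne primes (constructed; far too small for real use) ---
def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for textbook RSA. Needs Python 3.8+ for pow(e, -1, phi)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

DEV_PUB, DEV_PRIV = make_keypair(2**31 - 1, 2**61 - 1)         # the legitimate developer
CROOK_PUB, CROOK_PRIV = make_keypair(2**89 - 1, 2**107 - 1)    # someone else who obtained a key
CROOK2_PUB, CROOK2_PRIV = make_keypair(2**127 - 1, 2**521 - 1) # the same person's second key

# Hypothetical stand-in for "keys the vendor has issued and not revoked".
ISSUED_KEYS = {DEV_PUB, CROOK_PUB, CROOK2_PUB}

def _hash_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, priv) -> int:
    n, d = priv
    return pow(_hash_int(message, n), d, n)

def verify_sig(message: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == _hash_int(message, n)

# --- constructed signed-archive format: per-file digests in a manifest, manifest signed ---
def build_manifest(files: dict) -> dict:
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}

def manifest_bytes(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True).encode()

def package(files: dict, pub, priv) -> dict:
    """Bundle files + manifest + signature, like building and signing an archive."""
    manifest = build_manifest(files)
    return {"files": dict(files), "manifest": manifest, "signer": pub,
            "signature": sign(manifest_bytes(manifest), priv)}

def verify_integrity(pkg: dict, issued=ISSUED_KEYS) -> bool:
    """All a signature proves: the contents match the manifest and the manifest
    was signed by some issued key. It says nothing about which developer that is."""
    if pkg["signer"] not in issued:
        return False
    if build_manifest(pkg["files"]) != pkg["manifest"]:
        return False
    return verify_sig(manifest_bytes(pkg["manifest"]), pkg["signature"], pkg["signer"])

def verify_publisher(pkg: dict, expected_pub, issued=ISSUED_KEYS) -> bool:
    """Integrity plus a pinned publisher key: the trust decision the signature alone never makes."""
    return verify_integrity(pkg, issued) and pkg["signer"] == expected_pub

# Constructed sample app contents (stand-in for the files inside a WebWorks archive).
APP = {"index.html": b"<html>hello</html>", "app.js": b"console.log('hello');"}

def scenario_tamper() -> bool:
    """Edit a file after signing: the integrity check fails, as advertised."""
    pkg = package(APP, DEV_PUB, DEV_PRIV)
    pkg["files"]["app.js"] = b"console.log('changed');"
    return verify_integrity(pkg)

def scenario_repackage() -> tuple:
    """Unzip the files, rebuild the manifest, sign with a different issued key:
    integrity passes; only a publisher check pinned to DEV_PUB notices."""
    clone = package(APP, CROOK_PUB, CROOK_PRIV)
    return verify_integrity(clone), verify_publisher(clone, DEV_PUB)

def scenario_revoke() -> tuple:
    """Revoking one key does nothing against a second key the same person holds."""
    still_issued = ISSUED_KEYS - {CROOK_PUB}
    first = package(APP, CROOK_PUB, CROOK_PRIV)
    second = package(APP, CROOK2_PUB, CROOK2_PRIV)
    return verify_integrity(first, still_issued), verify_integrity(second, still_issued)

if __name__ == "__main__":
    print("tampered file passes integrity:", scenario_tamper())
    print("re-signed clone (integrity, publisher):", scenario_repackage())
    print("after revoking one key (first, second):", scenario_revoke())
```

The only check that tells the original developer's app apart from the re-signed clone is `verify_publisher`, and that check depends on the installer already knowing which key belongs to whom; that identity mapping is what App World registration provides, which is the redundancy the post is pointing at.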
All in all, it seems like code signing is simply made to deter lazy crooks instead of providing the level of benefit that would justify the high toll it takes on BlackBerry developers. The question is whether RIM can simplify this process to make it less painful, or at least justify the cost by adding actual benefits. I understand that RIM wants to protect users from imposters signing code or impersonating another company, but the security it offers against that is not that hard to bypass. All it does is make sure the code signer cannot be anonymous, but a malicious dev could easily obtain a stolen credit card number and purchase a code signing key, especially since nobody would notice the $1 code signing authorization charge.
My dream is that RIM finds a way to create a 3 step wizard that within 10 minutes sets up your development environment, requests and installs your code signing keys, and sets up your App World vendor account. I am truly hoping Mark and his team can make that a reality ASAP… since right now that process is measured in hours or days instead of minutes. You can see the advancements RIM has made in the last year below, but hopefully RIM overhauls the whole system so we don’t need www.isthesigningserverdown.com anymore:
- Made code signing keys easier to obtain by removing the credit card requirement for ordering them
- Reduced the order time for code signing keys from 7-10 days to approximately 1-2 hours so you can start building right away!
- Created Configuration Wizards to walk you through configuring and backing up your keys
- Automated many previously manual steps by integrating Debug Tokens into the SDKs
- Updated the hardware for our code signing servers
- Created the Code Signing Support site to walk through the ordering, configuration and signing process
Let me know what you think! I would love to be proven wrong…