iPhone 2.0 SDK: How Signing Certificates Work
March 18th, 2008
Daniel Eran Dilger and Jason Smith
Last May, I asked Steve Jobs for a public comment to clarify Apple’s plans for third party software for the iPhone. He assured me that Apple did indeed recognize a market for software outside of the web platform outlined for the iPhone, but was “wrestling” with how to balance openness with security. Jobs repeated similar comments that summer at All Things D.
Then, in a public message issued in October, Jobs went even further to outline Apple’s strategy for a native SDK and hinted that the company would be adopting measures similar to Nokia’s “Symbian Signed” digital signature program as a key part of its efforts to allow legitimate developers to contribute to the iPhone while keeping viruses, malware, and privacy attacks under control. The message now seems impossible to find on Apple’s servers, but stated the following:
Let me just say it: We want native third party applications on the iPhone, and we plan to have an SDK in developers’ hands in February. We are excited about creating a vibrant third party developer community around the iPhone and enabling hundreds of new applications for our users. With our revolutionary multi-touch interface, powerful hardware and advanced software architecture, we believe we have created the best mobile platform ever for developers.
It will take until February to release an SDK because we’re trying to do two diametrically opposed things at once—provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc. This is no easy task. Some claim that viruses and malware are not a problem on mobile phones—this is simply not true. There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target.
Some companies are already taking action. Nokia, for example, is not allowing any applications to be loaded onto some of their newest phones unless they have a digital signature that can be traced back to a known developer. While this makes such a phone less than “totally open,” we believe it is a step in the right direction. We are working on an advanced system which will offer developers broad access to natively program the iPhone’s amazing software platform while at the same time protecting users from malicious programs.
We think a few months of patience now will be rewarded by many years of great third party applications running on safe and reliable iPhones.
P.S.: The SDK will also allow developers to create applications for iPod touch.
What Do Signing Certificates Do?
How does signing an application have any impact upon security? In the computing world, code signing goes a bit beyond the equivalent of signing a document on the dotted line. Signed code is more like a parchment rolled up into a scroll and sealed with hot wax imprinted with a unique signet ring. Once so signed, the document can’t be altered, extended, revised, or corrected without breaking the seal. If the seal is broken, the recipient knows that something has happened to it along the way.
In addition to acting as evidence of tampering, digital code signing also unequivocally proves who signed the code. That means the two main attractions of signing code are that it provides:
- Authentication – to prove the item does indeed come from the source that it says it comes from;
- Integrity – to prove the item has not changed since it was signed.
In practice, this means spammers and identity thieves can’t take existing utilities, attach an ugly hack, and then redistribute it as apparently legitimate software. It also means that companies with a history of making spyware and adware can simply be disqualified from offering any software for the iPhone. However, there’s also a third aspect of certificate security that will enable Apple to shut down and clean up malware outbreaks immediately as they are discovered.
He Giveth and Taketh Away.
In the digital realm, the unique signing keys are issued by an authority–in this case Apple–to potentially hundreds of thousands of developers. Even more importantly, the recipient iPhones that will be examining the digital signatures of applications can verify not only the authenticity and integrity of the signing, but can also consult Apple to see if any of those signing keys have been revoked. Half the power of signing keys is in the ability to remotely revoke them, just as a driver’s license can be revoked by the court without requiring a deputy to actually go out and demand the return of the physical license card.
Apple’s ability to both give out signing certificates to developers and to revoke those certificates afterward gives it the same kind of control over developers that the DMV holds over drivers. If drivers faced no threat of losing their license, there would be no way of holding them accountable to drive according to the law. That’s how the desktop PC world currently works: anyone can jump in a car and drive any way they like, and neither Microsoft nor Apple nor any other desktop operating system platform vendor can really do much to rein in bad or malicious software drivers apart from erecting protective barricades around sensitive buildings.
Desktop developers don’t obtain a license to code, but the bad driving of the very few causes big problems for the majority of good drivers out there. End users also suffer. While malware is not a significant problem on the Mac yet, Windows PC users have to run their boxes behind a firewall and typically need to run anti-virus and other cleanup tools that rob a significant amount of their system performance in overhead.
To prevent a similar sort of anarchy from developing in the mobile space, Apple decided that developers will need a license to code for the iPhone. While the SDK is free to download for anyone who signs up in Apple’s developer program, it is also limited to running code only in a test environment. In order to upload any code to an actual iPhone–for testing, distribution, or sale–developers will need to obtain a certificate from Apple to sign their apps with. If they don’t follow the rules, or if they allow others to use their assigned certificate to sign malicious code, Apple can revoke their certificate and their signed apps will all stop working.
The simple threat of revocation would likely be enough to prevent legitimate developers from allowing fly-by-night spammers and identity thieves to use their assigned certificates to sign and distribute malicious software. Apple can also vet software as it is submitted, and rapidly respond to user complaints by terminating the distribution and revoking the run rights of signed software. With such a system in place, there’s no need for iPhone anti-virus software. Our children will never know why Symantec and Norton ever existed.
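The three checks described above (authentication of the signer, integrity of the code, and a revocation lookup against the authority) can be shown end to end in a small model. The following Go program is an added example written for this page; it is not Apple’s code and does not reproduce the iPhone’s actual certificate format or revocation protocol, which the article does not detail. It assumes a stand-in authority that issues Ed25519 developer certificates and keeps an in-memory revocation list, a constructed app payload, and a `Verify` routine that runs the checks in the order a device would: is the certificate genuinely issued by the authority, does the code match its signature, and has the certificate been revoked since.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Certificate binds a developer identity to a public key; AuthSig is the
// authority's signature over certBytes, proving the authority issued it.
type Certificate struct {
	Serial    uint32
	Developer string
	PubKey    ed25519.PublicKey
	AuthSig   []byte
}

// certBytes is the canonical byte form of a certificate that gets signed.
func certBytes(c Certificate) []byte {
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, c.Serial)
	buf = append(buf, []byte(c.Developer)...)
	return append(buf, c.PubKey...)
}

// Authority stands in for Apple: it issues certificates and tracks revocations.
type Authority struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	next    uint32
	revoked map[uint32]bool
}

func NewAuthority() *Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authority{pub: pub, priv: priv, next: 1, revoked: map[uint32]bool{}}
}

// Issue signs a developer's public key under a fresh serial number.
func (a *Authority) Issue(developer string, devPub ed25519.PublicKey) Certificate {
	c := Certificate{Serial: a.next, Developer: developer, PubKey: devPub}
	a.next++
	c.AuthSig = ed25519.Sign(a.priv, certBytes(c))
	return c
}

func (a *Authority) Revoke(serial uint32)         { a.revoked[serial] = true }
func (a *Authority) IsRevoked(serial uint32) bool { return a.revoked[serial] }

// SignedApp is what ships to the device: the code, the developer's
// certificate, and the developer's signature over the code.
type SignedApp struct {
	Code []byte
	Cert Certificate
	Sig  []byte
}

func SignApp(code []byte, cert Certificate, devPriv ed25519.PrivateKey) SignedApp {
	return SignedApp{Code: code, Cert: cert, Sig: ed25519.Sign(devPriv, code)}
}

var (
	ErrUntrustedCert = errors.New("certificate was not issued by the authority")
	ErrTampered      = errors.New("code does not match its signature")
	ErrRevoked       = errors.New("developer certificate has been revoked")
)

// Verify is the device-side check: authentication, then integrity, then the
// revocation lookup (the lookup is modelled as a callback to the authority).
func Verify(app SignedApp, authorityPub ed25519.PublicKey, revoked func(uint32) bool) error {
	if !ed25519.Verify(authorityPub, certBytes(app.Cert), app.Cert.AuthSig) {
		return ErrUntrustedCert
	}
	if !ed25519.Verify(app.Cert.PubKey, app.Code, app.Sig) {
		return ErrTampered
	}
	if revoked(app.Cert.Serial) {
		return ErrRevoked
	}
	return nil
}

// Demo returns the outcome of four scenarios, in order: a genuine app, the
// same app with one byte altered, an app under a certificate from a rogue
// issuer, and the genuine app after the authority revokes the certificate.
func Demo() []error {
	apple := NewAuthority()
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := apple.Issue("Example Developer (constructed)", devPub)
	code := []byte("constructed app binary contents")

	good := SignApp(code, cert, devPriv)
	r1 := Verify(good, apple.pub, apple.IsRevoked)

	tampered := good
	tampered.Code = append([]byte{}, code...)
	tampered.Code[0] ^= 0xff // the "broken wax seal"
	r2 := Verify(tampered, apple.pub, apple.IsRevoked)

	rogue := NewAuthority() // a key the device does not trust
	forged := SignApp(code, rogue.Issue("Rogue Issuer (constructed)", devPub), devPriv)
	r3 := Verify(forged, apple.pub, apple.IsRevoked)

	apple.Revoke(cert.Serial)
	r4 := Verify(good, apple.pub, apple.IsRevoked)
	return []error{r1, r2, r3, r4}
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("scenario %d: %v\n", i+1, err)
	}
}
```

Note the ordering in `Verify`: the certificate is checked against the authority’s key before the developer’s key is trusted for anything, so a self-issued certificate never gets as far as the integrity check, and the revocation lookup is last because it only matters once the code is known to be genuinely the developer’s. In the fourth scenario nothing about the app bytes or signature has changed; it fails purely because the authority withdrew the certificate, which is the remote-revocation property the article compares to a driver’s license.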
A Good Deal All Around.
However, developers aren’t just being asked to contribute toward iPhone users’ security out of their own sense of goodwill. In addition to protecting users from malware threats and casting an aura of safety and trustworthiness over their own legitimate iPhone software, certificate-signed applications will also create a market for mobile software that has never really existed before.
Last year, I explored the possibilities and risks Apple faced in opening its platform in a series of articles. One of the greatest problems Apple could solve in delivering software through iTunes, I suggested, would be to give developers a real marketplace where they could sell their apps at low prices and still make money. Currently, mobile developers either have to give away their work, or offer it at a high price. That’s because they are only likely to sell a few hundred copies to the minority who will pay pretty much anything, while the rest of the mobile user population simply steals cracked versions.
Software developers suffer from piracy as much or more as recording artists. While there is a large business behind physical music sales, software is easier to find online than in retail stores, particularly mobile software. In iTunes, Apple began testing mobile electronic distribution with iPod Games. Not only are the games signed by Apple, but they’re also wrapped in a version of FairPlay that associates the game files with the user who bought them. While it’s still possible to steal them, it’s more convenient for most users to throw down the $5 to obtain the game they want.
All iPhone apps will similarly be wrapped by FairPlay, again making it easier for users to buy a legitimate copy than to find a stolen version. This will result in two positive effects: first, developers will be able to price their software lower to entice volume purchases. Second, users buying software will get a better overall experience, with automatic update notifications and records of their purchases. They can also expect better customer service, because they’ll be dealing with happy developers that know they’ve been paid rather than threadbare merchants who realize that most of the users demanding support haven’t contributed anything to use their software.
Something Old, Something New.
While Apple certainly isn’t the first company to begin working on code signing–Microsoft has been pushing Authenticode in Windows, Nokia began the Symbian Signed program for some mobiles in 2005, and RIM uses code signing for BlackBerry apps that make use of certain APIs–the iPhone marks the first time a highly visible, significant consumer computing platform has launched with a mandatory code signing program intact across the board.
Outside of general computing, the idea of code signing is far less novel. Every modern video game console unit uses code signing to force developers to pay licensing fees. The practice appears to have been invented by Nintendo, which began using a simple, physical equivalent to code signing–a lockout chip called the 10NES–to force games developers into the terms of its licensing contract. Without paying to license the “Nintendo Seal of Quality” and following Nintendo’s strict rules, third parties couldn’t obtain the 10NES chip to insert in their cartridges, and therefore couldn’t release games for the NES console.
Later generations of games consoles used a boot ROM routine to digitally verify that games on cartridge or optical media had paid their licensing dues. Apple’s iPod Games sold through iTunes also use a digital signing system to make it difficult to pirate the games, modify them, or create homebrew versions. However, Apple’s business model for digitally downloaded iPod games and iPhone apps is nearly opposite that of the console makers.
Nintendo, Microsoft, and Sony all sell hardware at or near a manufacturing loss and use software licensing to bring in their main revenues. Apple sells its iPod and iPhone hardware at a profit, and has announced the intention to operate software sales at just above breaking even. That’s why game console hardware costs as little as possible, yet games themselves cost $30 to $70 each. Apple’s hardware is more expensive, but iPod games cost $5, and most iPhone software titles are expected to be priced under $20.
Video Game Consoles 2007: Wii, PS3 and the Death of Microsoft’s Xbox 360
How Much Does it Cost Developers?
In addition to the retail prices that consumers face, there are big differences in costs to developers. The complex and unique nature of developing for the latest games consoles results in significant expenses for developers. Last fall, Sony slashed its fees for the PlayStation 3 SDK in half… to $10,250. Sony has to charge a lot because its SDK involves custom hardware and the package is only shared among the limited number of developers working on console titles.
Even so, the costs of the SDK are a trivial amount of overall development costs. San Francisco’s Ubisoft spent $12.75 million developing the game Red Steel, for example. THQ president Brian Farrell estimated that Wii development costs are around a quarter to half of that required for PlayStation 3 or Xbox 360 development, suggesting that a game like Red Steel would cost $24 to $48 million for those platforms. Suddenly $10,250 for an SDK doesn’t sound like much.
The Nintendo Wii development tools are among the cheapest of any game console, but still cost $2,000 to $10,000, depending on the size of the developer. Nintendo notes that “becoming an Authorized Developer does not mean any game you develop will be published. If your company is developing a Wii disc-based game, it is your responsibility to secure your own agreement with a Wii Licensee.” Developing for the Nintendo DS costs a similar amount.
In contrast, Apple’s iPhone 2.0 SDK uses the same tools and hardware as Mac development, and those tools are already mature and familiar to a wide audience. Apple’s economies of scale, combined with the similarities between Cocoa development on the Mac, iPod touch, and iPhone, makes it easy for Apple to offer the new SDK for free to anyone who wants to download it; in four days, 100,000 users signed up to obtain the beta.
Unlike the game console makers, Apple’s new SDK is really only an extension of its desktop platform. Any modern Intel Mac can run the development software, and the hardware itself only costs $399 to obtain for hardware testing. Anyone that can develop for the Mac can create iPhone software. In order to actually publish their work, developers will need to pay $99 to obtain a certificate, or alternatively, they’ll have to find another developer to sign their work for them. Developing games for the iPhone won’t incur the huge multimillion dollar risk for developers that console gaming does.
Mobile Development In Comparison.
How do Apple’s familiar, desktop-class development tools for the iPhone compare to other smartphone development programs? Only Microsoft offers a mobile development platform that similarly resembles its desktop environment. RIM, Palm, and Symbian are all highly unique development environments that require a lot of specialized development experience.
There are other differences as well. Mobile platforms, including Sun’s Java ME, Google’s Android, Palm, Symbian, RIM BlackBerry, and Microsoft’s Windows Mobile all attempt to deliver tools to accommodate a wide range of hardware with different features and capabilities. That leaves developers to either target a limited number of high end devices or a wide lowest common denominator profile. Apple currently has the advantage of targeting a limited scope of hardware that already has a significant installed base; both the iPhone and iPod touch are very similar devices from the same maker.
When Apple announced its terms for developers under the iPhone 2.0 SDK, critics immediately shot off about how expensive it was for Apple to charge $99 for a signing certificate and take a 30% revenue share of apps delivered through the iPhone’s App Store. Here’s how those plans compare to what’s already in place:
RIM BlackBerry Certificates.
RIM charges $100 for each code signing certificate application. There are three sets of restricted APIs on the BlackBerry, and each requires a certificate bundled in a set the developer receives. Those certificates are bound to a single machine, so each developer in a company will need their own certificate or share a system. Signing code cannot be automated, as it requires a user to type in a secret key at each build. The machine must also be connected live to the Internet during the signing process, and RIM’s servers must be up and responding in order for the process to work.
BlackBerry Code Signing Tips | Eric Giguere’s BlackBerry Developers At Work!
Nokia, Sony Ericsson, NTT DoCoMo, and other Symbian partners, which collectively make up the vast majority of phones sold worldwide, are bound together by the Symbian Signed program, which went into effect with phones using Symbian OS 9.1 or later. There are several levels to the program.
Symbian calls its signing certificate a Publisher ID; it costs $200 and now lasts for three years (recently extended from six months). Without obtaining a Publisher ID, developers can generate their own private key to sign apps, but those self-signed apps can only run on a single phone and so can’t be distributed. This is called “Open Signed,” and is intended only for testing or personal use.
In order to distribute their apps, developers have to obtain their own Publisher ID or arrange to share the use of another publisher’s. The Symbian Signed Publisher Partners program provides a signing service for freeware or open source developers who do not have a Publisher ID but want to distribute signed applications.
According to Symbian’s website: “Typically, the partner signs and publishes the application on behalf of the developer in return for privileged distribution rights; for example, exclusive distribution. Similar services are available for shareware developers without a Publisher ID, typically in return for a share of the sale proceeds. Freeware, open-source, or shareware developers who prefer to publish their own software will need a Publisher ID.”
The middle tier “Express Signed” program charges Publisher ID holders an additional $20 every time they sign a new app. In order to access the full features of the system, developers have to join the top tier “Certified Signed” program, which involves additional fees from 200-500 Euro ($310 – $780 US) charged by an independent test house for each app. Symbian developers have to pay these fees with each new release of their applications.
Qualcomm BREW Certificates.
Primarily associated with rented, downloadable games from Verizon Wireless, BREW development requires obtaining a certificate package from VeriSign. The minimum package to sign 100 applications is $400; a 500 package is $895, and a 1000 sign package is $1295. VeriSign notes that “you must apply for, pick up, and install your VeriSign Authentic Document ID on the same computer with the same version of Microsoft Internet Explorer.”
Apple iPhone 2.0 SDK: the Kindest 30% Cut.
That leaves Apple’s program the cheapest and the simplest secure mobile software platform. There is currently no expensive, compulsory testing program, no significant upfront investment in digital certificates, and the certificates work outside of a Windows PC. Outside of certificates, Apple also offers a number of other things that are unique among mobile platforms that have mandatory code signing programs.
The first is its iTunes App Store system for distributing third party applications. Once you’ve paid the $99 fee, you can sign and upload apps into iTunes just as labels upload their music into iTunes. Apple takes a 30% cut, which pundits again tried to dramatically gasp at, apparently unaware that most mobile software stores take as much or more while offering developers a lot less.
Take Danger, which offers an app store most similar to the system Apple outlined. It takes a 50% cut. Microsoft recommends Windows Mobile developers list with Handango, which also offers Palm, Symbian, and BlackBerry software. It takes a 40% cut from small developers (and plans to raise things to 50% this month) but doesn’t present any direct purchase or directory across Windows Mobile, Palm, BlackBerry, or Symbian phones. Larger developers are supposed to pay Handango 60 to 70% of their software revenues!
Nokia’s Software Market/Content Discoverer and Motricity’s Smartphone.net both take a 40% revenue cut, with some transactions giving the developer only 50% and/or charging them an additional 5% fee for ‘non-real time fulfillment.’ Nokia pays developers quarterly, rather than every month as Apple outlined.
Other shareware listing sites offer to present titles for less, even for free. However, users don’t know to shop around for software titles. Google for popular mobile titles, and you don’t find lots of free listing services, you find torrents for stealing the software. Earning 70% of tens of thousands of $5 sales is a much better deal than earning 50% of a few dozen $20 titles, or 100% of a handful of sales at $50.
While Microsoft, Symbian, RIM, and others scramble to offer their own software stores that can match iTunes, it will all be too little, too late. Apple has the cohesive platform grabbing the most attention, the most familiar and modern developer tools, and the most trusted consumer software store. By offering developers guaranteed sales and sustainable profits at a low cost of entry, no smartphone vendor is going to be able to match the sophistication of apps that sprout up around the iPhone.
So how does the iPhone hardware compare with other handheld devices on the market? The next article takes a look.
More on the iPhone 2.0 SDK
iPhone 2.0 SDK: The No Multitasking Myth
iPhone 2.0 SDK: Java on the iPhone?
iPhone 2.0 SDK: How Signed Certificates Work
iPhone 2.0 SDK: Video Games to Rival Nintendo DS, Sony PSP
iPhone 2.0 SDK: Readers Write on Certificate Signing