
No Tizen smartphone viruses reported

News this week that Samsung has launched its first two Tizen handsets in India was greeted with mild curiosity by the smartphone industry, and naturally how it tackled the various issues faced by the existing platforms was of interest.

In a not entirely tongue-in-cheek tone, one observer pointed out that at least it doesn't have any smartphone viruses aimed at it - yet. This got us thinking - just what is the security model for Tizen like? Surely it can benefit from the experience of the existing systems and take the best approaches from them, since it is quite literally starting with no legacy baggage.

Apps need two signatures

A very interesting feature is that unlike Android, which requires just one signature (the developer) to sign its Apps, Tizen needs two - the author and the distributor. This in theory can allow multiple authorized App stores, whilst combating malware by forbidding sideloading totally. In practice, this looks to be aimed at the carriers, since each could have an app store serving their customers only.

Web Apps are first class

Tizen features 3 kinds of Apps: native, web application and hybrid. They are collectively installed as packages. The web application package type is based on the W3C widget packaging specification, and is delivered as a zip file with the extension .wgt. This is also how the new FirefoxOS works, so from the off you have an app compatibility level across two fledgling mobile operating systems. Hybrid/native apps have the extension .tpk.
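The two-signature rule and the zip-based .wgt format described above can be checked structurally, as in this added example (not from the original article and not Tizen's own code). It assumes the signature file names from the W3C widget signature specification (`author-signature.xml`, `signature1.xml` and so on), uses a constructed sample package, and does no cryptographic verification.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DS = "{http://www.w3.org/2000/09/xmldsig#}"
AUTHOR_SIG = "author-signature.xml"                        # name per W3C widget signatures
DISTRIBUTOR_SIG = re.compile(r"^signature[1-9][0-9]*\.xml$")

def referenced_files(zf, sig_name):
    """Return the package-relative files that a signature's References cover."""
    root = ET.fromstring(zf.read(sig_name))
    uris = (ref.get("URI", "") for ref in root.iter(DS + "Reference"))
    return {unquote(u) for u in uris if u and not u.startswith("#")}

def audit_wgt(data):
    """Structural audit only: which signatures exist and which files they miss."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
        dist = sorted(n for n in names if DISTRIBUTOR_SIG.match(n))
        content = names - set(dist) - {AUTHOR_SIG}
        report = {"author": AUTHOR_SIG in names, "distributor": dist, "uncovered": {}}
        for sig in ([AUTHOR_SIG] if report["author"] else []) + dist:
            expected = set(content)
            if sig != AUTHOR_SIG and report["author"]:
                expected.add(AUTHOR_SIG)   # distributor also signs the author signature
            missing = sorted(expected - referenced_files(zf, sig))
            if missing:
                report["uncovered"][sig] = missing
    report["ok"] = report["author"] and bool(dist) and not report["uncovered"]
    return report

def _sig(uris):
    """Constructed signature skeleton: References only, no digests or key material."""
    refs = "".join(f'<Reference URI="{u}"/>' for u in uris)
    return ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
            f"<SignedInfo>{refs}</SignedInfo></Signature>")

def build_sample(extra_file=False):
    """Constructed sample .wgt; extra_file simulates a file added after signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.xml", "<widget/>")
        zf.writestr("index.html", "<html></html>")
        zf.writestr(AUTHOR_SIG, _sig(["config.xml", "index.html"]))
        zf.writestr("signature1.xml", _sig(["config.xml", "index.html", AUTHOR_SIG]))
        if extra_file:
            zf.writestr("js/extra.js", "// added after signing")
    return buf.getvalue()
```

A package that passes this audit still needs its digests and certificate chains verified before the signatures mean anything.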

All Tizen apps run as non-root, including the daemons, and they can only read and write files in their home and shared media directories.

Tizen provides API level access control. This can be qualified by the signature type, so there are classes of API available only to, for example, the carrier. Tizen supports per-app permission settings - this is much finer grained than Android's "all or nothing" approach. Permissions can be changed by the user after installation, so they can say, for example, "I no longer want this app to access my contacts, even though I said it could when I installed it".


SMACK (Simplified Mandatory Access Control Kernel) is a rule-based policy enforcement mechanism which Tizen supports. This powerful technique allows security policies such as "don't access the media player between midnight and 6.00am".

The "Content Security Framework" basically offers a set of hooks into apps in a secure way which allows them to scan for any patterns of interest - for example, to scan for URLs the app accesses in order to compare against a blacklist. This means PC-style 3rd party anti-virus systems are not only allowed but positively encouraged.

The Tizen App store

Samsung will moderate its own Tizen App store in a similar way to Apple, i.e. humans approve the apps. It has categorically stated the turnaround time will never take more than 3 days; only time will tell whether it keeps that promise.

Despite the relative newness of these Tizen handsets, anti-virus solutions are already appearing. Arxan has announced its EnsureIT on-device security system providing defense, integrity and the auto-updating of malware signatures, and it's a safe bet the big boys won't be far behind either.