WRT 1.0 and later support the following security policy.
The security management of widgets running on S60 mobile devices is based on a sandbox security model. Specifically:
Widgets do not need to be signed.
All widgets are currently considered untrusted by the device platform. This means that access to platform services (such as user data) is controlled and that mobile device users must grant permission before a widget can access network services.
Widgets access the network through the Web Browser for S60.
Widgets access S60 platform services through scriptable plugins or Javascript Service APIs (see below for a list of plugins and Service APIs). For WRT 1.0, the Web Runtime controls access to platform services through the Web Browser for S60. Starting in WRT 1.1, the Web Runtime utilizes a common component called the Runtime Security Manager to enable access control to platform services. For more information, see section Runtime Security Manager.
The Javascript Service APIs are:
AppManager Service API (see Accessing and launching installed applications)
Calendar Service API (see Accessing and managing calendar information)
Contacts Service API (see Accessing and managing information about contacts)
Landmarks Service API (see Accessing and managing information about landmarks)
Location Service API (see Accessing device location information)
Logging Service API (see Accessing device logs)
Media Management Service API (see Accessing information about media files stored on a device)
Messaging Service API (see Accessing messages and using messaging services)
Sensor Service API (see Accessing data from the physical sensors of a device)
SystemInfo Service API (see Accessing and modifying system information)
The plugins are:
SystemInfo scriptable plugin (see Accessing system information and controlling device features
Browser Audio Video plugin