BlackBerry Forums Support Community               

Closed Thread
 
LinkBack Thread Tools
Old 01-21-2009, 01:49 PM   #21 (permalink)
Knows Where the Search Button Is
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: sprint
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Please Login to Remove!

Quote:
Originally Posted by daphne View Post
Ok, let me rephrase that. There are no current known viruses for BlackBerrys. There are a couple of spy applications, but not viruses/trojans. The spy applications can be installed if someone has access to the device.

.....

The BlackBerry OS APIs ane security features are locked down very tight
mking it very hard to hack or infect, and none of the known mobile viruses to date can infect a BlackBerry.
I hate to argue the point but imo there is a huge difference between being unable to infect a device and a device not being infected as much as others. That appears to be the case. One of the articles you quoted even cited one big reason for the Symbian hacks was most phones run on it. The same could be easily said for Vista/XP in the pc world compared to all others. Just because an OS is attacked more than others doesn't necessarily mean it's more vulnerable than others - it could mean the hackers are just going for the biggest splash.

Unless you can point me to something specific, there isn't anything about the BB OS that makes it any less vulnerable to attack. One of the articles you included talked about a game or utility program in China that infected many phones and used the phones to send information to the coder. What exactly about the BB OS would prevent that from happening? Is it impossible to code a program that sends messages?

I think it can be done just as easily as it can be done on the other platforms. I just think it's a matter of coders going for the larger market. I'd say you have more success getting your virus infected game installed on Win Mobile than BB.

The only other possibility besides the user downloading and installing the virus would be infection via simple web browsing. This is where the device / OS could make it's name as being superior to others but as far as I know there aren't any stats on this.
Offline  
Old 01-21-2009, 09:10 PM   #22 (permalink)
BBF Spam Killer Moderator
 
daphne's Avatar
 
Join Date: May 2007
Location: on a sunny beach
Model: Z
OS: 10.2.1.12
PIN: X1ZPY34K
Carrier: VZW
Posts: 9,165
Post Thanks: 122
Thanked 146 Times in 116 Posts
Default

Not being a coder of developer myself, I can't explain the BlackBerry OS technology, however look at these statistics on market share of mobile devices. They are from q 3 2007, but you can see BlackBerry has a much larger market share than Symbian and a slightly larger share than Windows Mobile. The Symbian slice of that pie is small.

Smartphone marketshare showdown in 2008: iPhone vs. Windows Mobile vs. BlackBerry | Tech Sanity Check | TechRepublic.com

The reason there are no stats on the BlackBerry being infected via web browsing is that it has not happened.
__________________
Report spam text messages to 7726
#BlackBerry by choice #BlacBerry 10 is here!
Offline  
Old 01-22-2009, 06:57 AM   #23 (permalink)
Whoever
 
audit's Avatar
 
Join Date: Apr 2005
Location: Michigan
Model: xxxx
Carrier: AT&T
Posts: 1,216
Post Thanks: 37
Thanked 0 Times in 0 Posts
Default

For the love of god, PLEASE show me where a Blackberry has EVER been infected with anykind of malware or virus. Yes there are spy programs out there but they MUST BE INSTALLED ON THE DEVICE MANUALLY. You can NOT go to a webpage, no matter how it's coded and it will install it without prompting the user first. I've seen first hand MANY Windows Mobile devices crash because of malware and badly coded websites.

It the device isn't so secure then why is it the number 1 device for the US Government? They check these things out much deeper then any carrier does before the certify them.
__________________
audit

Win or Lose... Everyone Has Their Fight
Offline  
Old 01-22-2009, 08:01 PM   #24 (permalink)
Knows Where the Search Button Is
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: sprint
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by audit View Post
For the love of god, PLEASE show me where a Blackberry has EVER been infected with anykind of malware or virus. Yes there are spy programs out there but they MUST BE INSTALLED ON THE DEVICE MANUALLY. You can NOT go to a webpage, no matter how it's coded and it will install it without prompting the user first. I've seen first hand MANY Windows Mobile devices crash because of malware and badly coded websites.

It the device isn't so secure then why is it the number 1 device for the US Government? They check these things out much deeper then any carrier does before the certify them.
Maybe you should step back, take a breath, and define a few things for me.

You say that a BB has never been infected with a virus yet you say that spyware must be installed. This implies that a virus is put on a device via means other than install. If so, how does a WM device get infected with a virus without the user doing an install. If not, then why do you try point out a difference between a virus being installed or not being installed? Unless you realize that a virus can be installed on both if the user allows it which makes both equally susceptable.

You also mention WM devices "crash" due to a website but I'm not sure why you think a crash is a virus or malware. AFAIK the topic at hand was vulnerability to attack and not stability. If you want to talk stability then I will give up now and give you that but I'm sticking with vulnerability right now.

Also with a little searching I found something that implies WM is certified for government work. It's like I said before (but maybe not here), when managed by a corporate server, both BB and WM devices can be equally secure if the person who manages them takes all the necessary precautions. Both offer the same level of encryption on the data being transmitted, both can be wiped remotely, and both can be password protected. So I fail to see why one is vastly superior when both employ the same protection techniques.

I have no doubt that a BB is secure but I think there is too much hype about it being overly secure to something like WM. From what I read on both RIM and MSFT's websites on their enterprise solutions, they offer the exact same protection. So when someone implies that BB is vastly superior it makes me wonder what I'm missing - or what RIM isn't advertising. I assume if they had such a huge lead over everyone else they'd put it right on the website for everyone to see.

As near as I can tell, the BES and the WM equivalent offer all the same security options.
Offline  
Old 01-22-2009, 08:10 PM   #25 (permalink)
Knows Where the Search Button Is
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: sprint
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by daphne View Post
Not being a coder of developer myself, I can't explain the BlackBerry OS technology, however look at these statistics on market share of mobile devices. They are from q 3 2007, but you can see BlackBerry has a much larger market share than Symbian and a slightly larger share than Windows Mobile. The Symbian slice of that pie is small.

Smartphone marketshare showdown in 2008: iPhone vs. Windows Mobile vs. BlackBerry | Tech Sanity Check | TechRepublic.com

The reason there are no stats on the BlackBerry being infected via web browsing is that it has not happened.
That lists just North America. I think the article I first read said that the very first mobile phone virus was written to target Symbian because it was the most popular, and it started in Europe.

I have never managed a BES server but just from my own experience with corporate email I know that we have really good email filters to keep spam out. I would guess that BES does the exact same thing. Cutting down on "Click here for a free game" emails goes a long way to stopping infections. I'm also guess that something exists to make sure that the corporate phones can not text or can only text to other members of the network, which would also cut down on the infections.

The thing that I keep saying but no one likes to hear is that you can do those exact same things in a corporate world with WM phones.

I'd love to see something that excludes all corporate phones. IMO it's the consumer phones that are getting infected and the only fair comparison is to lump consumer with consumer. A comparison of corporate only would be nice if they made sure that each corporation used the same security options. Else there is too much apples and oranges going on.
Offline  
Old 01-22-2009, 11:23 PM   #26 (permalink)
BBF Spam Killer Moderator
 
daphne's Avatar
 
Join Date: May 2007
Location: on a sunny beach
Model: Z
OS: 10.2.1.12
PIN: X1ZPY34K
Carrier: VZW
Posts: 9,165
Post Thanks: 122
Thanked 146 Times in 116 Posts
Default

Quote:
You say that a BB has never been infected with a virus yet you say that spyware must be installed. This implies that a virus is put on a device via means other than install. If so, how does a WM device get infected with a virus without the user doing an install. If not, then why do you try point out a difference between a virus being installed or not being installed? Unless you realize that a virus can be installed on both if the user allows it which makes both equally susceptable.
Spyware and viruses are 2 very different things. There is a spyware program called Flexi-spy and a program that allows someone to read all sms messages online. Those 2 programs have to be installed manually on a BlackBerry and given permissions as well.

Viruses are file infectors -- they add malicious code to existing files and replicate themselves to spread. There are no viruses for the BlackBerry. Viruses and worms can spread in many ways without any user interaction. The Windows operating system has many known security vulnerabilities (a huge understatement) -- that's why Microsoft releases security patches every month. Windows Mobile devices run on a Windows based operating system that also has vulnerabilities.

BlackBerry's operating system is coded such that is is locked down very tightly, so that malicous code cannot inflitrate it, much like Linux operating systems on computers. Code that runs on the Windows OS will not run on Linux or Macs, and will not run on BlackBerrys.

I have gone to websites wiith known exploits for Windows on my BlackBerry. Nothing happens -- the sites won't load in the browser and sometimes I've gotten "unknown file type" . I've clicked on links to trojan malware... malicous executables on my BlackBerry and all that happens is an error message. I've tried to save malicious executables to my BlackBerry and they won't save and they won't run.

When the first BlackBerry virus, worm, trojan, or exploit is found it will make big news. Thus far none have been found.
__________________
Report spam text messages to 7726
#BlackBerry by choice #BlacBerry 10 is here!
Offline  
Old 01-23-2009, 08:57 PM   #27 (permalink)
Knows Where the Search Button Is
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: sprint
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I'm still not sure how you think a WM device is infected. I assume we can eliminate a user who installs a virus because that can happen on any device. So it sounds like you think a WM device can be infected by just hitting a web site which I can't find a record of, at least not recently.

A virus cannot magically install itself on any device. It needs someone to open the door (install) or it needs an open window like a listening service. The classic examples are IIS for web servers and SQL or database servers which are created to just listen for commands. I'm just not seeing these "many known security vulnerabilities".

Related to the topic, it seems that the top rated security devices are based on Windows CE but it does say that both BB and WM are able to work with "sensitive, but unclassified" data. If WM were so bad I'm not sure why it would be put in the same boat by the government as BB, unless what I'm saying has some truth to it and both can be made secure through proper administration. Or maybe I'm wrong.
Offline  
Old 01-23-2009, 09:33 PM   #28 (permalink)
BBF Spam Killer Moderator
 
daphne's Avatar
 
Join Date: May 2007
Location: on a sunny beach
Model: Z
OS: 10.2.1.12
PIN: X1ZPY34K
Carrier: VZW
Posts: 9,165
Post Thanks: 122
Thanked 146 Times in 116 Posts
Default

I think this will help explain.

Viruslist.com - Three Criteria for Malware Existence

Near the bottom of the page:
Quote:
For instance, most mobile phone vendors do not share this information, leaving both legal vendors and hackers helpless. On the other hand, some vendors of smart phones do publish their documentation. The first viruses for Symbian (Worm.SymbOS.Cabir.a) and Windows CE (WinCE.Duts.a) appeared shortly after the documentation was published in mid-2004.

The architecture of a well-built (constructed designed) OS or applications needs to take security into account. A secure solution does not allow new or unsanctioned programs extensive access to files or potentially dangerous services. This leads to difficulties, as a fully secure system, will block not only malware, but 'friendly' programs as well. As a result, none of the widely available systems can be called truly secure.

Java machines that launch Java applications in 'sandbox' mode come close to achieving secure conditions. As a matter of fact, there have been no viruses or Trojans which pose a serious threat written in Java for a long time, though non-viable proof of concept malware does occasionally appear. Malware written in Java appeared only when vulnerabilities in Java Virtual Machine security were discovered and publicized.
About the two mobile viruses mentioned:
Viruslist.com - Worm.SymbOS.Cabir.a

Runs on Windows CE:
Viruslist.com - Virus.WinCE.Duts.a

The BlackBerry platform runs on Java. Refer to the last paragraph in the quoted article.
__________________
Report spam text messages to 7726
#BlackBerry by choice #BlacBerry 10 is here!
Offline  
Old 01-23-2009, 10:58 PM   #29 (permalink)
BBF Spam Killer Moderator
 
daphne's Avatar
 
Join Date: May 2007
Location: on a sunny beach
Model: Z
OS: 10.2.1.12
PIN: X1ZPY34K
Carrier: VZW
Posts: 9,165
Post Thanks: 122
Thanked 146 Times in 116 Posts
Default

Some info from RIM about BlackBerry security. This explains why an email attachment can't infect a BlackBerry.

View Document

Quote:
The BlackBerry Attachment Service is designed to prevent malicious applications from accessing data on the BlackBerry smartphone by using binary format parsing to open attachments and prepare them to be sent to the BlackBerry smartphone. The BlackBerry smartphone does not run an application sent as an attachment in an email message. Therefore, an email attachment cannot be used to successfully deliver Trojan horse applications to a BlackBerry smartphone user.

White paper:
Livelink - Redirection

Page 10 explains how RIM controls the APIs.

Quote:
Using code signing to limit access to BlackBerry device application data RIM does not inspect or verify third-party Java applications that run on BlackBerry devices; however, RIM controls the use of BlackBerry device APIs that include sensitive packages, classes, or methods to prevent unauthorized applications from accessing data on the BlackBerry device. Each third-party Java application requires authorization to run on the BlackBerry device. MIDlets cannot access the memory of other application or access the persistent data of other MIDlets unless they are digitally signed by the RIM signing authority system.

Before you or a BlackBerry device user can run a third-party Java application that uses the RIM controlled APIs on the BlackBerry device, the RIM signing authority system must use public key cryptography to authorize and authenticate the application code. The third-party Java application developer must visit BlackBerry to register with the RIM signing authority system for access to the controlled APIs and use the BlackBerry Signature Tool, which is a component of the BlackBerry JD to request, receive, and verify a digital code signature from RIM for the application. Third-party Java application developers who create controlled access third-party APIs can act as a signing authority for those APIs. The application developer can download and install the BlackBerry Signing Authority Tool to allow other developers to register for access to the application developerís controlled APIs. Registered developers can use their BlackBerry Signature Tool to request, receive, and verify digital code signatures from the application developerís BlackBerry Signing Authority Tool for their applications. See the BlackBerry Signing Authority Tool Administrator Guide for more information about code signing and third-party Java applications.
__________________
Report spam text messages to 7726
#BlackBerry by choice #BlacBerry 10 is here!
Offline  
Old 01-26-2009, 09:10 AM   #30 (permalink)
Knows Where the Search Button Is
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: sprint
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Let me try to summarize my point with some quotes. First, I like this quote on how to build a good architecture.

Quote:
The architecture of a well-built (constructed designed) OS or applications needs to take security into account. A secure solution does not allow new or unsanctioned programs extensive access to files or potentially dangerous services. This leads to difficulties, as a fully secure system, will block not only malware, but 'friendly' programs as well. As a result, none of the widely available systems can be called truly secure.

Java machines that launch Java applications in 'sandbox' mode come close to achieving secure conditions. As a matter of fact, there have been no viruses or Trojans which pose a serious threat written in Java for a long time, though non-viable proof of concept malware does occasionally appear. Malware written in Java appeared only when vulnerabilities in Java Virtual Machine security were discovered and publicized.
I think the key here is "there have been no viruses or Trojans which pose a serious threat written in Java for a long time, though non-viable proof of concept malware does occasionally appear". This does not say ever, or that it cannot happen. It also goes on to say that malware was created after vulnerabilities in the JVM were published, which seems to be the same road for MSFT (both pc and mobile) malware.

Now, against that information, I'd like to include this quote on how many view the BB security features.

Quote:
For the love of god, PLEASE show me where a Blackberry has EVER been infected with anykind of malware or virus. Yes there are spy programs out there but they MUST BE INSTALLED ON THE DEVICE MANUALLY. You can NOT go to a webpage, no matter how it's coded and it will install it without prompting the user first. I've seen first hand MANY Windows Mobile devices crash because of malware and badly coded websites.

It the device isn't so secure then why is it the number 1 device for the US Government? They check these things out much deeper then any carrier does before the certify them.
This is what I'm arguing against. It's this and the purely anecdotal argument that goes along the lines of "if there isn't any virus reported to date then it's impossible to infect". It's similar to the argument that Linux must be superior to Windows OS security because the volume of viruses is larger (and not maybe because the hackers are targeting the larger audience).

Against that I'd like to quote this which I think says what I've been trying to say about how both can be secure if you put forth an effort.

Quote:
President Obama is keeping his BlackBerry, according to the White House press office. While he'll be able to keep in touch with some personal friends using the device, if he wants to do secret government business he'll need one of two Windows CE smartphones: the Sectera Edge or the L3 Guardian.

The Edge and the Guardian are the result of an $18 million, NSA-sponsored program to develop a top-secret smart phone, according to Randy Siegel, Microsoft's lead enterprise mobility strategist.

Most BlackBerrys and Windows Mobile devices can work with "sensitive, but unclassified" data, according to Tom Liggett, the Sectera Edge product manager at General Dynamics. Those smart phones work with the FIPS 140-2 standard, which encrypts both data traffic and voice calls to a certain extent. And there are a lot of government functions, even in war, that aren't classified. In Iraq, for instance, FIPS 140-2-certified Windows Mobile devices are used for battle triage, roadside bomb detection, and even as sniper aids, Siegel said.

-- cut --

The Edge runs Windows CE, not Windows Mobile. Windows CE is the underlying kernel of Windows Mobile, but the Edge has more secure applications lying on top than the standard Windows Mobile suite. It can still do most of the things Windows Mobile devices do, Liggett said, including push email with Microsoft Exchange servers, playing media through Windows Media Player and editing Microsoft Word documents. (Yes, the government uses Microsoft Exchange, apparently.) Defense department users wanted something that looked like their Windows PCs, Liggett said.
All I'm trying to say is that some of the arguments I've seen are emotional and anecdotal. While a BB virus may not exist that doesn't mean that it's even been tried. People used to think Apple was immune until some hacker got fed up and gave it a try.

Also you can flip the WM argument the other way. More MSFT viruses may exist because more MSFT OS devices exist. Just because it's MSFT don't automatically think it's all bad. If the government sees fit to put BB and WM into the same security classification, and even put Win CE beyond those two into the ultra secure mobile device, it must mean that there is something, just a little something, that MSFT is doing right with security. Unless we want to say the government was totally stupid in their choosing the Win CE and WM phones being used today and that seems like a political topic.

Perhaps I am coming across as being too biased so I'll just let this be my last post on the topic as to not upset people more.
Offline  
Old 01-26-2009, 01:02 PM   #31 (permalink)
Knows Where the Search Button Is
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: sprint
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

OK, I'm pathetic. I couldn't help but keep thinking about this quote below. While having RIM control what can or cannot be installed on your device will limit the number of applications that you have available (compared to a device which doesn't have such rules), I admit this is a great way to be secure. However I'm not sure that is very different from any other device that requires digital signatures from reliable sources.

Quote:
Using code signing to limit access to BlackBerry device application data RIM does not inspect or verify third-party Java applications that run on BlackBerry devices; however, RIM controls the use of BlackBerry device APIs that include sensitive packages, classes, or methods to prevent unauthorized applications from accessing data on the BlackBerry device. Each third-party Java application requires authorization to run on the BlackBerry device. MIDlets cannot access the memory of other application or access the persistent data of other MIDlets unless they are digitally signed by the RIM signing authority system.

Before you or a BlackBerry device user can run a third-party Java application that uses the RIM controlled APIs on the BlackBerry device, the RIM signing authority system must use public key cryptography to authorize and authenticate the application code. The third-party Java application developer must visit BlackBerry to register with the RIM signing authority system for access to the controlled APIs and use the BlackBerry Signature Tool, which is a component of the BlackBerry JD to request, receive, and verify a digital code signature from RIM for the application. Third-party Java application developers who create controlled access third-party APIs can act as a signing authority for those APIs. The application developer can download and install the BlackBerry Signing Authority Tool to allow other developers to register for access to the application developerís controlled APIs. Registered developers can use their BlackBerry Signature Tool to request, receive, and verify digital code signatures from the application developerís BlackBerry Signing Authority Tool for their applications. See the BlackBerry Signing Authority Tool Administrator Guide for more information about code signing and third-party Java applications.
On the other hand, MDM for WM appears to allow a company to totally limit what can be installed on a device, much the same way a company can do the same with something like a laptop. So if the goal is to protect the device and prevent the user from installing a virus I would think this an impressive protection option availble for WM. Of course a company has to choose to USE that feature.

Quote:
Mobile Device Manager gives IT enterprise control over what software can be installed and run on Windows Mobile 6.1 devices within a companyís mobile network. This helps the devices run faster and also keeps malware from getting onto a device or into the network. IT can also easily lock down communications and camera functionality, helping to ensure that a company maintains compliance.
From what I've read the MDM provides a lot of similar if not identical security methods that the BES provides. It's just a matter if a company uses those methods.

A vulnerability gap may exist between the two but I'm not so sure it's as extreme as perceived.

No really. I'll let it go this time. I think.
Offline  
Old 01-26-2009, 01:52 PM   #32 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2008
Model: Atrix
OS: 2.2.2
Carrier: AT&T
Posts: 95
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I've been following this thread because I think the topic is very interesting, and I have to say a good case has been made on both sides. I have to agree with pretzelb, that there seems to be sufficient evidence to show that both BlackBerry and Windows Mobile devices can be equally secure if they are set up and handled properly.

I think Windows Mobile typically gets a bad rep because of the open source applications they allow. In many cases, it is up to the user to research and decide if an app is safe to use or not. But, I don't think this has to do with the potential security of the device; the user would be responsible for any such action. These instances would then not go under the "if set up and handled properly" category.
__________________
I would rather be rock climbing
Offline  
Old 01-26-2009, 08:54 PM   #33 (permalink)
BBF Spam Killer Moderator
 
daphne's Avatar
 
Join Date: May 2007
Location: on a sunny beach
Model: Z
OS: 10.2.1.12
PIN: X1ZPY34K
Carrier: VZW
Posts: 9,165
Post Thanks: 122
Thanked 146 Times in 116 Posts
Default

Quote:
On the other hand, MDM for WM appears to allow a company to totally limit what can be installed on a device, much the same way a company can do the same with something like a laptop. So if the goal is to protect the device and prevent the user from installing a virus I would think this an impressive protection option availble for WM. Of course a company has to choose to USE that feature.
The BES admin can also totally control a BlackBerry and its security. Page 4 -15 of this PDF that I quoted from previously.

Livelink - Redirection
__________________
Report spam text messages to 7726
#BlackBerry by choice #BlacBerry 10 is here!
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On





Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.