Trusting 3rd Party BlackBerry Apps: What Can They Do?

13 Comments

what hat hacker

BlackBerry Cool has been asking me about what BlackBerry apps can do and recently the notion of malicious applications has come up. In this article, I address what third party apps can do, and how it relates to the safety of your personal data.

The first area to look at are you emails. Emails can contain very private personal information including username/password combinations and if the user isn’t diligent, credit card information. It is possible to listen for incoming messages and pull out their contents, so you should always be cautious of any app looking to alter email permissions. I would have to look more into whether an app can read all of your existing messages that were already on your device before the app was installed. I can’t think of a good use case for this so I obviously haven’t tried it myself.

Username and Password information are commonplace with third party apps. As for stealing 3rd party passwords, it all depends on how the 3rd party app/service is storing things on the device. For example, a developer can listen to framework calls (I won’t divulge how) and check to see what parameters are passed into those calls (for example the identifier that specifies where a password is kept in persistent storage).

This sniffing technique opens up some fairly big holes in terms of security, and definitely makes it a bit tricky to properly manage passwords. However, RIM does indeed provide some sophisticated technology to ensure your passwords are properly protected in persistent storage. For example, there is a way to ensure that ONLY your app can access particular data, which effectively blocks data mining. BUT, and this is a big but, once your app pulls that data out of persistence and back into RAM, anyone can use the sniffing technique to get at your passwords. HOWEVER, now it’s much harder to do. With RIM’s protection methods, an attacker now has to have physical access to your device to sniff for data, so it would be impossible to write an app that automatically pulls out your data.

A 3rd party app can, without having to ask for permissions (in most cases, depending on the device security settings):

  • Read your entire contact list.
  • Read your calendar.
  • Read your memos.
  • Pull out unprotected information from the persistent store.
  • Listen for incoming phone calls and collect data on those calls.

That’s as much as I can think of off the top of my head. Ultimately it’s buyer beware. Companies like Multiplied Media (I’m the lead developer for Poynt), who strive to uphold the highest levels of trust and integrity between ourselves and ours users have built up that level of trust over time. There’s always the potential risk, just like with anything else, that an app might be doing things that you aren’t aware of or don’t want it to do. The good thing is there are many so called white-hat developers out there that are watching for these apps and will alert the community when a bad apple shows up.

Although RIM does have a fairly rigorous approval process, they have opted to treat App World more like an open market than Apple’s App Store. This gives BlackBerry users a leg up, because they can evaluate for themselves about what is good or bad (the true invisible hand market paradigm). But like in any free market, there can be products that don’t do what they say they do, or do more than they say they do. Ultimately what it comes down to is being informed as a consumer. Luckily there are great blogs like BlackBerry Cool to facilitate the information sharing process among consumers

I would invite as many developers as possible to join in that effort to ensure a fair and clean BlackBerry application community.

NOTE FROM EDITOR (KYLE): I have spoken with Mobihand recently about their vetting process for applications and they have assured me they take their commitment to customers seriously. When issues arise, as they did with NetworkAcc, they look into them. In this case, what Mobihand learned was inconclusive, so they decided to leave it in the catalog and let users decide for themselves. But they have an adaptable system, and are willing to work with bloggers to customize the store front. In this case, I have asked them to exclude NetworkAcc from our store, and I will ask them to do so with any other products that are questionable in what they offer.

  • Bla1ze

    BlackBerry OS 5.0.0 knows what you install – http://is.gd/52WR0

    Another great article referring to the security involved with BlackBerry apps. Although, I’m not sure why you stated you wouldn’t divulge the calls needed, they are actually listed in the RIM KB and openly available to all to view and can actually used for GOOD as described in the above link posted.

  • Bla1ze

    BlackBerry OS 5.0.0 knows what you install – http://is.gd/52WR0

    Another great article referring to the security involved with BlackBerry apps. Although, I’m not sure why you stated you wouldn’t divulge the calls needed, they are actually listed in the RIM KB and openly available to all to view and can actually used for GOOD as described in the above link posted.

  • http://www.momentem.net/ Terry @ momentem

    hi Peter,

    great article!

    There was an interesting article the other day about an iPhone developer who “stole” the users’ phone numbers which ended up in a lawsuit, read it at http://www.readwriteweb.com/archives/iphone_game_maker_apologizes_for_stealing_phone_numbers_calls_lawsuit_meritless.php

    We are a BlackBerry app developer and we do handle user personal information because it’s necessary to offer our call tagging service, however;
    a) we make the user aware and they know why we do it
    b) we have a strictly enforced publicly available privacy policy
    c) it goes without saying that we would never ever abuse that privilege

    I think all developers need to consider;
    - what personal information they really need in order to run the app (don’t grab anything you don’t absolutely need)
    - how they handle it and store it
    - how they notify the user
    … then most people are cool with it. It’s about credibility.

    However, “downloader beware” is the motto here. Would you let someone in your house if you didn’t know anything about them?

    Another example of “naughty naughty” in the iPhone world is this one http://www.ilounge.com/index.php/news/comments/itunes-app-used-to-grab-users-phone-numbers/

    Terry

  • http://www.momentem.net/ Terry @ momentem

    hi Peter,

    great article!

    There was an interesting article the other day about an iPhone developer who “stole” the users’ phone numbers which ended up in a lawsuit, read it at http://www.readwriteweb.com/archives/iphone_game_maker_apologizes_for_stealing_phone_numbers_calls_lawsuit_meritless.php

    We are a BlackBerry app developer and we do handle user personal information because it’s necessary to offer our call tagging service, however;
    a) we make the user aware and they know why we do it
    b) we have a strictly enforced publicly available privacy policy
    c) it goes without saying that we would never ever abuse that privilege

    I think all developers need to consider;
    - what personal information they really need in order to run the app (don’t grab anything you don’t absolutely need)
    - how they handle it and store it
    - how they notify the user
    … then most people are cool with it. It’s about credibility.

    However, “downloader beware” is the motto here. Would you let someone in your house if you didn’t know anything about them?

    Another example of “naughty naughty” in the iPhone world is this one http://www.ilounge.com/index.php/news/comments/itunes-app-used-to-grab-users-phone-numbers/

    Terry

  • http://www.momentem.net Terry @ momentem

    hi Peter,

    great article!

    There was an interesting article the other day about an iPhone developer who “stole” the users’ phone numbers which ended up in a lawsuit, read it at http://www.readwriteweb.com/archives/iphone_game_maker_apologizes_for_stealing_phone_numbers_calls_lawsuit_meritless.php

    We are a BlackBerry app developer and we do handle user personal information because it’s necessary to offer our call tagging service, however;
    a) we make the user aware and they know why we do it
    b) we have a strictly enforced publicly available privacy policy
    c) it goes without saying that we would never ever abuse that privilege

    I think all developers need to consider;
    - what personal information they really need in order to run the app (don’t grab anything you don’t absolutely need)
    - how they handle it and store it
    - how they notify the user
    … then most people are cool with it. It’s about credibility.

    However, “downloader beware” is the motto here. Would you let someone in your house if you didn’t know anything about them?

    Another example of “naughty naughty” in the iPhone world is this one http://www.ilounge.com/index.php/news/comments/itunes-app-used-to-grab-users-phone-numbers/

    Terry

  • Peter Werry

    Hey Bla1ze!

    I was actually referring to the technique one can use to sniff into frameworks calls at runtime to discover where 3rd party apps store passwords. You can’t do this by simply utilizing publicly documented runtime APIs that are found in the KB articles and javadocs. I think the technique was brushed over quickly at one of the soapbox discussions at devcon this year by one of the attendees. Hopefully no one was listening :)

    I think the important message to developers is to make use of RIMs private signing capabilities to wrap ControlledAccess objects around persistent data. If you’re going to be storing passwords, ControlledAccess is your new best friend.

  • Peter Werry

    Hey Bla1ze!

    I was actually referring to the technique one can use to sniff into frameworks calls at runtime to discover where 3rd party apps store passwords. You can’t do this by simply utilizing publicly documented runtime APIs that are found in the KB articles and javadocs. I think the technique was brushed over quickly at one of the soapbox discussions at devcon this year by one of the attendees. Hopefully no one was listening :)

    I think the important message to developers is to make use of RIMs private signing capabilities to wrap ControlledAccess objects around persistent data. If you’re going to be storing passwords, ControlledAccess is your new best friend.

  • RAVI

    HI

    WHATS UP

  • http://RAVI_MHASKE2@YAHOO.COM RAVI

    HI

    WHATS UP

  • RAVI

    WHATS UP

  • http://RAVI_MHASKE2@YAHOO.COM RAVI

    WHATS UP

  • Andy

    Well, are we or are we not exposed to the unwanted intrusions and how we can protect our privacies?

    Why on earth would an app want a permission acccess to my personal data on my phone to begin with?

  • Andy

    Well, are we or are we not exposed to the unwanted intrusions and how we can protect our privacies?

    Why on earth would an app want a permission acccess to my personal data on my phone to begin with?