1. Richard Buckley
    There is a new paper posted today in SciRate:

    I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis

    Abstract:
    Revelations of large scale electronic surveillance and data mining by governments and corporations have fueled increased adoption of HTTPS. We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. We examine evaluation methodology and reveal accuracy variations as large as 18% caused by assumptions affecting caching and cookies. We present a novel defense reducing attack accuracy to 27% with a 9% traffic increase, and demonstrate significantly increased effectiveness of prior defenses in our evaluation context, inclusive of enabled caching, user-specific cookies and pages within the same website.
    So it is not surprising that the BlackBerry Vendors' newsletter sent out today had an item titled "New Privacy Guidelines and App Requirements":

    With the upturn of privacy-infringing third-party apps in recent years, BlackBerry is implementing additional mechanisms to protect mobile app customers and their personal information. One such mechanism includes new privacy guidelines for BlackBerry World developers. The guidelines will assist you with recognizing Personally Identifiable Information (PII) and applying best practices for protecting users' information such as developing a privacy policy.
    There is a Knowledge Base article available: Guidelines for Personally Identifiable Information

    and a blog post: Apps, Privacy and Your Data

    Good news for users who are not privacy or security savvy but are looking for a safer alternative in their smartphone ecosystem.
    jxnb and Shanerredflag like this.
    03-04-14 08:57 AM
  2. qbnkelt
    This is a good read. Thank you.

    Of particular interest is this:

    Consider the Impact of Third-Party Code
    If your app includes third-party code, understand how it works, the functionality it provides, and if or how it handles customers’ information. Ensure that appropriate contracts are in place with any third party service that you use. Consider how SDKs and third-party add-ins affect your app. For example, a third-party ad service might access and use PII that your app would not otherwise access.
    Shanerredflag likes this.
    03-04-14 09:22 AM
  3. JonCBK
    Makes me not want to use apps on my BlackBerry. I carry an iPhone as well. So generally apps go on that phone while email and messaging is handled by BlackBerry.

    I'm concerned that once I can side load Android apps easier I might get tempted to use more apps on the BlackBerry. And hence jeopardize its security.

    Posted via CB10
    03-07-14 05:53 PM
  4. Richard Buckley
    Makes me not want to use apps on my BlackBerry. I carry an iPhone as well. So generally apps go on that phone while email and messaging is handled by BlackBerry.

    I'm concerned that once I can side load Android apps easier I might get tempted to use more apps on the BlackBerry. And hence jeopardize its security.

    Posted via CB10
    As long as you get the apps from BlackBerry World you should have no issues with security. That is the whole point of the stringent requirements and screening.

    But you're right. Sideloading is ok for people who aren't concerned about the security of their phone.

    Posted via CB10
    03-07-14 07:07 PM
  5. Shanerredflag
    As I understand it all side loaded apps are partitioned and can't affect the BB10 security integrity. That said, one must not "carte blanche" permissions either.
    There is a great explanation on a thread here on CB somewhere...will try and dig up and share here.

    Is that a Z30...yes, yes it is.
    03-07-14 07:13 PM
  6. Richard Buckley
    As I understand it all side loaded apps are partitioned and can't affect the BB10 security integrity. That said, one must not "carte blanche" permissions either.
    There is a great explanation on a thread here on CB somewhere...will try and dig up and share here.

    Is that a Z30...yes, yes it is.
    I would like to know where you get the partition idea from. Sideloading is just the use of tools created to allow developers to load their apps onto hardware. If the app is signed by a debug token the tools allow the developer to do some things that are not possible otherwise, like examine and edit the application local files. If the app is fully signed it is installed the same way as an application from BlackBerry World.

    Posted via CB10
    03-08-14 06:54 AM
  7. Shanerredflag
    I would like to know where you get the partition idea from. Sideloading is just the use of tools created to allow developers to load their apps onto hardware. If the app is signed by a debug token the tools allow the developer to do some things that are not possible otherwise, like examine and edit the application local files. If the app is fully signed it is installed the same way as an application from BlackBerry World.

    Posted via CB10
    Partitioned was likely the wrong descriptor...have a look at Omnitechs reply here:
    http://forums.crackberry.com/showthread.php?p=10073374

    Is that a Z30...yes, yes it is.
    03-08-14 07:18 AM
  8. Richard Buckley
    Partitioned was likely the wrong descriptor...have a look at Omnitechs reply here:
    http://forums.crackberry.com/showthread.php?p=10073374

    Is that a Z30...yes, yes it is.
    Yeah, sandbox is an overused term as well. When it was first coined it was used for systems like Qemu where software decodes and executes low level machine code. Then it was applied to virtual machines like Java. But through bad programming Java security is a joke.

    In contrast on a BB10 device Android machine code executes directly on the ARM hardware. The QNX kernel has been modified to recognise and service Android system calls just as it would QNX system calls. Security isn't provided by trying to wall off the programs running. It is provided by robust coding where security is always the top priority. And the fact that the two companies (now one) have decades of experience in developing secure code.

    Posted via CB10
    Shanerredflag likes this.
    03-08-14 11:35 AM
  9. wincyUt
    Makes me not want to use apps on my BlackBerry. I carry an iPhone as well. So generally apps go on that phone while email and messaging is handled by BlackBerry.

    I'm concerned that once I can side load Android apps easier I might get tempted to use more apps on the BlackBerry. And hence jeopardize its security.

    Posted via CB10
    Are the apps on your iPhone any more secure? Don't understand what you mean by this "I carry an iPhone as well"? Care to elaborate?
    03-08-14 11:44 AM
  10. Richard Buckley
    Are the apps on your iPhone any more secure? Don't understand what you mean by this "I carry an iPhone as well"? Care to elaborate?
    I understand him to mean that he uses the iPhone to run apps, but does the work that needs protection on the BlackBerry.

    Posted via CB10
    wincyUt likes this.
    03-08-14 09:11 PM
