[downsindro]

This is the Android app:
'Runaway Trains' by Ebscer appworld.blackberry.com/webstore/content/90863

BlackBerry World never told me it was an Android app
None of the reviews said it was Android or not native
I wasn't even prompted to accept all permissions
BlackBerry settings didn't show the app was using permissions
The Android app bar didn't show automatically
Swipe down didn't bring the Android app bar

I only found out it was Android because it popped up a message saying it was Android.
Then I found out it could access all my shared files and there is no way to find out.

[Elite1]

What sort of popup message did you get and when/where/why did you get it?

I'm moving this thread to BB10 Apps Forum for now. Where you originally posted in Armchair CEO Forum is meant for ideas for BlackBerry's corporate direction and management.

Thread title was changed to be more concise & clear. (And a tad less dramatic.)

[travisredpath]

BlackBerry World never told me it was an Android app

It's not supposed to.

None of the reviews said it was Android or not native

If you didn't notice it was an Android app maybe nobody else did either.

I wasn't even prompted to accept all permissions
BlackBerry settings didn't show the app was using permissions

It's a pretty simple app so it's possible that it doesn't need any permissions. You said it could access your files though, where are you seeing it do this?

The Android app bar didn't show automatically
Swipe down didn't bring the Android app bar

If BB10 knows it's a game (using settings in the Android Manifest I think) it can disable these. Developers can also disable them manually when they repackage Android apps, if they want to.

It appears to fail allow you to pay for the upper levels (after 25) due to missing services that likely has to do with it being a repackaged Android app.

[downsindro]

Hey guys. You're probably right this was a bad example, but it was a real issue BlackBerry partially acknowledged at one point. For this app in particular, I'm familiar with the developer, Ebscer, and I doubt they would be abusing data, and I found the same app on Google Play which requests no permissions, but there is no way to prove what this app is capable of. The .bar descriptor requests 'access_shared', which you can to verify with a third party app or by looking through the installer info.

A few years ago side loaded Android apps showed the issue. It was reported to BlackBerry that these apps had full access to everything they requested and never showed a prompt and were completely hidden from the Permissions. This was before direct apk installs, these apps were 'Qnx/Android', and the issue might have been limited to a specific bar packager version, who knows. BlackBerry's response was "Granting all permissions silently was what side loaders wanted, and this was not an issue for apps in BlackBerry World."

How can someone even verify such a stupid claim? Not all Android apps had the issue, and even if you ignore the bar descriptor's permissions, apps don't always have a user facing feature that could prove they have access to some undisclosed permission. There's no way to extract apps from the device anymore and its pretty unlikely you could jump to the app's private directory to pry around so I don't see how you can inspect the manifest (maybe if you found a browser with the issue). Now that I think about it, their response was genius and possibly hilarious, I can't tell right now.

The real question is why is BB10 the absolute worst platform when it comes to app permissions. BBOS is probably still by far the best, if you can ignore the poorly categorized permissions. So much user control you could force a specific network or cripple the entire device into a never ending loop of errors. There's also Blackphone.

What else is wrong with BB10 when it comes to permissions?

1) Its the absolute worst. No explanation needed.

2) Developers approved to utilize 'restricted' permissions in apps are granted them automatically on install without informing the user.

3) You can't find out what permissions an app uses until after it is installed. Whats the big deal with excessive permissions? Requesting excessive permissions is a declaration of gross incompetence. The Android situation makes no sense when compared to the rest of the BB10 platform. Its as if their entire development team killed themselves or got fired as soon as Mike Lazaridis left. BB10 is the only platform that lets apps grant other apps read/write access to documents they may otherwise not be able to access directly. Its a minor gesture (not an actual gesture), but a lot fancier than 'share' or anything else you'd find on other platforms. Its almost the complete opposite of Android's hilarious broadcast with permission API.

Why would such a carefully thought out development platform bring in the Android runtime and force it on decent folks? It is absolutely disgusting. I would eat some human feces for the chance to uninstall it.

4) You have no idea what permissions you'll be forced to accept until you've purchased an app. At least if you knew you wouldn't even have a choice, like with Android, you could play it safe and avoid it. No such luck. The inability to avoid Android apps is horrific. I'm not speaking from a privacy standpoint. Its just such a poorly designed platform I can't stand seeing it show up in Device Monitor. How could BlackBerry been so casual about including it? You'd think they would have given bankruptcy a serious shot first.

5) Even paid native apps sometimes refuse to start if unnecessary permissions aren't granted. Paper Camera is a nice app. It could easily get by with just camera permission and 'share' functionality. But it insists on microphone and shared files. I wouldn't call that excessive, but they really went out of their way to abort starting. I doubt it would even get an exception if you stick to taking photos instead of videos videos. I don't think Apple is qualified to judge apps, but sometimes they reject apps that fail to start due to permission handling.

6) Even Android discloses every permission used by every app on the device. iOS may seem as simple as BlackBerry, but what it exposes to its users is actually all that the platform is capable of, so BlackBerry is the loser on all fronts. BlackBerry has chosen a small subset it feels we're capable of understanding, and only for apps it believes won't confuse us. They don't even bother to explain what the rest of the permissions do, what permissions are automatically granted to social accounts, and what else may be going on.

7) Some apps not written by RIM are still packaged as RIM and granted a ridiculous level of access. Its not entirely clear what they do (some of them) and why they have so much access.

8) Some stuff is readily accessible for any app willing to snoop around, with no permissions required. If you forget to turn off wifi, any app running (and Android apps are always running) can easily determine your exact location. I don't care about this personally but social networking sites try to be intelligent with this kind of information and end up disclosing unnecessary details about people so it really shouldn't be accessible by anyone. It seems to defeat the purpose of the wifi permission that sounds like it controls this type of access, why even have that?

9) Whats the deal with Bluetooth? Can't configure it until you turn it on, and when you do, all your accounts and SMS/MMS are immediately offered up, no matter how many times you disable them. Who knows how many rental cars are now preloaded with my offensive contacts and messages. You could disable auto-connect to have a chance to disable it, but then you might have to fumble around the settings while driving. Not exactly an app permission, but its unnecessary and almost hidden from view in recent releases.

10) There is no way to disable Internet access or IPv6 for an app. Verizon's hand in IPv6 guaranteed any app can get your location within 50 feet just by loading an ad. Sure this is Verizon's fault and other platforms have the same problem, but BlackBerry has the fewest options for circumventing this. It has the worst VPN support that also gives horrible battery drain compared to BBOS. BlackBerry could easily tunnel everything through its NOC or whatever, not like anyone else is using it. They owe us this much, and it could help make up for having the worst mobile browser available by reformatting web pages for garbage phones with 2 GB of memory. Just kidding. Best HTML5 compliance, responsibly display the web the way it was intended.
if (!Android) { disable_manual_zoom(); disable_reader_mode(); LOAD_JUMBO_AD(); alert("DOWNLOAD OUR APP ON iTunes!"); while(1); }

Hope that didn't crash anyone's browser. Why not check out some third party browsers. Who cares who wrote them or if they bypass SSL, do some banking, see if your passwords still work. GO FOR IT.

11) Almost guaranteed we'll never get selective permissions for the Android runtime. I can't see whats left of BlackBerry's "development" team ever jeopardizing the fabulous Android experience. Even if they get it right, good luck finding a third party store with Android 6.0 compliant apps. Regarding App Ops, it does absolutely nothing, do not rely on this app for any type of control whatsoever.

The Priv is looking a bit questionable, with every article avoiding any specific details of what personal data is fully accessible by default. But from John Chen's acknowledgement of the Blackphone, it seems like it has a chance. Its still the closest we're going to get to a secure BlackBerry. Even if they removed user profiles for some reason, for the first time ever, you can secure your Gmail on a BlackBerry device, for $24 a year.

[paulwallace1234]

" and its pretty unlikely you could jump to the app's private directory to pry around"

Good, not sure about yourself but I don't want anyone to have to ability to see a devs code; I've had my code stolen and used in someone else's App without permission or recognition when I was on Symbian (damn I even had 2 Apps completely cloned)

Personally I'd support more open permissions for BB10, I've got nothing to hide; they should be shown before you hit the download/ buy button and hidden permissions should be shown even if the user cannot change them (things like access_internet)



"5) Even paid native apps sometimes refuse to start if unnecessary permissions aren't granted."
That is actually against BBW rules as far as I know, the App should provide some sort of message to the user or work in a lower capacity.

[downsindro]

Its probably nothing, but still annoying there is even any doubt about this.

{"kind":"Archive","key":null,"_":{"attributes":{"A rchive-Manifest-Version":"1.1","Archive-Created-By":"blackberry-apkpackager version 2.0.2"}}},{"kind":"Entry-Point","key":"Entry-Point-Name","_":{"attributes":{"Entry-Point-User-Actions":"access_internet,access_shared,play_audio ,post_notification","Entry-Point":"android://Ebscer.Trains?activity-name=Ebscer.Trains.AppEntry","Entry-Point-Name":"Runaway Trains","Entry-Point-Icon":"android/res/drawable/icon.png","Entry-Point-Type":"Qnx/Android"}}}

"caps":["access_internet","play_audio","post_notification" ,"access_shared"]

[downsindro]

Yeah I agree about the prying around. I can't stand QML, but people write entire apps with that. I don't see why the build tools can't turn that into some kind of obfuscated binary. The 'strip' tool does a pretty good job with the executables.

It seems like BB10 has the capability to overlay directories with Path Manager or whatever its called, so someone could possibly hide their app binaries once they start executing, but like every other useful QNX feature, its not available to developers. It seems easy enough to let developers specify it to the launcher though, if they ever work on BB10 again. At least if they documented their useful features, like the VPN interface, account management, or CIFS daemons, people could fix some of the stuff BB10 is missing. Maybe its just me, but I haven't seen many apps do something impressive with the platform itself.

[downsindro]

More unnecessary restrictions. Even the BES admin can't override an app's permissions on BB10. As an BES customer, if you don't write the app completely yourself, you have to put your full trust into the apps you can find in the overwhelming pool of BlackBerry World. "This is by design." On the otherhand, if you install the same app in the personal space, you can modify the permissions and they apply to the workspace as well. Who is still working at BlackBerry? How did they ever gain the reputation 'secure'?

support.blackberry.com/kb/articleDetail?articleNumber=000036189&language=Eng lish

[paulwallace1234]

There is a sort of binary packaging, it's called Qt Resource or qrc for short; but BB10 doesn't work that well with it, for example some of my Apps use XML models but the XMListModel component only supports loading from the assets folder and not qrc meaning I have to keep mine unpackaged

Posted via CB10 v....not telling