[Gatmyer]

I found this interesting.

Web Security Analysis of 12 BlackBerry 10 Applications | FileArchiveHaven

A very good read on some apps which have good and bad Security. Also goes into why they are secure or not secure.

Thanks to the !Geeks United BBM channel for the link.

C00122408

Posted via CB10

[tinochiko]

Yes very interesting

Check Out TechCraze

[Gatmyer]

Yes very interesting

Check Out TechCraze

Thanks.

Following them now as well.

Posted via CB10

[RedxD]

Requesting lots of ads in the background living your battery and using up your data, lovely lol

Posted via CB10

[jonduran86]

And here we go...

[LoganSix]

Developers should be more careful about how they handle user data.

Posted from my Red Passport

[Dunt Dunt Dunt]

A lot of "Apps For" on this list... which is the same for most any platform, and one of the big reason that many today avoid "Apps For Apps". Thankfully we at least have the unofficially options for getting many of the original apps so we don't have to use these.

[Bla1ze]

A lot of "Apps For" on this list... which is the same for most any platform, and one of the big reason that many today avoid "Apps For Apps". Thankfully we at least have the unofficially options for getting many of the original apps so we don't have to use these.

Actually, the App for Apps, are likely among the safest because they're all just app generator apps lol. Of course, they're utterly useless but they're safer than pretty much anything else as you know it's just going to some stupid blog site anyway. The 'developers' (using the term loosely) behind those can't inject any outside code really.

[anon(4086706)]

I'm more interested on the difference between iGrann and Insta10

How come iGrann could perform IG stuff internally almost cleanly compared to Insta10? Is it because the former doesn't use any form of spoofing (it can directly utilize IG API's??) or third party advertisements whatsoever (making it effectively funded by actually buying the app?).

While Insta10 basically uses a remote server to spoof say... an iOS or an Android client plus it uses third party advertisements as a source of funds? Though I would appreciate Nem has control over the connection between client and the AWS server to be at least encrypted and scrambled and then the connection sent to IG servers for handshake from the said server at least follows IG's security standards.

I mean sure third party apps and all but at least the backend should tighten up a bit. We don't want to hear stories of snooping data within transits.I just find iGrann "cleaner" and it does the same job... just saying

[tinochiko]

Actually, the App for Apps, are likely among the safest because they're all just app generator apps lol. Of course, they're utterly useless but they're safer than pretty much anything else as you know it's just going to some stupid blog site anyway. The 'developers' (using the term loosely) behind those can't inject any outside code really.

I don't think that user meant apps that are named 'apps for' I think he was referring to the fact that some of the apps listed in the article are third party apps ( the original meaning of 'apps for xxxx') however I don't think this article speaks against third party apps in general, it's just highlighting that as users (and in particular BlackBerry users) we need to be aware of exactly what apps are doing with the data we freely give them, as the article states, there are legitimate uses, and less so... what we don't want is a developer taking advantage of the lack of a native app and not just charging users for its use, but then going on to data mine (not referring to any in particular'

For me all this means just developers being more open and transparent about their apps..



Check Out TechCraze

[RedxD]

I'm more interested on the difference between iGrann and Insta10

How come iGrann could perform IG stuff internally almost cleanly compared to Insta10? Is it because the former doesn't use any form of spoofing (it can directly utilize IG API's??) or third party advertisements whatsoever (making it effectively funded by actually buying the app?).

While Insta10 basically uses a remote server to spoof say... an iOS or an Android client plus it uses third party advertisements as a source of funds? Though I would appreciate Nem has control over the connection between client and the AWS server to be at least encrypted and scrambled and then the connection sent to IG servers for handshake from the said server at least follows IG's security standards.

I mean sure third party apps and all but at least the backend should tighten up a bit. We don't want to hear stories of snooping data within transits.I just find iGrann "cleaner" and it does the same job... just saying

They both use the Instagram API(unofficial one, the official one is read-only) but looks like igrann doesn't do shady stuff in the background while insta10 does, igrann only accesses Instagram's servers so I guess that's why it's cleaner

Posted via CB10

[tinochiko]

A lot of "Apps For" on this list... which is the same for most any platform, and one of the big reason that many today avoid "Apps For Apps". Thankfully we at least have the unofficially options for getting many of the original apps so we don't have to use these.

On the other hand for those who want a native experience and for a developer who has the skills to provide them , shouldn't be denied, but there should be better communication between the two, this is a widespread issue there was an article I read before that suggested it had to do with the fact that developers are typically not good with anything relating to the app apart from coding (i.e. Communicating with customers, ethical considerations etc.) obviously a generalisation but it's clear from the thread article that something isn't right

Check Out TechCraze

[Dunt Dunt Dunt]

I don't think that user meant apps that are named 'apps for' I think he was referring to the fact that some of the apps listed in the article are third party apps ( the original meaning of 'apps for xxxx') however I don't think this article speaks against third party apps in general, it's just highlighting that as users (and in particular BlackBerry users) we need to be aware of exactly what apps are doing with the data we freely give them, as the article states, there are legitimate uses, and less so... what we don't want is a developer taking advantage of the lack of a native app and not just charging users for its use, but then going on to data mine (not referring to any in particular'

For me all this means just developers being more open and transparent about their apps..



Check Out TechCraze

Yes thanks for clarifing....

Basically I think we all have to understand that our DATA is very valuable to to developers and advertisers, so we have to be careful of what apps we use.... and this requires that we trust where the apps are distributed from (3rd party apps stores, random download from some fourm, or official app store) and who the developer of the App is (big company with a lot of eyes on it or a small unknown developer).

[Bla1ze]

I don't think that user meant apps that are named 'apps for' I think he was referring to the fact that some of the apps listed in the article are third party apps ( the original meaning of 'apps for xxxx') however I don't think this article speaks against third party apps in general, it's just highlighting that as users (and in particular BlackBerry users) we need to be aware of exactly what apps are doing with the data we freely give them, as the article states, there are legitimate uses, and less so... what we don't want is a developer taking advantage of the lack of a native app and not just charging users for its use, but then going on to data mine (not referring to any in particular'

For me all this means just developers being more open and transparent about their apps..



Check Out TechCraze

Word. I gotcha. Sorry for the confusion Scalemaster.

[Bla1ze]

Edit #2: I’ve been asked about the actual logs. Tomorrow I will cleanup the fiddler logs (no private data for you hack types) and release the logs in the morning. The source code and decompiled binaries I can’t share obviously, you are on your own to get those. But I’ll do up a little article with it so that anyone can see what data is being sent just by using a simple proxy like Fiddler. I’ll also share some of the http strings being assembled by the Kelly class and why this one server poses a huge risk to users.

^^ Waiting for this.

[MobileMadness002]

I agree on the article, very interesting to read.

[senel]

Interesting article, basically summaries what was written about Nemory's apps in other thread here on CB.

Posted via CB10

[Nemory Studios]

My Response to the (Web Security Analysis Of 12 BlackBerry 10 Applications) article

Nemory Studios: Response - Web Security Analysis Of 12 BlackBerry 10 Applications

[Dunt Dunt Dunt]

My Response to the (Web Security Analysis Of 12 BlackBerry 10 Applications) article

Nemory Studios: Response - Web Security Analysis Of 12 BlackBerry 10 Applications

Thanks for your response...

But saying it's BlackBerry's fault or Snap Chat's fault doesn't change the fact that your Apps are getting poor ratings by a Security Analysis and that users data is vulnerable. Heck the original apps might not be rated all that high if they were on the platform, but they aren't.

But we all have to understand that developers have to make money... nothing is really free.

[anon(4086706)]

IMHO if the actual connections themselves are not HTTPS then it's probably really that messed up on the part of the SDK's. Though there must be something that could be encapsulated and encrypted to make the design a bit more sensible.

Also, since this got out, might as well tell potential users that you are collecting data for Ads as a disclaimer (somehow you have to make a living). Of course paid users shouldn't be collected in the first place

Don't take this badly though but I'm sure some guys here are pretty edgy regarding being spied on and whatnot. People would be kinder if transparency is involved.

[AnimalPak200]

Lol... why didn't they just title it: don't use Nemory Studios apps?


Kinda shady to pull ads and run them in the background though. That alone sets a pretty high level of suspicion for the rest of the app calls.

Posted via CB10

[Nemory Studios]

Lol... why didn't they just title it: don't use Nemory Studios apps?


Kinda shady to pull ads and run them in the background though. That alone sets a pretty high level of suspicion for the rest of the app calls.

Posted via CB10

the ads traffic are of Smaato.... not mine,

BlackBerry advertised it, created a webcast for us, recommended it to use it.

And it's not only my apps uses it. there are thousands.

Also flurry

[AnimalPak200]

the ads traffic are of Smaato.... not mine,

BlackBerry advertised it, created a webcast for us, recommended it to use it.

And it's not only my apps uses it. there are thousands.

Also flurry

Just read your response: http://nemorystudios.blogspot.com/20...of-12.html?m=1

Hope you can clear it all up and can continue to work on apps. All part of a learning process I suppose.

Posted via CB10

[nah.uhh]

the ads traffic are of Smaato.... not mine,

BlackBerry advertised it, created a webcast for us, recommended it to use it.

And it's not only my apps uses it. there are thousands.

Also flurry

THIS is why I question BlackBerry "security".
Posted this before but here we go again.
Bb10 permission control doesn't have any user prompts etc for INTERNET.

I've been saying since the playbook, native bb10 apps are only as safe as the developer. Stealing information is easy for bb10 developers and even android developers now on bb10.

Bbos Internet permission could be set to prompt on every connection (you could set rules to what websites it could connect to)

None of these issues would be issues if users knew what connections were being made.
On first run on the app, Bbos would have told me that the app is trying to make http connections to servers I don't recognize.. and I wouldn't have granted the permission.

Edit: my post is a about BlackBerry, not nem or any other developer.

PassportSQW100-1/10.3.1.2243

[LoganSix]

the ads traffic are of Smaato.... not mine,

BlackBerry advertised it, created a webcast for us, recommended it to use it.

And it's not only my apps uses it. there are thousands.

Also flurry

Can you clarify what you just posted? Are you acknowledging that you are running ads in the background of your apps and are claiming that is how it is supposed to work because BlackBerry suggested the ad service?