1. R3d13's Avatar
    Hi all

    I'm wondering about a few things regarding the misc/android folder:

    I noticed that all Downloads, Photos, etc., appear to be duplicated inside of the android folder. Those are symbolic links and should not take up the same storage space as the original files, correct? I opened up the Properties of the folders in android and they're the same file size as the originals..

    I have external SD storage and nothing on the SD card is referenced within the android folder. Does that mean it is safer to use the SD to store sensitive documents that I don't want Android apps to have access to?

    Thanks
    05-19-15 03:58 AM
  2. Bla1ze's Avatar
    I have external SD storage and nothing on the SD card is referenced within the android folder. Does that mean it is safer to use the SD to store sensitive documents that I don't want Android apps to have access to?
    Android apps are sandboxed anyway but sure, if it makes you feel better, put them on your SD card.
    05-19-15 03:59 AM
  3. R3d13's Avatar
    But the sandboxed Android app can access the files inside misc/android, including the library of photos and downloads that are linked, correct? That's what I'm not entirely sure of.

    I'd encrypt the SD card and put important stuff on there, but from what I understand the SD card's encryption key uses the Device's password, making it prone to brute-force attacks if the phone and SD were stolen. They really should use a separate key for better security. But that's another topic
    Austerman likes this.
    05-19-15 04:15 AM
  4. Bla1ze's Avatar
    But the sandboxed Android app can access the files inside misc/android, including the library of photos and downloads that are linked, correct? That's what I'm not entirely sure of.
    It actually depends on the app. Some apps read from the SD Card fine while others....... not so much. I dunno what the method to the madness is for that but I assume it's a cross between some apps being coded better than others and of course, how the Android runtime was coded by BlackBerry. As you already know, the OS is full of symbolic links which seem to confuse some apps in how they should run.
    05-19-15 04:16 AM
  5. baarn's Avatar
    I'd encrypt the SD card and put important stuff on there, but from what I understand the SD card's encryption key uses the Device's password, making it prone to brute-force attacks if the phone and SD were stolen. They really should use a separate key for better security. But that's another topic
    The device password is used to unlock a device internal key store. The device password itself is not the encryption key.
    This means that taking the SD card out and trying to brute force the device password to unlock it is pointless since it's not the key.
    Brute forcing the device password while the device is on with the SD card installed will be subject to the usual ten attempts before device wipe.
    05-19-15 04:54 AM
  6. R3d13's Avatar
    The device password is used to unlock a device internal key store. The device password itself is not the encryption key.
    This means that taking the SD card out and trying to brute force the device password to unlock it is pointless since it's not the key.
    Brute forcing the device password while the device is on with the SD card installed will be subject to the usual ten attempts before device wipe.
    I meant that the encryption "algorithm" (I shouldn't have said "key") uses the device's password to formulate the encryption key. Isn't that how encryption keys are generated - based on an input of characters?

    If the SD card is removed from the device and then brute-forced, you can unlock the device since both the device's and the SD's encryption keys were generated from the device's password.
    05-19-15 05:26 AM
  7. Richard Buckley's Avatar
    I meant that the encryption "algorithm" (I shouldn't have said "key") uses the device's password to formulate the encryption key. Isn't that how encryption keys are generated - based on an input of characters?

    If the SD card is removed from the device and then brute-forced, you can unlock the device since both the device's and the SD's encryption keys were generated from the device's password.
    This is old information. If was a vulnerability found in BBOS 6, and fixed then.

    Edit:

    If the algorithm was still as you say, people wouldn't loose their SDCARD data by encryping it then wiping the device. They would just have to know the device password used to encrypt it.

    Z10STL100-3/10.3.1.2708 SR 10.3.1.1865
    R3d13 likes this.
    05-19-15 07:35 AM
  8. baarn's Avatar
    I meant that the encryption "algorithm" (I shouldn't have said "key") uses the device's password to formulate the encryption key. Isn't that how encryption keys are generated - based on an input of characters?
    No, it shouldn't use the device's password to generate the encryption key.
    Generally speaking, a random key (or as random as possible on a deterministic machine like a computer) is generated and then saved in the password protected key store. The random key is often generated from external inputs, eg. timings of movements of a hard disk head, or input from a microphone, etc.
    As Richard said, if you encrypt your SD card on your BlackBerry device and then wipe your device, the key store is also deleted. Your SD card then becomes permanently inaccessible.

    If the SD card is removed from the device and then brute-forced, you can unlock the device since both the device's and the SD's encryption keys were generated from the device's password.
    No, for the above reason.
    R3d13 likes this.
    05-19-15 08:45 AM
  9. R3d13's Avatar
    Let me make sure I understood you correctly:

    If I encrypt both the device and SD card, and someone steals the device with the SD card, can they recover the device's password (in order to unlock it) by brute-force attacking the SD card first?

    I could have sworn I read this somewhere..

    If the answer is "no" for sure, I'm encrypting the SD card and moving stuff over
    05-19-15 09:05 AM
  10. baarn's Avatar
    If I encrypt both the device and SD card, and someone steals the device with the SD card, can they recover the device's password (in order to unlock it) by brute-force attacking the SD card first?
    ...
    If the answer is "no" for sure, I'm encrypting the SD card and moving stuff over
    I never like to talk in absolutes because the universe can be very cunning, but, unless BlackBerry have made a huge gaping and glaring mistake, then no.

    The biggest risk with encrypting your SD card is that you lock yourself out of it.
    Make sure you make regular off device clear text (or separately encrypted) backups. And test them regularly too...

    With regards to device passwords, in some ways it is the weakest link. A shoulder surfer or camera could pick up on a text password being entered. Picture password, although a brilliant concept, occasionally allows you to be lucky - I have unintentionally unlocked my device on a number of occasions, and sometimes my number comes up as a cluster near to the position in the picture.
    05-19-15 09:51 AM
  11. Richard Buckley's Avatar
    Let me make sure I understood you correctly:

    If I encrypt both the device and SD card, and someone steals the device with the SD card, can they recover the device's password (in order to unlock it) by brute-force attacking the SD card first?

    I could have sworn I read this somewhere..

    If the answer is "no" for sure, I'm encrypting the SD card and moving stuff over
    That could have happened with BBOS 6. The vulnerability was discovered by researchers, disclosed and closed. That's probably where you read it.

    Z10STL100-3/10.3.1.2708 SR 10.3.1.1865
    05-19-15 01:13 PM
  12. anon(679606)'s Avatar
    I never like to talk in absolutes because the universe can be very cunning, but, unless BlackBerry have made a huge gaping and glaring mistake, then no.

    The biggest risk with encrypting your SD card is that you lock yourself out of it.
    Make sure you make regular off device clear text (or separately encrypted) backups. And test them regularly too...

    With regards to device passwords, in some ways it is the weakest link. A shoulder surfer or camera could pick up on a text password being entered. Picture password, although a brilliant concept, occasionally allows you to be lucky - I have unintentionally unlocked my device on a number of occasions, and sometimes my number comes up as a cluster near to the position in the picture.
    While you mention it, I have fou d picture password difficult to use... maybe it's only me...

    Posted via CB10
    05-19-15 06:29 PM
  13. baarn's Avatar
    While you mention it, I have fou d picture password difficult to use... maybe it's only me...
    The usual response to that is:
    Don't make the mistake of putting your finger on your chosen number and then moving it into position. Doing so firstly reveals your number to a shoulder surfer, and secondly makes it difficult to accurately place the number.
    Instead, place your finger anywhere else on the screen and slide the number overlay around until one of your numbers is in position.
    anon(679606) likes this.
    05-19-15 06:51 PM
  14. anon(679606)'s Avatar
    One Thing I find enticing about the BlackBerry Passport is that I am still discovERing it at 6mo in...

    Thanks for the tip... works now for me !

    The usual response to that is:
    Don't make the mistake of putting your finger on your chosen number and then moving it into position. Doing so firstly reveals your number to a shoulder surfer, and secondly makes it difficult to accurately place the number.
    Instead, place your finger anywhere else on the screen and slide the number overlay around until one of your numbers is in position.
    05-19-15 07:04 PM

Similar Threads

  1. Boom beach and clash of clans saving game secret .....
    By da_flamer in forum Android Apps (Amazon Store & APK Files)
    Replies: 16
    Last Post: 01-25-16, 03:59 AM
  2. Replies: 49
    Last Post: 08-12-15, 09:58 PM
  3. Just got my Classic today and......
    By homer j in forum Verizon Wireless
    Replies: 8
    Last Post: 05-25-15, 06:59 AM
  4. Custom Shortcuts updated with more built-in icons and shortcut options
    By CrackBerry News in forum CrackBerry.com News Discussion
    Replies: 1
    Last Post: 05-19-15, 08:49 AM
  5. Does os7 support google contacts and calendar sync?
    By CrackBerry Question in forum Ask a Question
    Replies: 3
    Last Post: 05-19-15, 01:53 AM
LINK TO POST COPIED TO CLIPBOARD