- While we don't know how "evil" Google is compared to "BlackBerry", Google users also have to deal with this:
https://arstechnica.com/security/201...-android-user/
https://arstechnica.com/security/201...s-sought-root/
TrendLabs Security Intelligence Blog: Two Games Released in Google Play Can Root Android Devices
Please anyone, could you provide me one single app that can root BB10 and deeply compromise the OS?
I think, if you are looking for games but don't want your OS to be compromised, BB10 is still worth a look.
Just because BB10 can't be rooted doesn't mean it's perfectly safe, it has an all-or-none permission problem.
01-27-17 05:50 AM
-
I don't think it is much fun (trying) to restore a device, if it has been rooted once against your will.
01-27-17 06:12 AM
-
Once you have installed a malicious app, it's there. It's running. Even on BB10. And that also means, it has access to the data on your phone. Esp. sideloaded apps don't ask for permissions, afair. Then there are ways to sideload apps without a PC - directly on-device. A malicious app could e.g. swap the integrated BlackBerry calendar app with a modified one and you probably wouldn't notice it until the next reboot. (It could probably swap it back on shutdown, so you wouldn't notice anything at all.) Also the human factor is the same with BlackBerry. A seemingly legit app can ask for permissions and once you granted them, can do anything with it.
And, of course, you can restore most Android phones completely - including the operating system - like you can with BlackBerry devices and their autoloaders.
01-27-17 06:32 AM
-
On Android, I would have to re-install the OS from a trustworthy source (preferably the OEM manufacturer).
See, many people in my family ask me to take care of their phone or computer.
I don't have time to do my research on how I can restore a rooted Android.
So, I gave them BB10.
Luckily they have found all the apps they need.
On a side note, even if you give an app all kinds of permissions, its possibility to affect other apps seems to be very limited on BB10 (especially compared to Android).
At least that's my understanding from some post of the few BB10 devs on CB.
Of course, if I give an app permission to my contacts, sms and whatever, the app can steal these data, in that all OSes are absolutely equal.
Actually, another reason why I avoided Android in the past, was the absence of a granular app permission model (like on BBOS, BB10 or iOS).
In many ways Android has become more like BB10 these days, they introduced actionable quick settings, app permissions, a torch etc etc... things I enjoyed as *secure stock apps* long before Android users.
01-27-17 07:00 AM
-
And to gain root, malware would have to use a very special security issue only existent in some very few (and old) versions of Android on specific devices. This was mostly due to bugs introduced by manufacturers modifying the Android OS.
And just because nobody publicly wrote about it yet, doesn't mean there aren't similar problems with some BBOS versions, too.
And have you talked to some Android devs about that? It's the same there. One app can't see other apps' files or even modify them. Only if an app gains root access, this might be possible. But as explained above, it is very unlikely to happen on any recent Android phone.
01-27-17 07:15 AM
-
I don't make my risk assessments based on "what could happen in best case?"
I agree that many malicious apps from Google Play (the total download numbers over the last 2 years must have accumulated to several tens of millions by now) did not root the device, just stealing information (without agreement of the user) and/or showing annoying ads.
But there have been more apps like Brain Test as well, which can root the device, and that is my main concern here.
Note: I only talk about Google Play here!
And again: On BB10 I just uninstall the app, no factory reset needed, no re-install needed.
Just uninstall the app from BB10 and tell the user to be more careful in the future.
Edit:
Oh, I think I have to correct myself in one point.
Due to a bug in the Android Runtime on 10.3.2, you maybe cannot fully uninstall an apk.
In such cases, you would probably have to reload the OS to stay on the safe side.
01-27-17 07:40 AM
-
There were only very few devices where those apps were able to root them at all. And those devices had security issues introduced by the manufacturer botching around in the Android source code. That's not at all a generic problem with Android or the Play Store.
01-27-17 07:46 AM
-
You cannot nullify that there have been apps in Google Play which successfully rooted devices.
That's simply a fact.
You are absolutely correct that we should not confuse download numbers with numbers of successfully compromised OSes.
I am not sure about "few devices", but okay, we both probably don't have any solid source for that (at least I don't have it at hand now).
01-27-17 07:54 AM
-
On BlackBerry Android, no one has been able to demonstrate a persistent root, thus seemingly making this debate moot.
01-27-17 08:12 AM
-
My problem is that I don't know the future.
Based on my experience, I can only say that Android continuously showed critical security holes that allow rooting.
And it's obvious that attackers constantly release malicious apps in Google Play.
That doesn't allow the conclusion that *all* malicious apps of Google Play *can* root BlackBerry Android, okay, I get it.
But the *possibility* that such an app will occur in Google Play and that it can root BlackBerry Android is significantly higher, compared to BB10.
Again: I would not make any risk assessment based on "what could happen in best case?".
Worst case scenarios seem to be more likely for Android, based on all known vulnerabilities of today and the past.
01-27-17 08:29 AM
-
There's the rub. The use of "possibility" and "significantly" is not scientific. We may find that BlackBerry Android is safe enough in all practical senses, and even more so when used in a containerized EMM solution - where we are most concerned about it anyway.
01-27-17 08:41 AM
-
You are referring to "practical sense".
Okay, I clearly remember a security report from Verizon, which basically concluded that smartphones are not incredibly safe, but attackers are simply not (yet) interested in mobile platforms.
That's you, living in the peaceful countryside and never locking your door, because there are *practically* no burglars in your area. This is the kind of "security" we are talking about.
People typically ask "how many devices have been compromised?" and then often conclude that the devices are "secure".
However, if we follow the news over the last 2 years then we realize that the attacks increase, especially for Android, so the answer to the same question is about to change.
BlackBerry is not making any statements whether BlackBerry Android could not be rooted through Stagefright vulnerabilities.
01-27-17 09:08 AM
-
It's the same with Apple Macs which were said to be "secure", but this was only because nobody bothered to create malware for them. Now that they are used more and more, Mac-specific malware appeared naturally.
So in an alternate dimension where BB10 gained a huge userbase, you can bet that there would also be malware for BB10. And the absence of (public) information about BB10 vulnerabilities is no proof that they don't exist.
01-27-17 09:10 AM
-
When BB10 was released, the very first OS version was vulnerable to a root attack, well, if I remember correctly.
A handful of other rather harmless security holes were reported later on.
So, some security researchers were looking at the phone.
I remember Justin Case, the guy who did a very complex root attack for the Blackphone.
He announced a few years ago that he will try BB10 next, never heard of him again, at least nothing about BB10.
In the end all my speculations and assumptions should be backed up by facts.
In other words, I have to start with what I know.
Matter of fact, the number of known critical vulnerabilities on Android is 100 times higher than *all* known vulnerabilities of BB10.
I summarized it here:
http://forums.crackberry.com/general...l#post12713599
There are too many uncertainties about what we possibly perhaps maybe don't know, but I stick primarily to what I know, when I make a decision.
01-27-17 09:24 AM
-
And the only thing we know FOR CERTAIN, is that (whether through hardening, integrity detection, patching, or scanning by Google Play Services on the device) BlackBerry Android has never allowed elevated privileges through root.
01-27-17 09:39 AM
- Matter of fact, the number of known critical vulnerabilities on Android is 100 times higher than *all* known vulnerabilities of BB10.
I summarized it here:
http://forums.crackberry.com/general...l#post12713599
There are too many uncertainties about what we possibly perhaps maybe don't know, but I stick primarily to what I know, when I make a decision.
01-27-17 09:57 AM
-
This, still, is a very distorted way to look at it. 1st, as explained earlier, Android has a much larger userbase and thus far more people who have an interest in breaking it. Which leads to many more security vulnerabilities found. 2nd, Android is open source and security experts (and amateurs) from all over the world can look at the code and point out security issues. Android even pays them if they find a serious issue. Whereas BBOS is closed source and only a few people at BB have access to the code to see if it contains any problems. And they don't pay people pointing out problems.
01-27-17 12:30 PM
-
Ah yes, the old bromides that because the user base is small no one is trying to exploit the code; and that anyone can look at open source so it will have fewer problems. But neither of these ideas survives any amount of scrutiny. If publishing code in the open so anyone could look at it was such a great way of ensuring code quality, researchers wouldn't be turning up security problems that have been in open source code for decades without anyone publicly pointing them out (we don't know how many people privately found and exploited these issues before they were published).
But don't take my word for it. This month Gerald Weinberg discusses code quality on the Software Engineering Radio Podcast. Mr. Weinberg -- who has been coding for seven decades and worked on Project Mercury for NASA -- was asked that question. His answer is, as most programming professionals will also tell you, whether or not a project is open source has much less to do with the number of errors than the way the project is run. Just because anyone in the world can look at the code doesn't mean anyone actually does, or that they are looking effectively. Conversely just because only a select few look at the code doesn't mean they aren't very effective in finding and correcting errors.
Generally speaking, we know Android data mines. This is verified. We assume BlackBerry (for the most part) doesn't. But this is unverified because nobody has seen the code. We're just taking them at their word, and trusting that what they say is true.
Posted via CB10
01-28-17 04:08 PM
-
Posted via CB10
01-28-17 04:15 PM
-
That's a monumental task in 2017. Unfortunately, one that's largely falling in my lap.
Posted via CB10
01-28-17 04:26 PM
-
... The difference comes in, and this is a big one for me, on Trust. With open source you know other people have looked at the code, published their results, and have a generally good idea about what that code is doing. With private code, that's not true. You have to trust the company has done a full and proper review, dedicated the necessary resources, properly fixed vulnerabilities, AND not hidden some secret code in there running in the background doing things you don't want done on your device. But there has to be that level of trust, because there's nobody to verify. There's really pros and cons to each approach.
...
Posted via CB10
You are right about trusting closed source companies to do the right thing, but over time it is easy to decide who is worth the trust. How many times has Microsoft told us that they have completely rewritten part of the Windows interface only to later have the same bug affect versions of Windows back to XP? I've lost count.
The idea that a small user base doesn't get scanned for exploits comes from Apple advertising their OS as virus free, until they got hit by a virus.
The UK DOD recently announced they are dropping plans to build a secure military smartphone system on top of Samsung Android technology because it can't be secured. They are now going to try with iPhone 6.
BlackBerry was the leader in smartphone sales until the iPhone came out, and was a significant player for a couple years after. They managed to maintain a superior security posture for their products during that time.
The world is complicated. You can't make sweeping decisions about complex issues based on one data point. Open source does not mean more or less secure. Neither does closed source. Neither factor gives any predictions about security. It would be nice if they did, my life would be a lot simpler.
LeapSTR100-2/10.3.3.2163
01-28-17 04:42 PM
-
And how a British mobile service provider should be able to improve the security of a closed-source operating system even they can't get their hands on, is beyond me. So there's that.
01-28-17 04:52 PM
BlackBerry discusses the future of BB10