02-16-17 12:02 AM
  1. Fret Madden's Avatar
    While we don't know how "evil" Google is compared to "BlackBerry", Google users also have to deal with this:

    https://arstechnica.com/security/201...-android-user/

    https://arstechnica.com/security/201...s-sought-root/

    TrendLabs Security Intelligence Blog: Two Games Released in Google Play Can Root Android Devices


    Please anyone, could you provide me one single app that can root BB10 and deeply compromise the OS?
    I think, if you are looking for games but don't want your OS to be compromised, BB10 is still worth a look.
    The malware in the first link wouldn't be stopped by BB10, because it's not cryptoware. It uploads data to servers prior to asking for root, and with the way the runtime works it would probably deny root but call home and engage the countdown for the criminals to start selling data. The second one requires users to grant them access. This one is troublesome because it can gain root on its own, but again it requires someone to blindly install it without checking anything.

    Just because BB10 can't be rooted doesn't mean it's perfectly safe, it has an all-or-none permission problem
    BigBadWulf likes this.
    01-27-17 05:50 AM
  2. Superdupont 2_0's Avatar
    Just because BB10 can't be rooted doesn't mean it's perfectly safe, it has an all-or-none permission problem
    But you can sideload/install any game on BB10 and can be sure that the OS integrity will not be deeply compromised.
    I don't think it is much fun (trying to) to restore a device, if it has been rooted once against your will.
    01-27-17 06:12 AM
  3. mbirth's Avatar
    But you can sideload/install any game on BB10 and can be sure that the OS integrity will not be deeply compromised.
    I don't think it is much fun (trying to) to restore a device, if it has been rooted once against your will.
    Maybe let's define what "compromised" means to you...

    Once you have installed a malicious app, it's there. It's running. Even on BB10. And that also means it has access to the data on your phone. Especially sideloaded apps don't ask for permissions, AFAIR. Then there are ways to sideload apps without a PC - directly on-device. A malicious app could e.g. swap the integrated BlackBerry calendar app with a modified one and you probably wouldn't notice it until the next reboot. (It could probably swap it back on shutdown, so you wouldn't notice anything at all.) Also the human factor is the same with BlackBerry. A seemingly legit app can ask for permissions and once you have granted them, it can do anything with them.

    And, of course, you can restore most Android phones completely - including the operating system - like you can with BlackBerry devices and their autoloaders.
    BigBadWulf and Fret Madden like this.
    01-27-17 06:32 AM
  4. Superdupont 2_0's Avatar
    [...] Once you have installed a malicious app, it's there. It's running. Even on BB10.
    [...] And, of course, you can restore most Android phones completely - including the operating system - like you can with BlackBerry devices and their autoloaders.
    And then I uninstall it from BB10 and the problem is solved.
    On Android, I would have to re-install the OS from a trustworthy source (preferably the OEM manufacturer).

    See, many people in my family ask me to take care of their phone or computer.
    I don't have time to do my research on how I can restore a rooted Android.

    So, I gave them BB10,
    Luckily they have found all the apps they need.

    On a side note, even if you give an app all kinds of permissions, its possibility to affect other apps seems to be very limited on BB10 (especially compared to Android).
    At least that's my understanding from some post of the few BB10 devs on CB.

    Of course, if I give an app permission to my contacts, SMS and whatever, the app can steal these data; in that respect all OSes are absolutely equal.
    Actually, another reason why I avoided Android in the past was the absence of a granular app permission model (like on BBOS, BB10 or iOS).
    In many ways Android has become more like BB10 these days, they introduced actionable quick settings, app permissions, a torch etc etc... things I enjoyed as *secure stock apps* long before Android users.
    keliew and blackbp like this.
    01-27-17 07:00 AM
  5. mbirth's Avatar
    And then I uninstall it from BB10 and the problem is solved.
    On Android, I would have to re-install the OS from a trustworthy source (preferably the OEM manufacturer).
    Nope, without root access, nothing can modify system apps. So when you factory reset the device, everything is back to normal.

    And to gain root, malware would have to use a very special security issue only present in a very few (and old) versions of Android on specific devices. This was mostly due to bugs introduced by manufacturers modifying the Android OS.

    And just because nobody publicly wrote about it yet, doesn't mean there aren't similar problems with some BBOS versions, too.


    See, many people in my family ask me to take care of their phone or computer.
    I don't have time to do my research on how I can restore a rooted Android.

    So, I gave them BB10,
    Oh, come on. How did you find out how to restore a BlackBerry device? You went on the homepage of the manufacturer, didn't you? It's the same with the Android devices.



    On a side note, even if you give an app all kinds of permissions its possibility to affect other apps seem to be very limited on BB10 (compared to other Android).
    At least that's my understanding from some post of the few BB10 devs on CB.
    And have you talked to some Android devs about that? It's the same there. One app can't see other apps' files or even modify them. Only if an app gains root access, this might be possible. But as explained above, it is very unlikely to happen on any recent Android phone.
    BigBadWulf and Fret Madden like this.
    01-27-17 07:15 AM
  6. Superdupont 2_0's Avatar
    Nope, without root access, nothing can modify system apps. So when you factory reset the device, everything is back to normal
    Sorry, but it's a fact that there has been malware in Google Play already which rooted devices.
    I don't make my risk assessments based on "what could happen in the best case?"

    I agree that many malicious apps from Google Play (the total download numbers over the last 2 years must have accumulated to several ten millions by now) did not root the device, just stole information (without agreement of the user) and/or showed annoying ads.
    But there have been more apps like Brain Test as well, which can root the device, and that is my main concern here.

    Note: I only talk about Google Play here!

    And again: On BB10 I just uninstall the app, no factory reset needed, no re-install needed.
    Just uninstall the app from BB10 and tell the user to be more careful in the future.

    Edit:
    Oh, I think I have to correct myself in one point.
    Due to a bug in the Android Runtime on 10.3.2, you maybe cannot fully uninstall an apk.
    In such cases, you would probably have to reload the OS to stay on the safe side.
    01-27-17 07:40 AM
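    The two posts above disagree on whether a device that ran a malicious app was actually rooted, and whether a factory reset is enough. Before deciding that, a practitioner checks the device for the visible traces rooting leaves behind. The script below is an added example for this thread, not code from the thread, from BlackBerry or from Google. It assumes DIR mirrors the device's root filesystem ("/" inside `adb shell`, or a pulled image tree) and checks the usual su binary locations, root-manager apps installed as system apps, the signing tags and security properties in build.prop, and, on a live device, whether /system is mounted read-write. Finding none of these does not prove the device is clean; a root that hides itself (the concern raised earlier in the thread) would not show up here.

```shell
#!/bin/sh
# Added example (not from the thread): root-indicator check over an Android
# filesystem tree. DIR is assumed to mirror the device root, i.e. "/" when run
# inside `adb shell`, or a directory holding a pulled image.

# Print one line per indicator found under DIR. Always returns 0, so it is
# safe to call under `set -e`; callers count the lines.
scan_root_indicators() {
    root="${1:-/}"

    # 1. su binaries: on a stock, unrooted device none of these paths exist.
    for p in system/bin/su system/xbin/su sbin/su su/bin/su vendor/bin/su; do
        if [ -f "$root/$p" ]; then
            echo "su binary: /$p"
        fi
    done

    # 2. Root-manager apps placed as system apps (placing them there needs root).
    for apk in system/app/Superuser.apk system/app/SuperSU.apk \
               system/priv-app/SuperSU/SuperSU.apk; do
        if [ -f "$root/$apk" ]; then
            echo "root manager app: /$apk"
        fi
    done

    # 3. Build properties. Release builds are signed with release-keys, set
    #    ro.secure=1 (adbd drops to the shell uid) and ro.debuggable=0.
    prop="$root/system/build.prop"
    if [ -f "$prop" ]; then
        if grep -q '^ro\.build\.tags=.*test-keys' "$prop"; then
            echo "build signed with test-keys (ro.build.tags)"
        fi
        if grep -q '^ro\.secure=0' "$prop"; then
            echo "ro.secure=0: adbd runs as root"
        fi
        if grep -q '^ro\.debuggable=1' "$prop"; then
            echo "ro.debuggable=1: debug build, ptrace/run-as restrictions relaxed"
        fi
    fi

    # 4. On a live device /system is mounted read-only; a read-write mount
    #    means someone with root remounted it (only checked when DIR is "/").
    if [ "$root" = "/" ] && grep -q ' /system [^ ]* rw[, ]' /proc/mounts 2>/dev/null; then
        echo "/system mounted read-write"
    fi
    return 0
}

# Number of indicators found under DIR (0 means no obvious signs of root).
count_root_indicators() {
    n=$(scan_root_indicators "$1" | wc -l | tr -d ' ')
    echo "$n"
}

# Exit status 0 = no indicators, 1 = device looks rooted. Findings go to stdout.
check_root_indicators() {
    if [ "$(count_root_indicators "$1")" -eq 0 ]; then
        echo "no root indicators under ${1:-/}"
        return 0
    fi
    scan_root_indicators "$1"
    return 1
}

# Stand-alone usage: `sh rootcheck.sh /path/to/image` or, on a device,
# `adb push rootcheck.sh /data/local/tmp/ && adb shell sh /data/local/tmp/rootcheck.sh /`
if [ "${ROOTCHECK_NO_MAIN:-}" = "" ] && [ -n "${1:-}" ]; then
    check_root_indicators "$1"
fi
```

On a live device the same properties can be read with `getprop ro.build.tags` and `getprop ro.secure` instead of parsing build.prop, and the mount check is the one most worth repeating after a factory reset: if /system comes back read-only with release-keys and no su binary, the reset did what the earlier post claims.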
  7. mbirth's Avatar
    But there have been more apps like Brain Test as well, which can root the device, and that is my main concern here.
    Would you please stop ignoring those parts of my posts which nullify your statements?

    There were only very few devices where those apps were able to root them at all. And those devices had security issues introduced by the manufacturer botching around in the Android source code. That's not at all a generic problem with Android or the Play Store.
    Fret Madden likes this.
    01-27-17 07:46 AM
  8. Superdupont 2_0's Avatar
    Would you please stop ignoring those parts of my posts which nullify your statements?
    I addressed it by saying: I don't make my risk assessments based on "what could happen in the best case?"

    You cannot nullify that there have been apps in Google Play which successfully rooted devices.
    That's simply a fact.

    You are absolutely correct that we should not confuse download numbers with numbers of successfully compromised OSes.

    I am not sure about "few devices", but okay, we both probably don't have any solid source for that (at least I don't have it at hand now).
    01-27-17 07:54 AM
  9. conite's Avatar
    On BlackBerry Android, no one has been able to demonstrate a persistent root, thus seemingly making this debate moot.
    mbirth, BigBadWulf and Fret Madden like this.
    01-27-17 08:12 AM
  10. Superdupont 2_0's Avatar
    On BlackBerry Android, no one has been able to demonstrate a persistent root, thus seemingly making this debate moot.
    Good point, but BlackBerry is continuously fixing the media server (Stagefright), so I assume their Android devices are in all likelihood vulnerable to a root attack.

    My problem is that I don't know the future.
    Based on my experience, I can only say that Android continuously showed critical security holes that allow rooting.
    And it's obvious that attackers constantly release malicious apps in Google Play.

    That doesn't allow the conclusion that *all* malicious apps of Google Play *can* root BlackBerry Android, okay, I get it.

    But the *possibility* that such an app will occur in Google Play and that it can root BlackBerry Android is significantly higher, compared to BB10.

    Again: I would not make any risk assessment based on "what could happen in the best case?".
    Worst case scenarios seem to be more likely for Android, based on all known vulnerabilities of today and the past.
    01-27-17 08:29 AM
  11. conite's Avatar

    But the *possibility* that such an app will occur in Google Play and that it can root BlackBerry Android is significantly higher, compared to BB10.
    There's the rub. The use of "possibility" and "significantly" are not scientific. We may find that BlackBerry Android is safe enough in all practical senses, and even more so when used in a containerized EMM solution - where we are most concerned about it anyway.
    01-27-17 08:41 AM
  12. Superdupont 2_0's Avatar
    There's the rub. The use of "possibility" and "significantly" are not scientific. We may find that BlackBerry Android is safe enough in all practical senses [...] .
    Yeah, my math skills are certainly too limited, but I am sure one can prove mathematically that Android is less secure in all kinds of scenarios, simply because the number of *critical* vulnerabilities is much higher and so is the appearance of malicious apps in Google Play.

    You are referring to "practical sense".
    Okay, I clearly remember a security report from Verizon, which basically concluded that smartphones are not incredibly safe, but attackers are simply not (yet) interested in mobile platforms.

    That's you, living in the peaceful countryside and never locking your door, because there are *practically* no burglars in your area. This is the kind of "security" we are talking about.
    People typically ask "how many devices have been compromised?" and then often conclude that the devices are "secure".

    However, if we follow the news over the last 2 years then we realize that the attacks increase, especially for Android, so the answer to the same question is about to change.

    BlackBerry is not making any statements whether BlackBerry Android could not be rooted through Stagefright vulnerabilities.
    01-27-17 09:08 AM
  13. mbirth's Avatar
    But the *possibility* that such an app will occur in Google Play and that it can root BlackBerry Android is significantly higher, compared to BB10.
    But this also has a lot to do with the fame of the system. Why put in any effort into infecting those "few" (sorry) remaining BBOS users when you can try to get 88% of all smartphones.

    It's the same with Apple Macs which were said to be "secure", but this was only because nobody bothered to create malware for them. Now that they are used more and more, Mac-specific malware appeared naturally.

    So in an alternate dimension where BB10 gained a huge userbase, you can bet that there would also be malware for BB10. And the absence of (public) information about BB10 vulnerabilities is no proof that they don't exist.
    Troy Tiscareno likes this.
    01-27-17 09:10 AM
  14. mbirth's Avatar
    BlackBerry is not making any statements whether BlackBerry Android could not be rooted through Stagefright vulnerabilities.
    There's a bounty of about $1000 for the first one who gets root on a PRIV. So if there was a possibility, we would already have root for the PRIV.
    01-27-17 09:15 AM
  15. Superdupont 2_0's Avatar
    So in an alternate dimension where BB10 gained a huge userbase, you can bet that there would also be malware for BB10. And the absence of (public) information about BB10 vulnerabilities is no proof that they don't exist.
    My view is a bit different, although I understand your view.

    When BB10 was released, the very first OS version was vulnerable to a root attack, well, if I remember correctly.
    A handful of other rather harmless security holes were reported later on.
    So, some security researchers were looking at the phone.

    I remember Justin Case, the guy who did a very complex root attack for the Blackphone.
    He announced a few years ago that he will try BB10 next, never heard of him again, at least nothing about BB10.

    In the end all my speculations and assumptions should be backed up by facts.
    In other words, I have to start with what I know.

    Matter of fact, the number of known critical vulnerabilities on Android is 100 times higher than *all* known vulnerabilities of BB10.
    I summarized it here:

    http://forums.crackberry.com/general...l#post12713599

    There are too many uncertainties about what we possibly perhaps maybe don't know, but I stick primarily to what I know, when I make a decision.
    01-27-17 09:24 AM
  16. conite's Avatar

    There are too many uncertainties about what we possibly perhaps maybe don't know, but I stick primarily to what I know, when I make a decision.
    And the only thing we know FOR CERTAIN, is that (whether through hardening, integrity detection, patching, or scanning by Google Play Services on the device) BlackBerry Android has never allowed elevated privileges through root.
    01-27-17 09:39 AM
  17. mbirth's Avatar
    Matter of fact, the number of known critical vulnerabilities on Android is 100 times higher than *all* known vulnerabilities of BB10.
    I summarized it here:

    http://forums.crackberry.com/general...l#post12713599

    There are too many uncertainties about what we possibly perhaps maybe don't know, but I stick primarily to what I know, when I make a decision.
    This, still, is a very distorted way to look at it. 1st, as explained earlier, Android has a much larger userbase and thus far more people who have an interest in breaking it. Which leads to many more security vulnerabilities found. 2nd, Android is open source and security experts (and amateurs) from all over the world can look at the code and point out security issues. Android even pays them if they find a serious issue. Whereas BBOS is closed source and only a few people at BB have access to the code to see if it contains any problems. And they don't pay people pointing out problems.
    01-27-17 09:57 AM
  18. Richard Buckley's Avatar
    This, still, is a very distorted way to look at it. 1st, as explained earlier, Android has a much larger userbase and thus far more people who have an interest in breaking it. Which leads to many more security vulnerabilities found. 2nd, Android is open source and security experts (and amateurs) from all over the world can look at the code and point out security issues. Android even pays them if they find a serious issue. Whereas BBOS is closed source and only a few people at BB have access to the code to see if it contains any problems. And they don't pay people pointing out problems.
    Ah yes, the old bromides that because the user base is small no one is trying to exploit the code, and that anyone can look at open source so it will have fewer problems. But neither of these ideas survives any amount of scrutiny. If publishing code in the open so anyone could look at it was such a great way of ensuring code quality, researchers wouldn't be turning up security problems that have been in open source code for decades without anyone publicly pointing them out (we don't know how many people privately found and exploited these issues before they were published).

    But don't take my word for it. This month Gerald Weinberg discusses code quality on the Software Engineering Radio Podcast. Mr. Weinberg -- who has been coding for seven decades and worked on Project Mercury for NASA -- was asked that question. His answer is, as most programming professionals will also tell you, whether or not a project is open source has much less to do with the number of errors than the way the project is run. Just because anyone in the world can look at the code doesn't mean anyone actually does, or that they are looking effectively. Conversely just because only a select few look at the code doesn't mean they aren't very effective in finding and correcting errors.
    Superdupont 2_0 likes this.
    01-27-17 12:30 PM
  19. JSmith422's Avatar
    Ah yes, the old bromides that because the user base is small no one is trying to exploit the code, and that anyone can look at open source so it will have fewer problems. But neither of these ideas survives any amount of scrutiny. If publishing code in the open so anyone could look at it was such a great way of ensuring code quality, researchers wouldn't be turning up security problems that have been in open source code for decades without anyone publicly pointing them out (we don't know how many people privately found and exploited these issues before they were published).

    But don't take my word for it. This month Gerald Weinberg discusses code quality on the Software Engineering Radio Podcast. Mr. Weinberg -- who has been coding for seven decades and worked on Project Mercury for NASA -- was asked that question. His answer is, as most programming professionals will also tell you, whether or not a project is open source has much less to do with the number of errors than the way the project is run. Just because anyone in the world can look at the code doesn't mean anyone actually does, or that they are looking effectively. Conversely just because only a select few look at the code doesn't mean they aren't very effective in finding and correcting errors.
    There seems to be truth on both sides of the open source vs private code debate. The thing that I seem to think about open source is that after a certain level of complexity, there are very few people with the knowledge to find such vulnerabilities....let alone the time, inclination, resources, or money. That said, most of those very same people can be hired for a (relatively) nominal cost to examine private code all day long. My guess is that a thoroughly examined private code set is just as, if not more, examined than public. The difference comes in, and this is a big one for me, on Trust. With open source you know other people have looked at the code, published their results, and have a generally good idea about what that code is doing. With private code, that's not true. You have to trust the company has done a full and proper review, dedicated the necessary resources, properly fixed vulnerabilities, AND not hidden some secret code in there running in the background doing things you don't want done on your device. But there has to be that level of trust, because there's nobody to verify. There are really pros and cons to each approach.

    Generally speaking, we know Android data mines. This is verified. We assume Blackberry (for the most part) doesn't. But this is unverified because nobody has seen the code. We're just taking them at their word, and trusting that what they say is true.

    Posted via CB10
    keliew likes this.
    01-28-17 04:08 PM
  20. JSmith422's Avatar
    If you haven't read it yourself aren't you merely parroting what you've heard as opposed to presenting concrete facts? The ToS isn't terribly dense in the slightest.
    I've read every TOS for every device, piece of software and service I use. I've yet to find one from any major company that defines with any specificity exactly what is collected and exactly how it is used. I've done extensive research on many tech companies and all of the majors, and bottom line for me was that I just can't find a level of trust for Google, so I don't use their services. That said, I'd be interested in seeing the TOS you're referring to and to know which Google services they apply to, can you post a link?

    Posted via CB10
    01-28-17 04:15 PM
  21. BigBadWulf's Avatar
    Shouldn't there be just as much concern for a server hack of BlackBerry's NOC as the Google's?
    01-28-17 04:26 PM
  22. JSmith422's Avatar
    I'd love to see proof about that and whether the (anonymous) data, if existing, is of any value or just some one-time statistical counter to see how many Android users are there.
    We're trying to find proof too, one way or the other....there's just a lot of conjecture on both sides of the debate. For our company, we don't want any information (statistical or otherwise) leaving our devices without our express knowledge and permission. One of the problems we see is that things are somewhat mutually exclusive: it's very difficult to have "pure statistical data" beamed home without inadvertently collecting "less anonymous" information, like IP address. Just because a company doesn't log IP addresses doesn't mean they can't log IP addresses simply by flipping a switch.

    That's a monumental task in 2017. Unfortunately, one that's largely falling in my lap.

    Posted via CB10
    01-28-17 04:26 PM
  23. Richard Buckley's Avatar
    ... The difference comes in, and this is a big one for me, on Trust. With open source you know other people have looked at the code, published their results, and have a generally good idea about what that code is doing. With private code, that's not true. You have to trust the company has done a full and proper review, dedicated the necessary resources, properly fixed vulnerabilities, AND not hidden some secret code in there running in the background doing things you don't want done on your device. But there has to be that level of trust, because there's nobody to verify. There's really pros and cons to each approach.

    ...

    Posted via CB10
    Unless someone, or some groups, publishes the result of a complete code review you don't know if anyone has looked at open source at all, except for code where they have published vulnerabilities. That is a big problem with open source code. For the vast majority of it no one gets paid to do code reviews. The only incentive (other than altruism) to look at open source is that it is easily available and one can build a reputation by finding problems. That is why code like the StageFright library can go for 10 years without any major issues reported. Then when one group finds a major problem other groups start looking at it. Where there is one problem there are usually others. StageFright (now with a new name) is an easy win for researchers. But what about all the other code used in various products because it was free.

    You are right about trusting closed source companies to do the right thing, but over time it is easy to decide who is worth the trust. How many times has Microsoft told us that they have completely rewritten part of the Windows interface only to later have the same bug affect versions of Windows back to XP? I've lost count.

    The idea that a small user base doesn't get scanned for exploits comes from Apple advertising their OS as virus free, until they got hit by a virus.

    The UK DOD recently announced they are dropping plans to build a secure military smartphone system on top of Samsung Android technology because it can't be secured. They are now going to try with iPhone 6.

    BlackBerry was the leader in smartphone sales until the iPhone came out, and was a significant player for a couple years after. They managed to maintain a superior security posture for their products during that time.

    The world is complicated. You can't make sweeping decisions about complex issues based on one data point. Open source does not mean more or less secure. Neither does closed source. Neither factor gives any predictions about security. It would be nice if they did, my life would be a lot simpler.


    LeapSTR100-2/10.3.3.2163
    keliew and Superdupont 2_0 like this.
    01-28-17 04:42 PM
  24. mbirth's Avatar
    The UK DOD recently announced they are dropping plans to build a secure military smartphone system on top of Samsung Android technology because it can't be secured. They are now going to try with iPhone 6.
    Do you have a legit source for that? Because this article says something about the Samsung Note being dropped because iPhones were already widely spread throughout the MoD. No security issues. (See the "Update" part at the end of the article.)

    And how a British mobile service provider should be able to improve the security of a closed-source operating system even they can't get their hands on, is beyond me. So there's that.
    01-28-17 04:52 PM
  25. thurask's Avatar
    Shouldn't there be just as much concern for a server hack of BlackBerry's NOC as the Google's?
    You see, unlike Google or any other company on the planet, BlackBerry is apparently infallible.
    mbirth, BigBadWulf and Fret Madden like this.
    01-28-17 05:15 PM
