  1. EFats
    I got a few minutes to feel a bit smug about my Blackberry devices after watching this little TV clip from CBC: Are your apps spying on you? Apps and your privacy - Marketplace - CBC News &
    'We're paying with our data': Why privacy can be a problem with apps - Technology & Science - CBC News

    It was really eye opening to the non-Blackberry users in the family, who are really quite concerned now. (Though I'm sure it will be temporary). Fairly interesting segment where they showed just how easy it was to grab data from the phone with a really easy to use application. They could even take pictures on demand from the front facing camera without the user knowing.

    As for me, maybe there's a bit of a false sense of security. I generally stay away from any Android ports and when I run them, if possible, I turn off all my radios. I pointed out to my iPhone user that my Blackberrys always tell me what sort of permissions an app is requesting and I can deny any or all of them if I wish. (Generally anything asking for something that is not explained or doesn't make sense, I uninstall right away).

    I think this is part of what should be meant when Blackberry say security is baked into the system from the very beginning. Yes, I know Marshmallow/Nougat allows finer grain app permissions, but that's only just over a quarter of the Android user base. And the people using an older Android phone are out of luck, cause your phone probably isn't going to get updated. (I like to believe my Q10 & Z10 were more secure to start with and you know, it still gets an update today). Sure, Android now does better app permissions, but it makes me think, what else did they miss cause this wasn't a priority when they first designed the OS AND system (i.e. phone hardware)? I think iOS fares better, you are supposed to get finer grain permissions per app (but not at install time). However, in practice, I don't recall the user ever being asked. Certainly the iPhone user in the family doesn't remember ever granting any permissions to any app, even though we know some of those apps need access to local files, contacts, camera, microphone and network connections to function.

    Sadly, most people really, really do not care about security!

    A bit of an aside, I think in the show they also demonstrated how much the white hats could do knowing just your phone number. Hey, name a messaging app that doesn't require your phone number? :-)
    I think the free e-mail services also now require phone numbers to sign up too, right?
    01-08-17 11:05 PM
  2. bobshine
    iOS does have granular permission. As opposed to other OS, granular permission on iOS is off by default and apps have to request permissions upon first use.

    Security and functionality don't go hand in hand, that's what people have to understand. If you want to keep your life 100% private, then don't buy a cellphone. Even with your blackberry and all permissions turned off, your carrier can track your location and theoretically can do target advertising.
    Elephant_Canyon likes this.
    01-08-17 11:14 PM
  3. Bla1ze
    I'm confused as to why you think BlackBerry 10 should have specifically been mentioned. The article itself isn't so much about 'apps doing things behind your back', it's basically about 'what you're agreeing to when using these apps that you don't think about'.

    There's nothing in BlackBerry 10 that fundamentally stops users from handing over their data without thinking about it. If I download XYZ App and it wants to pilfer my call log and I give it the permission to do so, there's nothing in BlackBerry 10 that stops it. I gave it the permission to do so.

    I can retract that permission, sure or never allow it to begin with but that's the extent of it and again, you would have to be paying attention to what it does in the first place to even consider that. Goes back to the whole knowing what you're agreeing to when using apps that you don't think about.

    The only place BlackBerry 10 could have been mentioned is here:

    App stores like Apple's iTunes and Google's Play have guidelines that require apps to disclose what permissions they want and what they do with the data. But it's still possible for apps to push past what you'd expect and ask for data they don't need.
    Because it's just as true for BlackBerry, BlackBerry 10 and BlackBerry World. The system can be, and has been, exploited before.
    01-08-17 11:18 PM
  4. thurask
    Any platform can have apps that overstay their welcome, there isn't something inherent to BlackBerry 10 that makes developers good Samaritans. About the only "positive" for BB10 here is that it has less than 1/10 the possible vectors, if one could spin that into a positive.
    01-08-17 11:31 PM
  5. Richard Buckley
    ...

    Security and functionality don't go hand in hand, that's what people have to understand. If you want to keep your life 100% private, then don't buy a cellphone. Even with your blackberry and all permissions turned off, your carrier can track your location and theoretically can do target advertising.
    I don't know why people keep saying this when it isn't true. I've spent the last 30 years writing software that implements the required functionality securely. It can be done. It is sometimes, but not always, more expensive up front; but is usually less costly in the long run. But no one looks at TCO any more.


    LeapSTR100-2/10.3.3.2163
    01-09-17 04:32 AM
  6. bobshine
    I don't know why people keep saying this when it isn't true. I've spent the last 30 years writing software that implements the required functionality securely. It can be done. It is sometimes, but not always, more expensive up front; but is usually less costly in the long run. But no one looks at TCO any more.


    LeapSTR100-2/10.3.3.2163
    Here's a clear example: Facebook can connect you with your friends based on GPS location... so it will advise you when one of your friends is near. To do that, well you obviously have to share your location with your friends and a group of contacts. Automatically that will decrease your privacy... seems logical.
    01-09-17 10:15 AM
  7. Richard Buckley
    Here's a clear example: Facebook can connect you with your friends based on GPS location... so it will advise you when one of your friends is near. To do that, well you obviously have to share your location with your friends and a group of contacts. Automatically that will decrease your privacy... seems logical.
    Here is a clear counter example. When I paid for gas on the way to work, a service provider (Interac) took money out of my account and put it in the gas station account. Even though I had less money than I started with there was no security issue. For that money I received goods and/or services.

    If the pump had a skimmer on it and thieves emptied my account that would be a security problem.

    I have no problem with ad-supported services, nor with companies gathering data and selling it to make money that pays for a service I want and makes a profit for the company, as long as they are up front and honest about it. I do have a problem with companies that say that they need data to provide the service even when they don't. For example I don't choose to find Friends on Facebook by geography, and they don't require me to share my location data with them. Their services do what I want without that. So all that is fine.

    What I don't want to do is hand over my data on their terms without any reasonable quid pro quo. But all this is a long way from the idea that providing functionality reduces security. If we were to pay the actual cost of a geographical hookup service the service provider wouldn't have to monetize our data and could build a system that would handle that data in a secure way. We are now in an era when people don't want to pay what things cost so companies work around that issue. But you don't need the cheesecloth security Android provides to run either model, but getting your software for free does increase profits. But I get to choose the payment model I will use out of those available, you can choose yours. But you shouldn't make the mistake of believing one is inevitable and the other impossible.

    LeapSTR100-2/10.3.3.2163
    iled likes this.
    01-09-17 04:13 PM
  8. bobshine
    Here is a clear counter example. When I paid for gas on the way to work, a service provider (Interac) took money out of my account and put it in the gas station account. Even though I had less money than I started with there was no security issue. For that money I received goods and/or services.

    If the pump had a skimmer on it and thieves emptied my account that would be a security problem.

    I have no problem with ad-supported services, nor with companies gathering data and selling it to make money that pays for a service I want and makes a profit for the company, as long as they are up front and honest about it. I do have a problem with companies that say that they need data to provide the service even when they don't. For example I don't choose to find Friends on Facebook by geography, and they don't require me to share my location data with them. Their services do what I want without that. So all that is fine.

    What I don't want to do is hand over my data on their terms without any reasonable quid pro quo. But all this is a long way from the idea that providing functionality reduces security. If we were to pay the actual cost of a geographical hookup service the service provider wouldn't have to monetize our data and could build a system that would handle that data in a secure way. We are now in an era when people don't want to pay what things cost so companies work around that issue. But you don't need the cheesecloth security Android provides to run either model, but getting your software for free does increase profits. But I get to choose the payment model I will use out of those available, you can choose yours. But you shouldn't make the mistake of believing one is inevitable and the other impossible.

    LeapSTR100-2/10.3.3.2163
    You just demonstrated yourself the fact that more features equals more risk. In this case, having the convenience of Interac payment increases your security risk cause the reader could have a cloning device.

    I am not against more features. But it's a trade off: the more features a device has the more complex it gets, the more security risk. Android allows outside apps to be installed, so more risk. iOS allows only App store apps... less risk. Simple. Get yourself a dumb phone... less risk of your pictures getting hacked cause they don't upload it to the cloud.
    01-09-17 07:24 PM
  9. Richard Buckley
    You just demonstrated yourself the fact that more features equals more risk. In this case, having the convenience of Interac payment increases your security risk cause the reader could have a cloning device.

    I am not against more features. But it's a trade off: the more features a device has the more complex it gets, the more security risk. Android allows outside apps to be installed, so more risk. iOS allows only App store apps... less risk. Simple. Get yourself a dumb phone... less risk of your pictures getting hacked cause they don't upload it to the cloud.
    If you mean the risk of the gas pump having a skimmer, rather the contrary. There are ways of implementing card payment systems that are not vulnerable to skimming, they are being rolled out over time. The reason they weren't implemented in the first place is that the payment companies took the calculated risk of not investing the money and effort into securing the system from the start. The big difference is that in order to convince people to use the systems they agreed to accept the majority of the risk.

    In many ways IT security is today in a place where aviation safety was 20 or 30 years ago. Roll something out without a lot of thought and accept the risk because that looked like the best way to make money. After something bad happens investigate and fix the problems found, rinse and repeat. There is only so far that can take you in improving safety and we got there in the 80's or 90's. Similarly there is only so far that can take you in security. Some industries realised that about the same time as the aviation safety industry did. Most either haven't, or are still in the mode that it is better to make the money first and accept the risk. The problem is all the risk is pushed onto the user. You don't have to look any further than this site to see that the predominant belief is "the greatest risk to smartphone security is the user". That's like blaming passengers for airplane accidents. Who should be in a better position to secure a software system, the users or the programmers and operators? Would you say that airline passengers are responsible for making sure their airplane is properly maintained, fuelled, de-iced and piloted?

    Now before you point out that airplanes still crash, take a look at the relative frequency, scope and economic cost of aviation accidents compared with software security.

    No, the state of software security is the way it is because the people who can make a difference choose to have it this way. Just look at an EULA for attribution of liability and compare that to the liability an airliner manufacturer shoulders. Or really compare the liability of a software engineer -- as we like to call ourselves -- with the liability insurance of any other branch of engineers.

    LeapSTR100-2/10.3.3.2163
    01-10-17 04:35 AM
