10-22-13 05:03 AM
34 12
tools
  1. pappymappylappy's Avatar
    Under application permissions, I see the Permissions drop down for "internet".

    However, nobody needs to ask. Everybody gets internet for my OS for some reason.

    For example, I can block a poker game from getting access to my Email messages that it requests. However I dont have the option to prevent this program from accessing the internet. And infact it can freely do so. Well, I want to use it for online play anyway, but if I were inclined to prevent similar programs from accessing the internet on my device, there is no way to do it basically?

    Or is this feature not activated yet for this new OS that still needs work, or is there something wrong with my OS?
    07-13-13 12:50 AM
  2. KermEd's Avatar
    I think it's a dummy setting to be honest.

    If I add it to an app it installs the permission without asking.

    That said I've never tested denying it before...

    Posted via CB from my LE
    07-13-13 12:51 AM
  3. pappymappylappy's Avatar
    I think it's a dummy setting to be honest.

    If I add it to an app it installs the permission without asking.

    That said I've never tested denying it before...

    Posted via CB from my LE
    Can you even deny it?

    I cant even choose it.

    Also, the only programs I see under the permissions tab are some third party programs.

    However, all of them get internet access and I cant turn it off. Its not even an option on the screen under Application Permissions. Is yours like that too?
    07-13-13 12:54 AM
  4. KermEd's Avatar
    Yeah your right.

    I checked my app secure browser, which explicitly asks for Internet permissions in the xml files.

    No settings to actually disable it's Internet access in the app settings screen once installed.

    Additionally, the asking for Internet access never actually reaches the users during installation.

    Posted via CB from my LE
    07-13-13 12:59 AM
  5. 93Aero's Avatar
    There should be a mobile version of Little Snitch.
    07-13-13 01:03 AM
  6. pappymappylappy's Avatar
    Yeah your right.

    I checked my app secure browser, which explicitly asks for Internet permissions in the xml files.

    No settings to actually disable it's Internet access in the app settings screen once installed.

    Additionally, the asking for Internet access never actually reaches the users during installation.

    Posted via CB from my LE
    Sorry I'm new to this. So you mean you have a developer platform so you can see actual system files? And from there you can see internet permissions?

    All I have is the phone OS interface. From there, under securities tab and Application Permissions, none of the programs have a toggle for me to select whether internet is allowed or not. Basically they all have it if they want I think. I have the King Poker game that runs perfectly fine on multiplayer and I cant shut its connection down if I wanted. No option whatsoever under Application Permissions.

    This is in distinct contrast to my old BB that allowed me to allow each and every program whether they have access to data, Wifi, bluetooth etc. Very specific. In my phone BB10, its completely dumbed down. Only a few selections. And it seems they dont even have to give the courtesy to ask. They just get access to it, like the internet.
    07-13-13 01:03 AM
  7. pappymappylappy's Avatar
    There should be a mobile version of Little Snitch.
    Blackberry prides themselves on security. They should be providing this. Let law enforcement and security services get access all they want on some backdoor, but they gotta clamp down on all third party apps from getting access to the internet without permission.
    07-13-13 01:15 AM
  8. KermEd's Avatar
    1)
    So you mean you have a developer platform so you can see actual system files? And from there you can see internet permissions?
    ...
    2)
    This is in distinct contrast to my old BB that allowed me to allow each and every program whether they have access to data, Wifi, bluetooth etc. Very specific. In my phone BB10, its completely dumbed down. Only a few selections. And it seems they dont even have to give the courtesy to ask. They just get access to it, like the internet.
    1) Sort of - more or less. There is an xml file inside the package that we shows what permissions are requested - kind of like a checklist. One of them is Internet access.

    2) Yeh I never looked at it that carefully but you are right. I see no way to block an app from Internet access at this point... keeping in mind that might change on an OS update at some point.

    Posted via CB from my LE
    07-13-13 01:37 AM
  9. pappymappylappy's Avatar
    1) Sort of - more or less. There is an xml file inside the package that we shows what permissions are requested - kind of like a checklist. One of them is Internet access.

    2) Yeh I never looked at it that carefully but you are right. I see no way to block an app from Internet access at this point... keeping in mind that might change on an OS update at some point.

    Posted via CB from my LE
    Thanks. How are you seeing the .xml files of the programs you downloaded?

    Wow I'm kind of disappointed if that is the case. So this is a problem on Blackberry's end then. This is a huge fail again IMO. I already think them not allowing old apps be used in BB10 is a huge fail. This is an even huger fail. They always prided themselves on security. Yet this would constitute the biggest security related mistake ever. Not allow the user to block, even implicitly from their end, the access of phone functions given to third party apps?

    Geez, I mean Im sure there are law enforcement backdoors programmed into the OS. This is fine. I just dont want some third party program accessing the net and data from my phone at will.

    I just tried a few programs. The King poker game can play multiplayer without asking for my persmission to go online. I cant block them either. Wifi, data, whatever works it gets. Same with battleship game, all in access. Internet radio app has access to internet but never asked for permission and cant block. The chess program can access the browser at will. Has a database of chess players you can click to see their profile and they load you into their online wikipedia page. LOL. This is such a huge fail. 100% unfettered access from third party apps for the internet and other functions. Makes you wonder what else they have access to. Even if you clicked decline, they might still have access, but at least it would have given you the perception of a choice.. LOL.
    Last edited by pappymappylappy; 07-13-13 at 01:56 AM.
    07-13-13 01:42 AM
  10. Richard Buckley's Avatar
    Thanks. How are you seeing the .xml files of the programs you downloaded?

    Wow I'm kind of disappointed if that is the case. So this is a problem on Blackberry's end then. This is a huge fail again IMO. I already think them not allowing old apps be used in BB10 is a huge fail. This is an even huger fail. They always prided themselves on security. Yet this would constitute the biggest security related mistake ever. Not allow the user to block, even implicitly from their end, the access of phone functions given to third party apps?

    Geez, I mean Im sure there are law enforcement backdoors programmed into the OS. This is fine. I just dont want some third party program accessing the net and data from my phone at will.

    I just tried a few programs. The King poker game can play multiplayer without asking for my persmission to go online. I cant block them either. Wifi, data, whatever works it gets. Same with battleship game, all in access. Internet radio app has access to internet but never asked for permission and cant block. The chess program can access the browser at will. Has a database of chess players you can click to see their profile and they load you into their online wikipedia page. LOL. This is such a huge fail. 100% unfettered access from third party apps for the internet and other functions. Makes you wonder what else they have access to. Even if you clicked decline, they might still have access, but at least it would have given you the perception of a choice.. LOL.
    You are correct in that legacy BB devices one could select whether an application had access to the internet. That said, I'm not sure that it was used very often, I know it confused users who would then create support calls because the application wouldn't work without internet access. The utility and necessity of connectedness in a smartphone application has evolved considerably since the legacy permission set was created. The permissions changed considerably from BBOS 5 through 7 and would have likely continued to evolve to what we have on BB10 if BBOS development continued.

    I am curious as to what security risk you feel an application like King Poker poses because it has internet access. Certainly an application that has access to shared files, or PIM data and the internet could be used to steal data. What do you think an application without such access can do? BlackBerry uses technology from Trend Micro to scan App World for applications that do this, but there is a onus on users to do their due dilligence as well in installing applications.
    SDTRMG likes this.
    07-13-13 10:29 AM
  11. KermEd's Avatar
    Just to be clear. We have to ask for permission to access your data. It's Internet access we ask for, but the ask is automatically accepted.

    I have a particular dislike for the term 'fail'.

    What I will say is RIM is allowing internet access to go unblocked for applications. But apps that need it are still being registered to RIM's servers and analyzed during testing.

    The lock down on Internet apps will come to the OS if it's ever needed

    Posted via CB from my LE
    07-13-13 12:08 PM
  12. Gerii's Avatar
    You can't disable it because only Android apps have to add a permission to access the Internet and you can't disable single permissions for Android apps. Other apps can access the Internet even if they aren't listed in the settings app.

    Posted via CB10
    07-13-13 12:22 PM
  13. SDTRMG's Avatar
    I don't see what the big deal is, I ti understand to a point but ios and to an extent android don't even give you an option to block most app permissions , this is actually a set in the right direction for security on a modern Os even if it needs to be fine tuned a little or lot more. I see a lot of bbos people complaining about this, I still use my ipad and g nexus and like that I can block certain permissions on bb10.

    Posted via CB10
    07-13-13 12:22 PM
  14. anon(6174160)'s Avatar
    Just to be clear. We have to ask for permission to access your data. It's Internet access we ask for, but the ask is automatically accepted.

    I have a particular dislike for the term 'fail'.

    What I will say is RIM is allowing internet access to go unblocked for applications. But apps that need it are still being registered to RIM's servers and analyzed during testing.

    The lock down on Internet apps will come to the OS if it's ever needed

    Posted via CB from my LE
    So basically apps ask but definitely get? And there is no way for the user to shut it down? So a malware can also ask and definitely get access? Then even all those 100s of stupid puzzle 'games' can have internet access all they want when they clearly dont need it and you wouldnt even know they are using the data?

    Well, you say lock down will come when needed. Is this an "oops... oh well sorry about that" hindsight kinda thing?
    07-13-13 12:27 PM
  15. Gerii's Avatar
    Native/WebWorks/Air apps don't have to ask the user.

    Posted via CB10
    07-13-13 12:29 PM
  16. anon(6174160)'s Avatar
    I don't see what the big deal is, I ti understand to a point but ios and to an extent android don't even give you an option to block most app permissions , this is actually a set in the right direction for security on a modern Os even if it needs to be fine tuned a little or lot more. I see a lot of bbos people complaining about this, I still use my ipad and g nexus and like that I can block certain permissions on bb10.

    Posted via CB10
    Were you a BB user before?

    Yes and thats why some people still prefer the BB. But it seems they are moving to the mainstream, in which case they lose that advantage. Its almost like BB throwing away the keyboard phones for future devices. Thanks but I will be out. Iphone >>>>>>> Z10. Sorry, Im only here for the Q10. Same with the security aspects. If they are like iOS where app security is questionable, then what the hell, if device security is down the drain anyway, and you throw away the keyboard phone, I guarentee you even I will be an iPhone user.

    The old BB allowed you to choose permissions with a much higher degree of control. So in many ways, this is a move BACKWARDS by not allowing more control.

    I also cant even see an option to have internet switched off from permissions.
    07-13-13 12:32 PM
  17. anon(6174160)'s Avatar
    Native/WebWorks/Air apps don't have to ask the user.

    Posted via CB10
    They dont have to ask but when you goto Application Permissions do you see the option there to turn it off or not?

    I think there are two issues. One is applications dont need to ask. The other is applications that grab access, cant be denied access.

    Frankly that means the user has absolutely no way to know whether applications use the internet and data at all. If your software can ask for access and get it without permission, and there is no way to switch it off, then youre basically sitting duck. You are completely oblivious to what the app is doing.
    07-13-13 12:34 PM
  18. KermEd's Avatar
    I think there are two issues. One is applications dont need to ask. The other is applications that grab access, cant be denied access.
    You got it. Now, lazy developers that don't ask for Internet access may one day find their apps broken if security policies change. I won't feel bad for them .

    I've always seen this as a bit of a security gap. Now, with that said, even if they did as for Internet access - its not like we can see what data is being sent. Now I'm making the assumption RIM does not look close at URL streams during app testing.

    But, as a developer, I can only transmit data I can access. Which means I can't transmit what you do in your banking apps or in the browser. I can transmit the options you select in my program.

    Someone once asked if we could theoretically transmit your shared documents and photos - yes. But I don't know that even nefarious folks would want it. The data there has no value (its expensive to transmit, store. Photos of someone cat aren't exactly worth anything, same with a half written note on a book someone is writing.) the time and effort to parse the data isn't worth the investment.

    Where it has a risk, is a fake TD banking app where they collect your data.

    Apps on bb10 have much less access to user info over bbos5/6/7 which might be why too..

    Posted via CB from my LE
    07-13-13 12:55 PM
  19. KermEd's Avatar
    Ah I should mention a good use case.

    Some of my apps have remote kill switches and remote pop-up alerts.

    So, I have a master configuration file buried in the cloud. Some of my apps will request and read it when you launch them. If it can't read or find the file it ignores it. But if the file has flags sent, it alters the program.

    I do this for two reasons. One, if there is a broken service - so let's say the plugin server for my wysieyg html editor is offline - I can remotely notify all my users / or gray out the option with a text box below it saying "Offline".

    Two: if I find out there is a major bug that causes risky issues for client (like those backward developers for that music app that started deleting everyone's shared documents and did so little to fix it) I can remotely kill the app for all clients with a message saying why.

    I actually do user notifications periodically (I update the news for the app and what im doing next) in media connect.

    Posted via CB from my LE
    Richard Buckley likes this.
    07-13-13 01:03 PM
  20. anon(6174160)'s Avatar
    You got it. Now, lazy developers that don't ask for Internet access may one day find their apps broken if security policies change. I won't feel bad for them .

    I've always seen this as a bit of a security gap. Now, with that said, even if they did as for Internet access - its not like we can see what data is being sent. Now I'm making the assumption RIM does not look close at URL streams during app testing.

    But, as a developer, I can only transmit data I can access. Which means I can't transmit what you do in your banking apps or in the browser. I can transmit the options you select in my program.

    Someone once asked if we could theoretically transmit your shared documents and photos - yes. But I don't know that even nefarious folks would want it. The data there has no value (its expensive to transmit, store. Photos of someone cat aren't exactly worth anything, same with a half written note on a book someone is writing.) the time and effort to parse the data isn't worth the investment.

    Where it has a risk, is a fake TD banking app where they collect your data.

    Apps on bb10 have much less access to user info over bbos5/6/7 which might be why too..

    Posted via CB from my LE
    But the point is it should be left to the user. I would say the majority of apps do not legitimately need an internet connection. The only reason some may still want it is to return user usage information as feedback for their software. Still, this is a privacy option best left for the user to OPT IN.

    I see this as problematic. I dont think all apps should have internet access. Control over this should have been very tight.

    You also mentioned BB checks the apps put on the app store. I dont think so. If anything its probably a major push over, and the whole thing is a paper pushing operation. I dont think they have engineers comb through the program or even take a look at source code to understand what the program does etc. I think its not unreasonable to expect some malware can easily slip through the cracks and make it onto app world. Also, I already downloaded some games that dont work for the Q10 as they simply ported over from android. If anything functionality would have been the least they would check in due diligence right? So the security aspect of apps, I am sure comes later, and thus become even more questionable.

    Not only is there 'security' or 'privacy' issues but I also see it as potentially being bad for people's data usage. Most people have limited data plans. The last thing they need is some app constantly sending pings back to the home server or sending information etc to keep using more data.

    I have to say I am getting more and mroe disappointed with blackberry as I move along in this experience of the Q10. I think the Q10 phone design and some aspects of BB10. But things like poor battery life, thermal issues, certain BB10 OS issues (this application permissions being one of many issues I have) is not making this transfer from 9700 to Q10 all that pleasant. I think if they keep this up they will lose customers and its not hard to see why.
    07-13-13 01:07 PM
  21. anon(6174160)'s Avatar
    Ah I should mention a good use case.

    Some of my apps have remote kill switches and remote pop-up alerts.

    So, I have a master configuration file buried in the cloud. Some of my apps will request and read it when you launch them. If it can't read or find the file it ignores it. But if the file has flags sent, it alters the program.

    I do this for two reasons. One, if there is a broken service - so let's say the plugin server for my wysieyg html editor is offline - I can remotely notify all my users / or gray out the option with a text box below it saying "Offline".

    Two: if I find out there is a major bug that causes risky issues for client (like those backward developers for that music app that started deleting everyone's shared documents and did so little to fix it) I can remotely kill the app for all clients with a message saying why.

    I actually do user notifications periodically (I update the news for the app and what im doing next) in media connect.

    Posted via CB from my LE
    There are some uses of it for sure. But again, this does not negate the fact the users of a software should ideally have the choice to allow it or not. It should be an OPT IN approach.

    Infact, it seems its not even a matter of Opt In/Opt Out. Its essentially mandatory and users dont have a choice or say in the matter at all. I think internet access should be left to the app developer to clearly state in a disclaimer why they need internet access for their apps so users can opt in. Not all programs should be cloud based.

    Finally, even more critical, is that Blackberry should be defending users here. The phone and the BB10 OS itself should allow users the option to switch off any function they dont like. Even if it bricks the program.

    On a side note, are app developers even allowed to make killswitches for programs? I mean this seems kinda aggressive and I'm not sure about user agreements and all but it seems like something that users should clearly accept in some form of disclaimer first right? Particularly for paid apps. See this is exactly another reason why net access should be limited.

    I know iOS apps have kill switches and BB10 can push apps to you, but these are from Apple HQ and your carrier respectively. And the user clearly signed an agreement with these parties that allows them to do this. However I dont think users agreed with third party apps to allow them to killswitch a program on command? Another reason why internet control needs to be on major clamp down.
    07-13-13 01:20 PM
  22. KermEd's Avatar
    Totally get you guys. And I'm on board with what your saying. I fully agree it's a gap and should be in the hands of users.

    I'm just saying the risk is smaller. It's still there it's just smaller than it appears because of sand boxing

    If they could access your contacts + Internet without permission I'd be terrified for example. But if it's a soduko game, all it can really do is tell the servers how many puzzles you got right / wrong.

    Not saying its 0 risk. Just lower risk thanks to the other precautions added.

    Posted via CB from my LE
    SDTRMG likes this.
    07-13-13 01:24 PM
  23. anon(6174160)'s Avatar
    Totally get you guys. And I'm on board with what your saying. I fully agree it's a gap and should be in the hands of users.

    I'm just saying the risk is smaller. It's still there it's just smaller than it appears because of sand boxing

    If they could access your contacts + Internet without permission I'd be terrified for example. But if it's a soduko game, all it can really do is tell the servers how many puzzles you got right / wrong.

    Not saying its 0 risk. Just lower risk thanks to the other precautions added.

    Posted via CB from my LE
    I think history has shown its a constant fight and malware will find its holes eventually and exploit it. But at the least they should block off or allow access control to all programs.

    Yes for a soduku game thats one of the uses. However thats assuming the app developers have no mal intent. THis may be the most common scenario but thats not what security is about. Security is about defending against that small chance of issues. Maybe the program disguises as a popular game for the user, but really its a botnet, and your phone is used to spam ppl etc. I mean all of this stuff is possible when you give it net access.

    Or what about this, it starts off an innocent program with full net access. However because it has continued access, the malware gets uploaded to the program after the fact. Its a trojan basically. It sits there. No problems at all. Can send and accept data on its own without the user knowing. On good and bad days its a working game everybody loves. Then the malware developer flips a switch some random day and uploads the current flavor of malware of the day to everyone, and everyone using the app gets made and exploited. And then after their dirty work is done they clean the malware off everyone so nobody realizes anything. Then the program sits there waiting all the while gaining more popularity as a fun game. Then the next time he updates the latest and greatest in malware for their next gig. I see HUGE problems with just blindly giving apps access to the internet with absolutely ZERO user access control.

    See it should be like this. Popular Online Multiplayer Poker game = Yes to internet access. I am willing to take the risk. A simple puzzle solving game = No to internet access. I dont care what app developers have to say. MSN Messenger for chatting with others = yes to internet access. Skype for making internet voip calls = yes to internet access. Compass app = No to internet access.
    07-13-13 01:34 PM
  24. KermEd's Avatar
    What could the malware do though?

    There is a difference. Apps like Secure Browser, I had to go through a 1 month testing, major analysis etc to get it approved. And they did do a code analysis on it to make sure I'm not taking private info.

    But let's assume someone builds a malware injection. What can that malware do they couldn't have just done right off the bat? Like they could just include it in the release.

    Posted via CB from my LE
    07-13-13 01:41 PM
  25. KermEd's Avatar
    The reason why I am saying this. Is iOS has malware apps. They have the code from day 1 in a disabled state. On day 90 it enables itself. Once enabled it makes a thousand 1 dollar in app purchases for apps you don't even have. Then disables itself.

    Android has the same only it uses malware as a background process. It so harvest data from SMS and email to steal bank transfers etc.

    RIM doesn't have that problem because they require user prompt validation for in app. And apps can't run in the background. I just don't see malware injection bring a risk you don't have today. The malware could just as easily be dormant.

    The malware still can only access your game statistics and my documents you know what I mean?

    Posted via CB from my LE
    SDTRMG likes this.
    07-13-13 01:49 PM
34 12

Similar Threads

  1. Easytune, the suspicious new kid
    By LtHavoc21 in forum BlackBerry 10 Apps
    Replies: 11
    Last Post: 10-19-13, 12:32 PM
  2. App to download videos?
    By Blackman91 in forum PlayBook Apps & Games
    Replies: 9
    Last Post: 07-26-13, 03:52 AM
  3. How do you check for all background processes and programs running?
    By pappymappylappy in forum BlackBerry 10 OS
    Replies: 10
    Last Post: 07-17-13, 10:44 PM
  4. Where does the Playbook keep downloaded podcasts?
    By DaveTheA in forum PlayBook Apps & Games
    Replies: 6
    Last Post: 07-13-13, 12:17 PM
  5. How to remove calender notifications from lock screen?
    By cpeterson19 in forum BlackBerry 10 OS
    Replies: 4
    Last Post: 07-13-13, 09:42 AM
LINK TO POST COPIED TO CLIPBOARD