1. anon(6174160)
    What could the malware do though?

    There is a difference. Apps like Secure Browser, I had to go through a 1 month testing, major analysis etc to get it approved. And they did do a code analysis on it to make sure I'm not taking private info.

    But let's assume someone builds a malware injection. What can that malware do they couldn't have just done right off the bat? Like they could just include it in the release.

    Posted via CB from my LE
    Difference is avoiding possible detection by App world screeners. Even though I'm sure that operation is quite possibly a pushover anyway since a lot of apps got out that were found to be data mining or there are still many apps that simply don't work. They made it though so not sure how good it is, but at least that's one thing - avoiding first stage check.
    07-13-13 01:56 PM
  2. anon(6174160)
    The reason why I am saying this. Is iOS has malware apps. They have the code from day 1 in a disabled state. On day 90 it enables itself. Once enabled it makes a thousand 1 dollar in app purchases for apps you don't even have. Then disables itself.

    Android has the same, only it uses malware as a background process. It also harvests data from SMS and email to steal bank transfers etc.

    RIM doesn't have that problem because they require user prompt validation for in app. And apps can't run in the background. I just don't see malware injection bring a risk you don't have today. The malware could just as easily be dormant.

    The malware still can only access your game statistics and my documents you know what I mean?

    Posted via CB from my LE
    RIM never had that problem because they were more security conscious, more application control, and less popular as a platform. Same reason why Linux sees less malware not just because it's a tighter platform but because it's less popular. Security by obscurity.

    Well BB is definitely less popular now, but it seems they've joined iOS and Android in the low security aspect and decided to throw that one out the door and let apps get unlimited internet access and who knows what else.

    And you said prompting validation? We all know by now they don't need to do this for internet access. Didn't prompt. Can't change anything about it either. Finally running in the background? Well... welcome to OS 10.2 - the latest and greatest in background running apps. The malware developers are drooling over this. Now you get unlimited access to internet plus background processes. All on a platform everyone and their mother thinks implicitly is a hard shell and impenetrable - so nobody would know to look.

    Red flags all over. They need to clamp down internet access control ASAP and also let users decide whether programs are allowed to do background processes.

    I can tell you, my first choice for both cases is no by default. I don't want any apps getting internet access unless I specifically opt them in. I don't care that it bricks the software. I also don't like the idea of background processes. Never have since my early days using Windows. I keep that thing locked tight and I intend to do so for my phone if at all possible.
    07-13-13 02:01 PM
  3. KermEd
    Sorry by prompting I mean to make appworld purchases for you.

    And yes this is what worries me about 10.2 as well.

    I've reviewed all the security models as I build a lot of apps. And I don't feel exposed. But I do see a lot of single points of failure.

    Posted via CB from my LE
    07-13-13 02:18 PM
  4. SDTRMG
    Were you a BB user before?

    Yes and that's why some people still prefer the BB. But it seems they are moving to the mainstream, in which case they lose that advantage. It's almost like BB throwing away the keyboard phones for future devices. Thanks but I will be out. iPhone >>>>>>> Z10. Sorry, I'm only here for the Q10. Same with the security aspects. If they are like iOS where app security is questionable, then what the hell, if device security is down the drain anyway, and you throw away the keyboard phone, I guarantee you even I will be an iPhone user.

    The old BB allowed you to choose permissions with a much higher degree of control. So in many ways, this is a move BACKWARDS by not allowing more control.

    I also can't even see an option to have internet switched off from permissions.
    I came from the iPhone 5 and also used BlackBerry up until 2012, so I find that funny because switching to it is no better, they get access to all your info, period.

    There's a big difference not only between the BB10 and BBOS, but also between app development. You think it's a step backward and you're allowed your opinion, but many apps need certain permissions to run, like it or not. Some people can't handle change. Feel free to switch back to BBOS.

    Posted via CB10
    07-13-13 02:19 PM
  5. Richard Buckley
    Assessing the security of a platform also means knowing a lot about how the platform functions. No complex system is going to be without vulnerabilities but there are things that you can do that actually reduce the vulnerability and things that may appear to but don't.

    An application can't upload malware to itself after it has been installed because the executable code has to be in the cryptographically verified part of the application sandbox. Changing any of that will break the signature and the OS will not load the application. Android doesn't do this, as we have seen due to problems with the cryptography 99% of Android phones can't even validate the APKs from Google Play. Now that's done by a separate application. These two systems differ in this respect because BlackBerry chose security as the primary principle, Google chose performance.

    On BlackBerry an application can not simply avoid running certain code for the first 90 days to get malware past inspection in BlackBerry World. There are two reasons: the initial scanning very probably includes static analysis of the code, and code coverage tests (BlackBerry isn't stupid), and they are continuously re-scanning the applications: BlackBerry Works with Trend Micro to Expand Protection for Customers Against Malware, Privacy Issues in Third-Party Applications | CrackBerry.com
    SDTRMG likes this.
    07-13-13 04:12 PM
  6. pappymappylappy
    Assessing the security of a platform also means knowing a lot about how the platform functions. No complex system is going to be without vulnerabilities but there are things that you can do that actually reduce the vulnerability and things that may appear to but don't.

    An application can't upload malware to itself after it has been installed because the executable code has to be in the cryptographically verified part of the application sandbox. Changing any of that will break the signature and the OS will not load the application. Android doesn't do this, as we have seen due to problems with the cryptography 99% of Android phones can't even validate the APKs from Google Play. Now that's done by a separate application. These two systems differ in this respect because BlackBerry chose security as the primary principle, Google chose performance.

    On BlackBerry an application can not simply avoid running certain code for the first 90 days to get malware past inspection in BlackBerry World. There are two reasons: the initial scanning very probably includes static analysis of the code, and code coverage tests (BlackBerry isn't stupid), and they are continuously re-scanning the applications: BlackBerry Works with Trend Micro to Expand Protection for Customers Against Malware, Privacy Issues in Third-Party Applications | CrackBerry.com
    I'm no app developer, but you mean to tell me someone can't program a virtual machine like platform that can run any specific code in the right format that utilizes the net for its purposes?

    You mean you can't have this code be uploaded as encrypted text, have the program decrypt and read the text which gives instructions on what to send over the net using features already hard programmed into this virtual machine or emulator? I don't think you'd need to necessarily 'recompile' the app for such a function to work. After all, it's no different than an app reading an email or some text. No changing of the software would be needed. And I'm not even an app developer.

    If someone wants to do something, they can. I think history has proven that much. Often it's just a matter of time before someone outsmarts the system in place. Certainly though, not giving users the ability and choice to block certain apps from unnecessary access doesn't help with the security aspect of the device, does it? I really can't see how giving some third party app (not BB native apps) full data access can be a good thing for security and privacy. I really don't. This isn't a case where a program can ask for security updates itself so needs constant net access (like Google Chrome does). Many of these third party apps in app world simply do not need internet to function. Yet, you have no idea what each program does after you download them. They can be accessing data, uploading and downloading from your phone and you wouldn't have a clue nor can you do anything about it. Tell me, how does a puzzle app or one of many stupid 'tips' apps need internet access?
    07-15-13 01:51 PM
  7. Richard Buckley
    I'm no app developer, but you mean to tell me someone can't program a virtual machine like platform that can run any specific code in the right format that utilizes the net for its purposes?
    Yes you could, but the more generic you make it, the more obvious it would be that it is an interpreter (a more generic term for what you are referring to). Then the question would be, why does a simple puzzle have an interpreter? The more specific you make it the more obvious it would be that the malware isn't part of the documented behaviour of the app. Behaviour that is not consistent with the stated purpose of an application is grounds to have the application removed from BlackBerry World, even if that behaviour is benign.

    You mean you can't have this code be uploaded as encrypted text, have the program decrypt and read the text which gives instructions on what to send over the net using features already hard programmed into this virtual machine or emulator? I don't think you'd need to necessarily 'recompile' the app for such a function to work. After all, it's no different than an app reading an email or some text. No changing of the software would be needed. And I'm not even an app developer.
    Cryptography is also easy to spot. All cryptographic operations of an application, including connecting to web servers over SSL/TLS must be disclosed at the time the application is submitted and the vendor must provide any necessary export documentation for the cryptography. But yes this could be done, but see above.

    If someone wants to do something, they can. I think history has proven that much. Often it's just a matter of time before someone outsmarts the system in place. Certainly though, not giving users the ability and choice to block certain apps from unnecessary access doesn't help with the security aspect of the device, does it? I really can't see how giving some third party app (not BB native apps) full data access can be a good thing for security and privacy. I really don't. This isn't a case where a program can ask for security updates itself so needs constant net access (like Google Chrome does). Many of these third party apps in app world simply do not need internet to function. Yet, you have no idea what each program does after you download them. They can be accessing data, uploading and downloading from your phone and you wouldn't have a clue nor can you do anything about it. Tell me, how does a puzzle app or one of many stupid 'tips' apps need internet access?
    People have wanted to get privilege escalation to root on BlackBerry devices since they first came out. As yet I have not seen anyone able to provide proof that they have done so. Just because people are able to do it so easily on Windows (7 and earlier), iOS, Android, Linux doesn't mean they can do it on BBOS or BB10. But it is worth considering what BlackBerry security really promises to the user; that is security of personal or corporate data. They do not promise that a program you install on your machine won't send and receive data from servers on the web. In fact since the launch of BB10 almost all the PR they have produced has been about how well the platform allows applications to send and receive data from servers on the web. They do promise that, unless you give an application permission, it can not get at your personal data. They also promise that they are using the best technology available to scan applications submitted to BlackBerry World for cases where they act outside the purpose and usage the authors document.

    The truth is that every version of iOS and Android so far released has been Jailbroken or Rooted. iOS is getting better, Android just isn't. Once broken or rooted there is usually an application that can do the work for the technically unsophisticated. As you point out, if I can write an app that can root your Android phone, I can wrap that in a gambling application and own your Android phone. If you don't like the BB10 security model, and I get that you don't, your best bet would be Windows Phone 8. Microsoft finally seems to understand and have made a robust secure OS. I don't know if apps need permission to use the net, you'd have to find that out for yourself.

    I have contacts on the BlackBerry Security Emergency Response Team. If you find an application approved in BlackBerry World that does what you suggest I will introduce you to them.
    07-15-13 04:48 PM
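
The load-time check described in posts 5 and 7, as an added example that is not part of the thread and is not BlackBerry's implementation: a signed manifest covers the executable assets, so patching or adding code after install blocks loading, while files in the app's data area fall outside the signature. The key, paths and file contents are constructed, and HMAC stands in for the platform's asymmetric signature.

```python
import hashlib
import hmac

# Constructed stand-in for the platform signing key. A real platform uses an
# asymmetric signature; HMAC is swapped in to stay within the standard library.
PLATFORM_KEY = b"constructed-demo-key"
CODE_PREFIXES = ("bin/", "lib/")  # assumed layout: only these paths hold executable code

def _digest(data):
    return hashlib.sha512(data).hexdigest()

def build_manifest(package):
    """Sign a manifest listing the digest of every executable asset."""
    lines = [f"{_digest(d)} {n}" for n, d in sorted(package.items())
             if n.startswith(CODE_PREFIXES)]
    manifest = "\n".join(lines).encode()
    return manifest, hmac.new(PLATFORM_KEY, manifest, hashlib.sha512).digest()

def may_load(manifest, tag, sandbox):
    """Loader check: the manifest must be authentic and every code asset must match it."""
    expected = hmac.new(PLATFORM_KEY, manifest, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "manifest signature invalid"
    signed = {n: h for h, n in (l.split(" ", 1) for l in manifest.decode().splitlines())}
    code = {n: d for n, d in sandbox.items() if n.startswith(CODE_PREFIXES)}
    if set(code) != set(signed):
        return False, "code asset added or removed"
    for name, data in code.items():
        if not hmac.compare_digest(signed[name], _digest(data)):
            return False, f"digest mismatch: {name}"
    return True, "ok"

def demo():
    shipped = {"bin/puzzle": b"\x7fELF v1", "lib/libui.so": b"\x7fELF ui", "data/levels.dat": b"v1"}
    manifest, tag = build_manifest(shipped)
    return {
        "untouched": may_load(manifest, tag, shipped),
        "binary patched after install": may_load(
            manifest, tag, {**shipped, "bin/puzzle": b"\x7fELF v1 + extra"}),
        "binary added after install": may_load(
            manifest, tag, {**shipped, "lib/extra.so": b"\x7fELF downloaded"}),
        # Data is outside the signed set, so this loads; behaviour review has to cover it.
        "data file replaced": may_load(
            manifest, tag, {**shipped, "data/levels.dat": b"anything fetched later"}),
        "manifest edited": may_load(manifest + b"\n", tag, shipped),
    }

if __name__ == "__main__":
    print(demo())
```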
  8. tonyblaze

    (like those backward developers for that music app that started deleting everyone's shared documents and did so little to fix it)

    Posted via CB from my LE
    07-17-13 06:03 AM
  9. DimuthTharaka
    Hey guys I was looking for some inspection software web sites and I got this one. It seems better than others. Can anyone please check this one for me. Here home inspection software the site. Thank you.
    10-22-13 05:03 AM