1. tg1's Avatar
    And therefore cause a security threat to BlackBerry OS10? Just wondering as I have been working with Cobalt's Google Play store. I have to admit Google has some damn good apps that BlackBerry just doesn't have they have to figure out the app market. I have RBC app from BlackBerry world and RBC from Google play store and it is night and freaking day difference. Like the RBC BlackBerry App is in the freaking dark ages. Sad but true. You will have to pry my BlackBerry Passport from my cold dead hands but it will have Google apps running. Shame.

    Brought to you by my Awesome BlackBerry Passport.
    08-03-15 01:02 AM
  2. Bla1ze's Avatar
    A direct problem - Likely not. On BB10 the Android SMS system isn't used, instead the stock BB10 app is loaded anytime for SMS/MMS interactions. You'd really have to go out of your way to force use of the Android SMS/MMS system in order for it to work.

    A indirect problem - It's not out of the realm of possibility that the issue may exist within the Android runtime and a small patch would be required just for the sake of saying it has been patched.

    In the end, the issue is mostly with OEM's that haven't sent the patch the Google created out to devices. As the Android runtime is based off of AOSP with some customization, it may already have the fixes in place but it's hard to say without any deeper knowledge of the runtime.

    As of right now, BlackBerry has issued no statements on it through SIRT. - https://twitter.com/bbsirt
    tg1 likes this.
    08-03-15 03:51 AM
  3. bazillus's Avatar
    Is the Stagefright problem on Android affect BlackBerry runtime...-img_20150806_181915.png
    Well, the runtime is affected... PassportSQW100-1/10.3.2.2204
    Superdupont 2_0 likes this.
    08-06-15 11:20 AM
  4. gariac's Avatar
    A direct problem - Likely not. On BB10 the Android SMS system isn't used, instead the stock BB10 app is loaded anytime for SMS/MMS interactions. You'd really have to go out of your way to force use of the Android SMS/MMS system in order for it to work.

    A indirect problem - It's not out of the realm of possibility that the issue may exist within the Android runtime and a small patch would be required just for the sake of saying it has been patched.

    In the end, the issue is mostly with OEM's that haven't sent the patch the Google created out to devices. As the Android runtime is based off of AOSP with some customization, it may already have the fixes in place but it's hard to say without any deeper knowledge of the runtime.

    As of right now, BlackBerry has issued no statements on it through SIRT. - https://twitter.com/bbsirt
    Is it me, or shouldn't we have a BBM channel instead of Twitter for this news.

    Posted via CB10
    08-06-15 11:43 AM
  5. gariac's Avatar
    It is possible the "Stage fright" detector just looks for auto-retrieve of MMS, not an actual exploit.

    Posted via CB10
    08-06-15 11:44 AM
  6. Superdupont 2_0's Avatar
    Is the Stagefright problem on Android affect BlackBerry runtime...-img_20150806_182858.png

    Yep, same here.
    I installed the Stagefright Detector App (Source: Google Playstore)

    Posted via CB10
    08-06-15 11:45 AM
  7. Richard Buckley's Avatar
    Click image for larger version. 

Name:	IMG_20150806_182858.png 
Views:	1525 
Size:	79.8 KB 
ID:	365557

    Yep, same here.
    I installed the Stagefright Detector App (Source: Google Playstore)

    Posted via CB10
    I suspect that the app is just checking the library for vulnerability. Not surprising that, or as gariac mentioned, just checking for auto-retrieve which is default on in Android installations. A known mitigation is to turn auto-retrieve off. So if you can do that, or better still, not have an Android MMS application installed then you should be OK.
    Larry Harper likes this.
    08-06-15 12:53 PM
  8. gariac's Avatar
    I suspect that the app is just checking the library for vulnerability. Not surprising that, or as gariac mentioned, just checking for auto-retrieve which is default on in Android installations. A known mitigation is to turn auto-retrieve off. So if you can do that, or better still, not have an Android MMS application installed then you should be OK.
    A real detector would have a harmless exploit as a payload. That is, make the phone do something to indicate it is pwned.

    Stage Fright uses a very low level vector. That is why it can achieve such a high level of permission (system level, a step down from root). The BlackBerry Android player seems more sandboxed.

    Posted via CB10
    08-06-15 01:41 PM
  9. padrini's Avatar
    Statement from BlackBerry regarding StageFright:

    BlackBerry is aware that certain applications report that BlackBerry 10 devices are affected by the vulnerabilities known as StageFright. Only some of these issues affect the Android Runtime on BlackBerry 10 devices. MMS messages are not interpreted by the Android Runtime by default. Additionally, BlackBerry 10 is not vulnerable to the StageFright ASLR bypass.

    Although these vulnerabilities represent a low risk to BlackBerry 10 customers, we are planning to remediate any vulnerable code in future updates.

    Thanks,
    BBSIRT

    After that I reached out again regarding other ways to exploit it and their response was this:

    Although we highlighted MMS due to the amount of media coverage it received, we have assessed all attack vectors outlined by the researcher and factored them into our risk assessment, and still consider this to be a low risk to BlackBerry 10 customers.*


    Posted via CB10
    Bla1ze, Bilaal, tg1 and 2 others like this.
    08-06-15 04:39 PM
  10. BCITMike's Avatar
    When they said "Additionally, BlackBerry 10 is not vulnerable to the StageFright ASLR bypass," they should have just said "...and consider this to be a no risk to BlackBerry 10 customers."
    08-11-15 01:51 AM
  11. tw_'s Avatar
    I upgraded my Passport to 10.3.2.2474 and now I get the green bar in Stagefright Detector:

    Is the Stagefright problem on Android affect BlackBerry runtime...-img_20150916_222950.jpg
    joydi likes this.
    09-16-15 03:45 PM

Similar Threads

  1. Why I cant install whats app from BlackBerry beta zone
    By Suresh14594 M in forum BlackBerry Z10
    Replies: 3
    Last Post: 08-03-15, 08:48 AM
  2. Replies: 4
    Last Post: 08-03-15, 01:11 AM
  3. Car stereo and BlackBerry
    By Dario McCollin in forum General BlackBerry Discussion
    Replies: 1
    Last Post: 08-03-15, 12:50 AM
  4. my phone bb9220 is not turning on
    By CrackBerry Question in forum Ask a Question
    Replies: 1
    Last Post: 08-02-15, 11:08 PM
  5. Maximum Exchange account on Android Phones
    By PatelHrishikesh in forum Ask a Question
    Replies: 1
    Last Post: 08-02-15, 11:06 PM
LINK TO POST COPIED TO CLIPBOARD