[Joshu42]

I was wondering what does this Sandboxing for the Android apps do exactly. The android apps can access the contacts I think and pictures, not sure what else but how does the sandbox work exactly to prevent the android apps from sharing information or keep the device secure? When some android apps pop up in the background without permission do they share any info with google? I know google isn't a security threat but all the same just want to understand the limitations the Sandbox sets for these Android apps.

The Android runtime is sandboxed. It means that any app, OS included in this sandbox will never get access to BB10 Rom, neither memory will be shared. The Android runtime is not a point of entry to install "custom BB10 Rom"...

Nothing to do with App permissions.

[ZeroBarrier]

The Android runtime is sandboxed. It means that any app, OS included in this sandbox will never get access to BB10 Rom, neither memory will be shared. The Android runtime is not a point of entry to install "custom BB10 Rom"...

Nothing to do with App permissions.

You know, I had almost given up hope that there were any intelligent and knowledgeable users such as your self lurking forums. I'm very glad to see there's a few lurking around still.

Posted via CB10

[powereds]

Strange. After Bishkin's "joking", the room went silent. How come no one except Bishkin laughed?

Posted via CB10

Here are the possible reasons why the room went to silent mode.

1. Didn't get Bishkin's joke
2. Can't take Bishkin's joke

You are welcome to add more.

"But I say this to you, love your enemies and pray for those who persecute you;" - Matthew 5:44

[Malazm]

Here are the possible reasons why the room went to silent mode.

1. Didn't get Bishkin's joke
2. Can't take Bishkin's joke

You are welcome to add more.

"But I say this to you, love your enemies and pray for those who persecute you;" - Matthew 5:44

3. Dumbstruck that it could even be referred to as a joke.

Posted via CB10

[Deckard79]

The Android runtime is sandboxed. It means that any app, OS included in this sandbox will never get access to BB10 Rom, neither memory will be shared. The Android runtime is not a point of entry to install "custom BB10 Rom"...

Nothing to do with App permissions.

If something is 'sandboxed', that doesn't automatically mean there aren't any security implications to what platform the sandboxed runtime is on.

For example, we know that the Android runtime does have access to BlackBerry Hub, as well as settings that control the device's hardware.

We also know that BB10.3 is setup to recognise and install .APK packages as if they were native .BAR packages. Prior to installing, BB10 runs a security check on the file if you wait long enough. This however is easily skippable.

Truth be told, we simply DO NOT KNOW how much of a security compromise the Android runtime is on BlackBerry 10.

This however may prove to be mute in the next few months if BlackBerry's rumoured plans to migrate to Android come to fruition.

[Richard Buckley]

If something is 'sandboxed', that doesn't automatically mean there aren't any security implications to what platform the sandboxed runtime is on.

For example, we know that the Android runtime does have access to BlackBerry Hub, as well as settings that control the device's hardware.

We also know that BB10.3 is setup to recognise and install .APK packages as if they were native .BAR packages. Prior to installing, BB10 runs a security check on the file if you wait long enough. This however is easily skippable.

Truth be told, we simply DO NOT KNOW how much of a security compromise the Android runtime is on BlackBerry 10.

This however may prove to be mute in the next few months if BlackBerry's rumoured plans to migrate to Android come to fruition.

Actually we do know rather a lot. For example we know that Android system calls are serviced by the QNX kernel, just as BB10 system calls are. That means an Android program running on BB10 has no better chance of compromising the kernel than a native program does. So if we take an example like StageFright; if someone manages to craft code that actually gets the vulnerable library to run in the BB10 Android run time, and exercises the vulnerability, they would have to defeat the QNX kernel (not an Android kernel) to get root on the device. There may be ways to act maliciously from within the Android run time by using an applications permissions to access personal data. But that not the same class of problem.

This is why I don't like to call this approach "sandboxing" which conjures up ideas of walled in playgrounds. BB10 doesn't need need sandboxes because all the sharp knives and dangerous power tools are kept locked away in the tool shed.

[Deckard79]

There may be ways to act maliciously from within the Android run time by using an applications permissions to access personal data.

But that's exactly what I'm getting at with my previous post. I don't classify security exclusively as the ability to compromise core native system code. The fact that a fairly old mobile OS runtime has access to the parts of BB10 that handle personal data is by definition going to be an individual risk.

And yes, I share your dislike of the term 'sandboxing', primarily because it seems to be termed here as a one-stop security guarantee, which of course it is not.


Posted via CB10

[Richard Buckley]

But that's exactly what I'm getting at with my previous post. I don't classify security exclusively as the ability to compromise core native system code. The fact that a fairly old mobile OS runtime has access to the parts of BB10 that handle personal data is by definition going to be an individual risk.

And yes, I share your dislike of the term 'sandboxing', primarily because it seems to be termed here as a one-stop security guarantee, which of course it is not.


Posted via CB10

But those avenues for acting maliciously are common to BB10, iOS and Windows as well. If you give an application permission to read your contacts, it can send the to a server for nefarious purposes. BlackBerry Guardian, if you use it, does a lot to protect you from Android applications that do this. If you only get your native applications from BlackBerry World you are protected there as well. But this can't be perfect. If an application has a valid reason to upload your contacts, but then also uses them for undisclosed purposes you have still been victimized. There isn't much any echo system can do to prevent this other than ban such applications when they are found out. No sandbox will ever protect you from this, just like no door lock will protect you from a thief you let into your home.

Z10STL100-3/10.3.2.2252 SR 10.3.2.2168

[Deckard79]

But those avenues for acting maliciously are common to BB10, iOS and Windows as well. If you give an application permission to read your contacts, it can send the to a server for nefarious purposes. BlackBerry Guardian, if you use it, does a lot to protect you from Android applications that do this. If you only get your native applications from BlackBerry World you are protected there as well. But this can't be perfect. If an application has a valid reason to upload your contacts, but then also uses them for undisclosed purposes you have still been victimized. There isn't much any echo system can do to prevent this other than ban such applications when they are found out. No sandbox will ever protect you from this, just like no door lock will protect you from a thief you let into your home.

Z10STL100-3/10.3.2.2252 SR 10.3.2.2168

I disagree with your point that it's the same risk associated with other platforms:

BB10 doesn�t come with Google Play Store access or Google Services. Amazon Store compatibility is a mixed bag, and BlackBerry devices are blacklisted on many apps. Users are positively encouraged to find alternative means to obtain (often illegally) APK Apps, obtain modified commercial APKs etc. The Android runtime is there to provide a partial solution to the 'app-gap', but the tradeoff is that BlackBerry have little-to-no control over what actually ends up running on their devices. This is not the case with WP, iOS, or Android devices running the Google ecosystem.

BlackBerry Guardian is skippable - the scan is optional, and we do not genuinely know its effectiveness anyway.

Furthermore, this is an old Android build. Is it impossible for an exploit via the Android runtime to install a little background process that has access to sensitive data? I'm not so confident.

The Android runtime sits invisibly on a BB10 device. We never know exactly what it is doing, and we have very little control over what it does. We do not have access to background processes, and an ability to terminate them in the same way that Android users do.

I see where you're coming from but I'm not convinced, sorry. Might have to agree to disagree.


Posted via CB10

[Bishkin]

I see where you're coming from but I'm not convinced, sorry. Might have to agree to disagree.

I think you have nearly agreed.

[kbz1960]

FYI I am not an IT professional. That said:

I have been busy doing some research and have come across some pertinent information regarding the end of the line for network security. This would be the user and the phone. As some have stated the phone is not the most important part but from what I have read all parts can be equally as important for a secured and layered ecosystem of security.
When it comes to IT strategies, layering security makes sense for the Android environment. If you look at the mobile security stack in layers (starting from the bottom up) as network/carrier layer, hardware layer, operating system layer, and application layer, the chances of exploits increase as you climb up the ladder. Enterprises also have less control the lower we go in the stack which brings me to the phones hardware and software in the hands of the users.

iOS
iOS device users can install apps that have not been vetted by Apple, after jailbreaking their devices. Apparently there are ways and tools to do a silent kind of iOS jailbreak app that manages to hide the jailbroken status of the device, which would allow attackers to take advantage of a device. Attackers can then target iOS and Android devices through similar means, including SMS or through Wi-Fi hotspots
iOS devices can also be targeted through websites. The attack requires a user to visit a web page on their iPhone or iPad. If that user installs a hostile configuration profile, then the enterprise is at risk for intercepted traffic, fake app installation, sophisticated phishing, and APTs,�.

Android
The Android ecosystem has two main security risks, according to mobile security experts:

�The Google Play Store (apps are not vetted as well as iTunes store)
�The fragmentation of devices and OS versions

The Android platform does have some serious factors to consider and that would be as you may have guessed it, fragmentation. There are multiple versions of Android in the market, even on current devices. Manufacturers often make their own changes and patches to Android, so they could be behind Google's latest version of the current update release. To make matters worse, carriers and manufacturers may not update their devices' Android version when Google does, or they take months or even years to do so.
Android is possible to be secured yes but it is definitely more complicated and workload heavy. The IT specialist can try and apply all the security restrictions he or she wants but by limiting the functionality of the phone they risk pushing the end user into unsafe practices like non compliance cloud services.

Conclusion
In the end I find that if I were an IT professional ( there are IT professionals like there are window installers. Sometime you get a new window and it ends up leaking) I would choose to combine BlackBerry's hardware and phones software with BES10 for the easiest most secure solution since BlackBerry devices have not yet been exploited by rooting or jailbreaks. With no hardware or software vulnerabilities there is less risk involved. As one person commented that it just make it easier to manage due to less complication and we all know that with too much complications in (which can be ongoing) there is greater chance for error. After all it only takes one employee to decide he can do what he wants to cause a leak in your window
Sticking with what Mr. Chen says. And hope this is a decent answer for OP.





Posted via CB10

Would you still choose the same if BlackBerry phone is running Android?

[Richard Buckley]

I disagree with your point that it's the same risk associated with other platforms:

Ok, first I didn't say the same risk was associated, I said the same avenues for acting maliciously are common among platforms.

BB10 doesn’t come with Google Play Store access or Google Services. Amazon Store compatibility is a mixed bag, and BlackBerry devices are blacklisted on many apps. Users are positively encouraged to find alternative means to obtain (often illegally) APK Apps, obtain modified commercial APKs etc. The Android runtime is there to provide a partial solution to the 'app-gap', but the tradeoff is that BlackBerry have little-to-no control over what actually ends up running on their devices. This is not the case with WP, iOS, or Android devices running the Google ecosystem.

An android application doesn't need Google Services to harvest data from a device. Also, while individuals are free to decide that they don't want to participate with Google Services, the data mining that Google Services performs is for nominally legitimate business reasons. Google trades consumer data for free services like web searching, email, document management, and the rest. You may feel it is a good deal, or a bad deal, but it is not malicious activity.

BlackBerry Guardian is skippable - the scan is optional, and we do not genuinely know its effectiveness anyway.

True the scan is optional, but then so are device passwords, restricting application permissions and other security features. As far as effectiveness, being personally willfully blind or ignorant does not extend to others. If you do not know how effective Trend-Micro and BlackBerry are at detecting malware that is because you have not educated yourself with the available information. The learning curve is steep because the subject is complex, but the information is available.

Furthermore, this is an old Android build. Is it impossible for an exploit via the Android runtime to install a little background process that has access to sensitive data? I'm not so confident.

I said as much myself. Which is why it is important to let BB Guardian scan Android applications and to follow that advice, if you have sensitive data on the device and you care about privacy and security.

The Android runtime sits invisibly on a BB10 device. We never know exactly what it is doing, and we have very little control over what it does. We do not have access to background processes, and an ability to terminate them in the same way that Android users do.

I see where you're coming from but I'm not convinced, sorry. Might have to agree to disagree.
Posted via CB10

Again, you may never know exactly what the Android runtime is doing, or feel you have little control over what it does. That does not apply to everyone. The rest of that paragraph just isn't true.

[The_Passporter]

Would you still choose the same if BlackBerry phone is running Android?

Actually YES! I have found peace of mind and comfort with the BB10 OS and find it very customizable out of box. I don't care for all the bells and whistles with all the adds and tracking and glitchy apps that are actually second to apple's app performance. Don't care for battery life of android and all that it does in the background either. If I want my phone to do something I'll ask it to not have it read my mind and go dead in 6 hours lol.

I know this isn't security issues but this is my answer. I think the BB10 OS has much promise and look forward to what is to come.

Sorry had to edit my answer to YES. I guess I misunderstood the question but I think you got what I meant.

Posted via CB10

[The_Passporter]

Just would like to say thank you to both you guys for offering your opinions on the Sandbox for android and how it works from both your perspectives. This does still clear things up for me and others to broaden our understanding. :-)

Posted via CB10