[chetmanley]

Hello,

Did a search and while others have asked the same question, it's never been answered.

Does anyone know why these services are running, despite Blackberry Diagnostics being selected off under settings?

Blackberry Hub+ Services has a running service called TelemetryService which runs constantly. I've noticed this service is present in all of their apps like Password Keeper.

Under Cached Background Processes, Blackberry Diagnostics is always present, and returns if stopped.

Can anyone confirm if these apps are phoning home? and if they are, what information they are sending, and if that's the case, why their processes are running even though Diagnostics is supposed to be deactivated?

Thank you

- A blackberry fan who doesn't like seeing the word Telemetry on a "secure/private" Blackberry.

[chetmanley]

Following the techniques used by a blogger who recently discovered the One+5 was sending home far more data than it should - and prompting the co-founder to make a statement https://www.tomsguide.com/us/oneplus...ews-25968.html - I've found that Blackberry HUB+Services are indeed periodically contacting a blackberry server, but can't figure out what is being sent. I've tried 3 pieces of software: Zap, Charles, and SSL packet capture. While Zap and Charles have revealed interesting things about other apps I have installed, only SSL packet capture is able to reveal the BB Hub+services connection, but the app doesn't reveal what is being sent.

Anyone with more expertise around here who might be able to shine some light on this?

[chetmanley]

I've played around with no-root firewall apps. These apps have allowed me to block all the unwanted connection requests coming from my Keyone - and there are a lot more than I thought there would be.

Unfortunately, these no-root firewall apps require the VPN service, which means a true VPN app can't run at the same time. The only way around this is to use a Root-require firewall app that works without the VPN service.
So, using a firewall app I've been able to block what I suspect are the unwanted telemetry connections phoning home to BB from the BB Hub+Services app suite, leaving just the proper connections to my email server.

I've also noticed that BBM Enterprise makes a lot of connection attemps to a number of Mixpanel servers (sometimes one every second - I assume its because I've blocked it and its trying to connect to different servers). This was noted by another crackberry user regarding BBM and the BB Shop. https://forums.crackberry.com/blackb...-proof-981845/

The Mixpanel component was monitoring all the screen taps and what was done from within the BBM app, and sending it back to their servers.

I'm disappointed to see the same connections being made from within the BBM Enterprise app, although I have no idea what is being reported since the BB shop no longer exists.


A recent thread was started under the Keyone forum discussing if BB could create an embedded Firewall app. I think that is a fantastic idea and it would be cool if it was combined with DTEK somehow.

https://forums.crackberry.com/blackb.../#post13030686

[chetmanley]

Thought I'd post an update about what I've found while using two firewall apps over the last month.

Blackberry Hub+Services: Makes legit connections to my email servers. But also makes a connection back to BB which appears to be completely not required for the function of the app. I think this connection relates to the ever present BB Telemetry Service - I'm not sure what its sending, but when it does connect it uploads 1.5kb and downloads 6.5kb.

BBM Consumer: Oh boy - where to begin.

Simply opening the application results in the following connections:
Taobao - appears to be a chinese e-commerce site
Crashlytics
Alipay - Chinese payments
Yimg - "Yimg.com is a domain which is used by yahoo buzz.It is an widget company and a part of networking sites and other technologies used for user tracking."
Liftoff.io App marketing/advertising and analytics

Plus the required BBM servers for messages, channels, etc.

Once on the feeds page we get the following:
Google double click
Analisis.io

And on the Discover page you get many more advertising, tracking, and analytic connections:
Facebook
Mixpanel - has been previously documented by another Crackberry user who found that on BB10 BBM, it would connect with mixpanel server every time the screen is touched in the BBM Shop.
And a whole host more....

BBM Enterprise:

Much better than BBM consumer- it only connects to BBM Enterprise servers, but it still makes a connection to a Mixpanel server, even though the shop no longer exists...

BB Keyboard:

Regularly connects to Swiftkey to get language pack updates, but I've also found it connects to media-assets-01.thedrum.com
Not sure why a keyboard application needs to connect to thedrum.com ?

Not sure if its a glitch with the firewall reporting, but it also reports a connection to
firefox.settings.services.mozilla.com
a cloudfront server
a sharethrough server - more advertising?

Blackberry.ddt.checkin:

Despite having Diagnostics turned off, this application seems to be making connections back to a blackberry server ifs.blackberry.com

That's about it for BB Applications.

On the Android OS side of the house, under "Android System" the phone makes regular connections to TCL servers for AOTA, mozilla, jwplatform - media delivery?, Qualcomm Izat cloud (which I think is for updating the gps constellation, and hopefully not for their telemetry purposes as can be seen on the Priv), apptimize.com and a few others including Pool which is a time reference server.


And for other applications like weather apps, adobe, and google maps/photos and Here maps..... basically every app you install with internet connectivity - its making connections to facebook, google, 3rd party analytics providers and advertisers.

So even if you turn off every permission an application can have access to, that application can still phone home with whatever system info it can scrape off you device - ip addresses, wifi/bluetooth access point names, etc..


To summarize - if you want a truely private device, you need to get a phone you can root. Install a firewall application, and run a simultaneous VPN to obscure you connections from your service provider or hotel etc...

Sadly, while a BB might be secure - its not very private. We can run noroot firewall applications to control the flood of connections being made without our knowledge, but without root access, we can't implement all the functions needed to maximize privacy.

[gizmo21]

Thx all for the insight of privacy taken a bit lightly on BlackBerry Apps.


Would be interesting to know if BlackBerry Hub+ Suite for non-BB devices starts the same Telemetry service and if on a rootable device a root-firewall could gather even more data on this topic (even if perhaps the apps differ from the preinstalled bb-device versions).

[chetmanley]

I just realized I should point out I'm not running Google Play Services on my Keyone. So I didn't include any of those connections, but I have been watching them on my Priv which does have GPS.

You can probably guess - no surprise here - with GPS active, the Priv makes many many connections back to google. Here are a couple examples
adservice.google
google-analytics
ads.doubleclick
and many more google servers

I also forgot to mention that BB Hub, while it doesn't appear to make any connections in and of itself, all your emails from companies do make connections. Most emails phone home in some shape or form, or to 3rd parties. With the firewall you can block these connections from the HUB, and just get the pure email content.

Here are some examples of connections made by a few popular apps - just going to include the advertising and tracking:

Microsoft Office (word/powerpoint/excel)
adjust.com (anayltics)

Adobe Acrobat
Two facebook servers

Office Suite
Facebook
google tag manager
data.flurry.com
google-analytics
graph.facebook.com

Google Photos
google-analytics.com
app-measurement.com

Rosetta Stone
graph.facebook.com
crashlytics
doubleclick
adobe dtm (tracking and pixel tags)
appboy
googleadservices
googleapis.com

Shazam
graph.facebook.com
scorecardresearch.com
beacon.shazam.com

Anyway - the list goes on and on. My hope here is that by sharing what I've learned it will shed some light on what goes on behind the scenes on our devices. I think we all knew this was happening, but to actually see it happening live while you use your phone sorta drives the point home.

Hopefully Blackberry can take their DTEK app a step further by incorporating some sort of Firewall functionality as already discussed, and live up to their old Priv ad of "The Privilege of Privacy" ....lol

[chetmanley]

Thx all for the insight of privacy taken a bit lightly on BlackBerry Apps.


Would be interesting to know if BlackBerry Hub+ Suite for non-BB devices starts the same Telemetry service and if on a rootable device a root-firewall could gather even more data on this topic (even if perhaps the apps differ from the preinstalled bb-device versions).

I think Cobalt's version of the blackberry apps have the Telemetry services removed because it was causing issues. So that is something I'm seriously considering - moving to a rootable device that still promising security updates (I'm thinking Essential phone). And install the blackberry apps on there which have been modified to remove the telemetry packages.


The firewall app I'm using now which has provided the most info on the server names is Netguard. Its 10$ from google play to get all the features, or you can buy it from him directly for a donation if you dont have google play installed.

[ray689]

Why is this shocking to anyone? I would bet BBOS and BB10 devices also did the same with with BlackBerry servers.

[conite]

I blame the evil corporations and their insidious scheme to make profits to pay their employees and shareholders.

[chetmanley]

Why is this shocking to anyone? I would bet BBOS and BB10 devices also did the same with with BlackBerry servers.

As I wrote above, I think everyone assumed some collection was happening on one level or another. What surprised me was the sheer volume and frequency.

I'm sure BBOS and BB10 devices do the same (we know BB10 BBM does in any case), but when Blackberry offers an option to disable diagnostics, but the phone still runs telemetry services and appears to be phoning home, that is very misleading.

Unfortunately I don't have the skills or the technical background to dig into this much further to figure out what is being sent. So unless BB comes forward to clear the air, I'm going to assume the worst. Maybe nothing is being sent at all, but like has been proven with the One+5, and recently Google regarding location tracking, perhaps everything is being sent...

So, yes, I think it would be shocking to most users who assume Android Permissions are the be all and end all of data collection control, and that if they have them toggled off, they are safe. In fact some of my friends don't even realize those permissions exist yet.

Just because its happening, doesn't mean we should accept it. There will always be users out there who don't put in the effort to get smart on these issues, and the data collectors will always be there to scoop up what ever they can at their expense. But for the few of us who do care, we should be given the option to control this information beyond what is made available to us at present.

[Invictus0]

Good research OP. I tried NetGuard on my non BB Android phone with Hub+ services from Google Play installed and I was able to replicate your tests (it only connected to my email accounts and a blackberry domain). Hub+ doesn't seem to have a running telemetry services on my phone so it could be for something else (checking available apps?).

[Event4izon]

Thought I'd post an update about what I've found while using two firewall apps over the last month.

Blackberry Hub+Services: Makes legit connections to my email servers. But also makes a connection back to BB which appears to be completely not required for the function of the app. I think this connection relates to the ever present BB Telemetry Service - I'm not sure what its sending, but when it does connect it uploads 1.5kb and downloads 6.5kb.

BBM Consumer: Oh boy - where to begin.

Simply opening the application results in the following connections:
Taobao - appears to be a chinese e-commerce site
Crashlytics
Alipay - Chinese payments
Yimg - "Yimg.com is a domain which is used by yahoo buzz.It is an widget company and a part of networking sites and other technologies used for user tracking."
Liftoff.io App marketing/advertising and analytics

Plus the required BBM servers for messages, channels, etc.

Once on the feeds page we get the following:
Google double click
Analisis.io

And on the Discover page you get many more advertising, tracking, and analytic connections:
Facebook
Mixpanel - has been previously documented by another Crackberry user who found that on BB10 BBM, it would connect with mixpanel server every time the screen is touched in the BBM Shop.
And a whole host more....

BBM Enterprise:

Much better than BBM consumer- it only connects to BBM Enterprise servers, but it still makes a connection to a Mixpanel server, even though the shop no longer exists...

BB Keyboard:

Regularly connects to Swiftkey to get language pack updates, but I've also found it connects to media-assets-01.thedrum.com
Not sure why a keyboard application needs to connect to thedrum.com ?

Not sure if its a glitch with the firewall reporting, but it also reports a connection to
firefox.settings.services.mozilla.com
a cloudfront server
a sharethrough server - more advertising?

Blackberry.ddt.checkin:

Despite having Diagnostics turned off, this application seems to be making connections back to a blackberry server ifs.blackberry.com

That's about it for BB Applications.

On the Android OS side of the house, under "Android System" the phone makes regular connections to TCL servers for AOTA, mozilla, jwplatform - media delivery?, Qualcomm Izat cloud (which I think is for updating the gps constellation, and hopefully not for their telemetry purposes as can be seen on the Priv), apptimize.com and a few others including Pool which is a time reference server.


And for other applications like weather apps, adobe, and google maps/photos and Here maps..... basically every app you install with internet connectivity - its making connections to facebook, google, 3rd party analytics providers and advertisers.

So even if you turn off every permission an application can have access to, that application can still phone home with whatever system info it can scrape off you device - ip addresses, wifi/bluetooth access point names, etc..


To summarize - if you want a truely private device, you need to get a phone you can root. Install a firewall application, and run a simultaneous VPN to obscure you connections from your service provider or hotel etc...

Sadly, while a BB might be secure - its not very private. We can run noroot firewall applications to control the flood of connections being made without our knowledge, but without root access, we can't implement all the functions needed to maximize privacy.

Thanks for this, a very interesting read. Like was said earlier, I don't think people are necessarily surprised by this, myself included. When it's laid out in front of you and you look at it in more detail though, it's concerning, to me at least.

[chetmanley]

Good research OP. I tried NetGuard on my non BB Android phone with Hub+ services from Google Play installed and I was able to replicate your tests (it only connected to my email accounts and a blackberry domain). Hub+ doesn't seem to have a running telemetry services on my phone so it could be for something else (checking available apps?).

Interesting - maybe that connection isn't for telemetry, but perhaps license verification?

I've noticed some differences between the Priv and the Keyone regarding what is shown under Running Services.

See below (Priv on the left, keyone on the right). Both show the same services, but in very different ways.

Dataminer - really?

[Invictus0]

Interesting - maybe that connection isn't for telemetry, but perhaps license verification?

Probably, Hub+ is running a service called "LicenseStateMonitorService" and that URL/port seems to be where BlackBerry's license checks for BES occur so it might for Hub+ as well.

Licensing in BlackBerry Enterprise Service 10 version 10.1

I've noticed some differences between the Priv and the Keyone regarding what is shown under Running Services.

See below (Priv on the left, keyone on the right). Both show the same services, but in very different ways.

Dataminer - really?

Could be a Marshmallow vs Nougat thing? Are you sure all telemetry services are disabled?

Data mining doesn't have to be a "dirty" word, it's really just the practice of analyzing data.

Edit: I've stopped the LicenseState service and now the only connection being made is to my email servers so that might be what it's used for.

Edit 2: Just saw that there is a telemetry service running under a separate Hub+ listing called "com.blackberry.infrastructure:telemetry" but NetGuard isn't picking anything up now that the LicenseState service is stopped. It could be running but not actually doing anything?

[chetmanley]

Probably, Hub+ is running a service called "LicenseStateMonitorService" and that URL/port seems to be where BlackBerry's license checks for BES occur so it might for Hub+ as well.

Licensing in BlackBerry Enterprise Service 10 version 10.1



Could be a Marshmallow vs Nougat thing? Are you sure all telemetry services are disabled?

Data mining doesn't have to be a "dirty" word, it's really just the practice of analyzing data.

Edit: I've stopped the LicenseState service and now the only connection being made is to my email servers so that might be what it's used for.

What's the BB Hub+ IP address being reported on your firewall? I'm curious if its the same as the one on my phone (74.82.72.232).

Edit: just discovered a new Hub+ Services connection on my Priv (no accounts added to Hub+) ccl.eval.blackberry.com (74.82.74.2)

I'm sure I've covered all the options for telemetry services on my keyone, I don't think I've missed any.

[Invictus0]

What's the BB Hub+ IP address being reported on your firewall? I'm curious if its the same as the one on my phone (74.82.72.232).

I'm sure I've covered all the options for telemetry services on my keyone, I don't think I've missed any.

It's actually not showing me an IP, just the URL. I'm using the free version of NetGuard so that could be why.

Check out the update to my previous post. If you enable BlackBerry specific telemetry on your device and stop the license service, do you see any new connections with NetGuard?

[chetmanley]

It's actually not showing me an IP, just the URL. I'm using the free version of NetGuard so that could be why.

Check out the update to my previous post. If you enable BlackBerry specific telemetry on your device and stop the license service, do you see any new connections with NetGuard?

Yea you need the full version to get all the IP filtering and traffic logs.

On both my Priv and Keyone I've turned on BB Diagnostics to see what changes occur. So far nothing new on the Keyone, but on the priv I started to see the CCL.Blackberry connection. How to import IT Policy Rule for disabling CCL Data Collection

I'm going to wait out and see if I get more of these connections, and how often they occur. If they occur regularly, I'll then turn diagnostics back off and see if they stop.

As for stopping the telemtry and license services - I didn't see a change in the connections. It was still pinging 74.82.72.232 or 235. But something I hadn't seen until stopping those services was a connection to Crashlytics. I guess stopping the services triggered this connection. It's also possible that stopping the services is so temporary that I don't see a difference in the connections being made because the system restarts the service.

Will keep ya posted with what I find.

[G_Unit MVP]

Why is this shocking to anyone?

I don't see any posters been shocked... just a user sharing his finds.

[G_Unit MVP]

So, yes, I think it would be shocking to most users who assume Android Permissions are the be all and end all of data collection control, and that if they have them toggled off, they are safe. In fact some of my friends don't even realize those permissions exist yet.

Those are just "placebo switches". The user can toggle them on or off, and Google couldn't care less, they keep doing whatever they want.

[chetmanley]

Here is what I've found on both the keyone and priv.

With BB Diagnostics turned on, connections begin to appear to two servers:
ccl.eval.blackberry.com (74.82.74.2)
ccl.blackberry.com (74.82.74.1)

A quick google search yields that CCL has something to do with "context collection library data collection" across all apps.
How to import IT Policy Rule for disabling CCL Data Collection

These connections don't appear under the Blackberry Diagnostics App, but instead they flow through BB Hub+ Services which is surprising.

This conclusion is supported by the fact that com.blackberry.dm runs under Hub+Services when diagnostics is disabled (See right screen shot above of keyone).
When Diagnostics is enabled, then com.blackberry.dm appears as its own service (Left screenshot of the priv) which can be individually stopped (although it restarts).

So it appears that BB Diagnostics is using the Hub+Services app to make connections back to blackberry when diagnostics are turned on.

This still doesn't explain what the other Hub+Services connections to blackberry are however. These connections are not required to run the app.
(74.82.72.232 and 235)

The two theories discussed so far are Telemetry (for blackberry apps), License Verification, or maybe both since more than one BB IP is being connected to.

As was suggested by @Invictus0, I tried stopping both services to see if the connections stopped, but the phone just restarts the services. So I can't tell if those services are linked to the connections being made.


So in summary:

If you have BB Diagnostics switched off - it appears that it does indeed switch off, and no connections regarding BB Diagnostics are made.
(Although com.blackberry.dm still appears to run, just now within Hub+Services)

Verdict still out on if Hub+Services suite apps send telemetry or not.

[Invictus0]

Yea you need the full version to get all the IP filtering and traffic logs.

On both my Priv and Keyone I've turned on BB Diagnostics to see what changes occur. So far nothing new on the Keyone, but on the priv I started to see the CCL.Blackberry connection. How to import IT Policy Rule for disabling CCL Data Collection

I'm going to wait out and see if I get more of these connections, and how often they occur. If they occur regularly, I'll then turn diagnostics back off and see if they stop.

As for stopping the telemtry and license services - I didn't see a change in the connections. It was still pinging 74.82.72.232 or 235. But something I hadn't seen until stopping those services was a connection to Crashlytics. I guess stopping the services triggered this connection. It's also possible that stopping the services is so temporary that I don't see a difference in the connections being made because the system restarts the service.

Will keep ya posted with what I find.

Is it actually sending back telemetry data though? We'd have to check using a program like Fiddler or Wireshark. I don't know if he's still an active member but KermEd did something similar a few years on BB10.

Follow Up: Web Security Analysis & Brief How To – FileArchiveHaven

I haven't seen a NetGuard alert for the CCL URL yet but I'll let you know if it pops up.

[ray689]

I don't see any posters been shocked... just a user sharing his finds.

Maybe not shocked but surprised a little. And really, what is the ultimate goal/outcome? Not really much can be done to avoid these things if one wants to be connected is any sort of way.

[chetmanley]

Is it actually sending back telemetry data though? We'd have to check using a program like Fiddler or Wireshark. I don't know if he's still an active member but KermEd did something similar a few years on BB10.

Follow Up: Web Security Analysis & Brief How To – FileArchiveHaven

I haven't seen a NetGuard alert for the CCL URL yet but I'll let you know if it pops up.

I've gone back and tried Owasp and Charles SSL decryption proxy, but no luck figuring out what's being sent. Running these applications show some of the connections being made (not nearly as well as Netguard), but they aren't decrypting them. Some apps don't allow proxying so their connections may not even show up in these tests. I tried Fiddler, but all I got was the type of SSL/TLS encryption being used... Maybe I'm missing a setting. I've got each apps root certificate installed on the device, and I'm proxying through my PC, so I know its connected.

I've actually had better luck with SSL packet capture on android (by the same dev who made noroot firewall). It shows whats inside some google packets, but not whats inside BB packets.

[chetmanley]

Maybe not shocked but surprised a little. And really, what is the ultimate goal/outcome? Not really much can be done to avoid these things if one wants to be connected is any sort of way.

None of these connections are required to run the software. I've blocked them all and the applications run perfectly fine. - 10 years ago people used to call this stuff spyware -guess times have changed....

[ray689]

None of these connections are required to run the software. I've blocked them all and the applications run perfectly fine. - 10 years ago people used to call this stuff spyware -guess times have changed....

You are still being tracked be it your carrier, wifi, or websites you visit. It's unavoidable really.