01-28-18 08:04 AM
  1. thegioman's Avatar
    Guys,

    Just been playing with the Locker facility on my BB Motion. Think I might have stumbled across security flaw???

    If I use the built-in file manager 'Files' to search for the Locker directory it fails to find anything, which is what you would expect. However, I also have File Commander installed and if I do the same thing and search for Locker it finds it and displays all the sub directories. If you then tap into, say, Documents, it displays all your documents, which will open without any security requirements, i.e. fingerprint, if you tap on them to open. The same goes with pictures. I moved a picture into the image directory within the Locker and again went through the same process. And again when you click on the image it opens up.

    I didn't think the Locker facility would allow this. Even if it displays the contents of the directory it shouldn't allow you to view the file without fingerprint / pattern authorisation.

    Can someone who has File Commander try this out and see if they experience the same issue. Thanks.
    01-01-18 02:48 PM
  2. pdrsantos's Avatar
    oh my! I can view all content!
    Yes it is true I can view all content clearly. Huge huge flaw!
    01-01-18 03:03 PM
  3. anon(9803228)'s Avatar
    Guys,

    Just been playing with the Locker facility on my BB Motion. Think I might have stumbled across security flaw???

    If I use the built-in file manager 'Files' to search for the Locker directory it fails to find anything, which is what you would expect. However, I also have File Commander installed and if I do the same thing and search for Locker it finds it and displays all the sub directories. If you then tap into, say, Documents, it displays all your documents, which will open without any security requirements, i.e. fingerprint, if you tap on them to open. The same goes with pictures. I moved a picture into the image directory within the Locker and again went through the same process. And again when you click on the image it opens up.

    I didn't think the Locker facility would allow this. Even if it displays the contents of the directory it shouldn't allow you to view the file without fingerprint / pattern authorisation.

    Can someone who has File Commander try this out and see if they experience the same issue. Thanks.
    Interesting. Could you try this out also with other file mgr apps, like for example Solid Explorer? Just curious.
    01-01-18 03:33 PM
  4. pdrsantos's Avatar
    With File Manager (File Explorer), ZenUI, ASUS Computer Inc., the same happens. I can view the content of the Locker.
    01-01-18 03:42 PM
  5. thegioman's Avatar
    I can confirm that Solid Explorer allows you to view files and open them...
    anon(9803228) likes this.
    01-01-18 03:48 PM
  6. bb10adopter111's Avatar
    I think the point of the Locker is to prevent any syncing to cloud services, keeping the files on the local device. I'm not sure it was designed to prevent the user (who is authorized) from accessing the files locally, through any appropriate app.

    Can someone else either confirm or refute this?

    Posted with my trusty Z10
    01-01-18 03:51 PM
  7. chetmanley's Avatar
    I've tried a number of different file explorers on my Keyone (Dec patch) and none of them reveal the Locker folder (I ensured that show hidden files was checked). The only place I can see the Locker folder is when connected to my computer, but when I open the Locker Folder in Windows Explorer, it appears empty.

    Maybe it's a problem on the Motion and not the Keyone?
    01-01-18 04:10 PM
  8. f_d's Avatar
    No, according to all the various marketing literature it is intended to prevent someone who picks up your device from seeing private files and photos. They say it is supposed to require password or fingerprint access and they use the word "secure" all over the place implying, but never outright stating that the storage is somehow encrypted or otherwise protected.

    In reality, the files are just moved into a subdirectory named "Locker" that the built-in apps cannot see, but 3rd party apps can easily navigate to this subdirectory and access all contents without any kind of access controls.

    A big huge fail on BlackBerry's part here, but I think this is mainly TCL selling BlackBerry corporate a bill of goods and nobody at BlackBerry doing any due diligence, as it appears the Locker app was written by TCL. I'm trying to decompile it as we speak to see how this thing works, but my older tools are having a bit of trouble, so I may need to go in and edit the manifest files. I'll report back if I can get it successfully decompiled.
    chetmanley likes this.
    01-01-18 04:17 PM
  9. bb10adopter111's Avatar
    No, according to all the various marketing literature it is intended to prevent someone who picks up your device from seeing private files and photos. They say it is supposed to require password or fingerprint access and they use the word "secure" all over the place implying, but never outright stating that the storage is somehow encrypted or otherwise protected.

    In reality, the files are just moved into a subdirectory named "Locker" that the built-in apps cannot see, but 3rd party apps can easily navigate to this subdirectory and access all contents without any kind of access controls.

    A big huge fail on BlackBerry's part here, but I think this is mainly TCL selling BlackBerry corporate a bill of goods and nobody at BlackBerry doing any due diligence, as it appears the Locker app was written by TCL. I'm trying to decompile it as we speak to see how this thing works, but my older tools are having a bit of trouble, so I may need to go in and edit the manifest files. I'll report back if I can get it successfully decompiled.
    TCL wrote the app??? I didn't know they had anyone writing software. I'm curious to see where this issue leads. I can see four possibilities:

    1) The Locker works as intended, keeping designated files from syncing to cloud services, but it allows local access to a properly logged on user by design, and the marketing people didn't understand the specification. (This would constitute a marketing error.)

    2) The Locker doesn't work as intended because the team defining the requirements never identified the possibility that a user would add a third party file manager. It was coded correctly, but with incomplete requirements. (Analyst error)

    3) The Locker doesn't work as intended because it was coded incorrectly and improperly tested prior to release. (Development AND testing error)

    4) Any combination of multiple errors 1, 2, and 3

    Of those scenarios, my biggest concern would be number 3, which would represent incompetence by the developers on a security feature.

    Posted with my trusty Z10
    01-01-18 04:37 PM
  10. f_d's Avatar
    Got the app decompiled and all it does is an elaborate password, pattern or fingerprint authentication check, then if it succeeds, it opens the file manager pointed at the Locker subdirectory. End of app. No attempt at encryption or anything else. Now the Manifest does appear to ask for permissions to access secure storage, but I think this is to allow the password / fingerprint mechanism to work vs securely storing the actual private file contents.

    There is NO mechanism at all to prevent cloud sync. I can point Google Drive at a file in the Locker (there's a roundabout procedure for this) and it will sync and so will Dropbox and every other cloud drive app I've tried.

    In short, the locker app as it is now, is completely useless.
    anon(9803228) likes this.
    01-01-18 04:45 PM
  11. bb10adopter111's Avatar
    Got the app decompiled and all it does is an elaborate password, pattern or fingerprint authentication check, then if it succeeds, it opens the file manager pointed at the Locker subdirectory. End of app. No attempt at encryption or anything else. Now the Manifest does appear to ask for permissions to access secure storage, but I think this is to allow the password / fingerprint mechanism to work vs securely storing the actual private file contents.

    There is NO mechanism at all to prevent cloud sync. I can point Google Drive at a file in the Locker (there's a roundabout procedure for this) and it will sync and so will Dropbox and every other cloud drive app I've tried.

    In short, the locker app as it is now, is completely useless.
    OK. So, if I understand you, its use case is limited to the following (extremely narrow) scenario:

    The authorized user placing files in the locker will avoid the default cloud syncing due to the different folder location, and anyone using the normal default Pictures app on the phone won't see the images. If the user wants to open the folder through the Locker app, a security check is performed.

    But ANY other app that can use the file manager can access the files in the folder without any additional security checks, and they can be set to sync with any desired cloud services.

    Posted with my trusty Z10
    01-01-18 04:55 PM
  12. f_d's Avatar
    You are very focused on the cloud sync aspect, but you're kind of missing the point. BlackBerry's own marketing literature does not mention cloud at all, but aims the Locker at privacy: you leave your device or hand it to someone and your private files are supposed to be protected so that they can't see them without password or fingerprint. This basically does not work at all because although the built-in apps do not look in the Locker folder location by default, it is trivial in most cases to make them go there, and most 3rd party apps, whether on-device or cloud, have no problems at all accessing this supposedly "secure" and protected content.
    phuoc likes this.
    01-01-18 05:29 PM
  13. bb10adopter111's Avatar
    You are very focused on the cloud sync aspect, but you're kind of missing the point. BlackBerry's own marketing literature does not mention cloud at all, but aims the Locker at privacy: you leave your device or hand it to someone and your private files are supposed to be protected so that they can't see them without password or fingerprint. This basically does not work at all because although the built-in apps do not look in the Locker folder location by default, it is trivial in most cases to make them go there, and most 3rd party apps, whether on-device or cloud, have no problems at all accessing this supposedly "secure" and protected content.
    I focus on the Cloud sync issue because that's the most common way that photos and videos get hacked. According to the marketing materials, images stored in the Locker are not uploaded to the cloud. It's one of the key reasons to use the Locker.

    Of course, it's also supposed to be secure on the local device!
    Posted with my trusty Z10
    01-01-18 06:20 PM
  14. thegioman's Avatar
    So the Locker facility fails to deliver any real level of privacy? Madness!

    Need someone from BB / TCL to clarify the position with this as currently it's farcical.
    anon(9803228) likes this.
    01-01-18 07:25 PM
  15. chetmanley's Avatar
    Would be nice if we had the option to uninstall those applications or at least disable them also.
    anon(9803228) likes this.
    01-01-18 07:53 PM
  16. tickerguy's Avatar
    Yeah, that's just utterly ridiculous.

    For comparison the LG V20 has a "locked" photos function -- in their gallery app you can select and "lock" a picture. It disappears out of the gallery if you do that.

    Well, it's not really "gone" either; it is moved to phone storage (if it was on the SD card) in a funky directory and it has an extension added to the name.

    But... it's also AES-128-CBC encrypted too! So while you CAN find it, you CAN read the name of it, and it's present on the device, good luck trying to actually access the contents.

    Now what I don't know is how they derived the key. The security on that app is a 4-digit PIN, it's linked (somehow) to your Google account (used by the Play store) and your fingerprint, as the fingerprint scanner is enough to lock or unlock (decrypt and put back where it originally was) an image. But the means to generate a secure symmetric AES key from various input sources (e.g. RSA public keys) are quite well-understood and secure -- so at least at first blush it looks pretty decent.

    BlackBerry/TCL should have at least gone that far, since the underlying OS has AES libraries (has to, in order to implement native storage encryption) -- so there's really no excuse for not having done so.
    01-01-18 08:56 PM
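The two designs the thread contrasts, post 10's decompile (a PIN check, then a plain folder on shared storage) and the LG gallery post 16 describes (contents actually encrypted under a key tied to the user's secret), as an added example in Go. This is not BlackBerry's, TCL's or LG's code: the in-memory SharedStorage map standing in for Android shared storage, the Locker/ path layout, the PIN, the PBKDF2 iteration count and the sample file bytes are all assumptions for illustration.

```go
// Added example, not BlackBerry/TCL/LG code: the two "locker" designs from this
// thread, modelled on an in-memory stand-in for Android shared storage.
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SharedStorage (assumption): any app holding the storage permission reads every entry.
type SharedStorage map[string][]byte

// Design A, post 10's reading of the decompiled app: check the PIN, then open a file
// manager on a subdirectory. Bytes stay plaintext; other apps read fs["Locker/"+name].
func hideInLocker(fs SharedStorage, name string, content []byte) {
	fs["Locker/"+name] = content
}

// Design B, the shape post 16 credits to LG: encrypt contents under a key derived
// from the user secret, so what other apps can read is useless to them.
const saltLen, nonceLen, pbkdfIter = 16, 12, 100000 // iteration count is an assumption

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018, 5.2), written out so the
// example needs only the standard library.
func pbkdf2SHA256(secret, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, secret)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, block))
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T_block = U_1 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives a 256-bit AES key from the PIN and a per-file salt.
func newGCM(pin string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(pin), salt, pbkdfIter, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFile stores salt || nonce || AES-256-GCM ciphertext under Locker/. The file
// name is the associated data, so a blob cannot be renamed into another entry.
func lockFile(fs SharedStorage, name string, content []byte, pin string) error {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return err
	}
	gcm, err := newGCM(pin, hdr[:saltLen])
	if err != nil {
		return err
	}
	fs["Locker/"+name+".enc"] = gcm.Seal(append([]byte(nil), hdr...), hdr[saltLen:], content, []byte(name))
	return nil
}

// unlockFile reverses lockFile; a wrong PIN or a modified blob fails the tag check.
func unlockFile(fs SharedStorage, name, pin string) ([]byte, error) {
	blob, ok := fs["Locker/"+name+".enc"]
	if !ok || len(blob) < saltLen+nonceLen {
		return nil, errors.New("no such locked file")
	}
	gcm, err := newGCM(pin, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], []byte(name))
	if err != nil {
		return nil, errors.New("wrong PIN or tampered file")
	}
	return pt, nil
}
func main() {
	fs := SharedStorage{}
	photo := []byte("constructed sample, not a real JPEG: private photo bytes")
	hideInLocker(fs, "photo.jpg", photo)
	_ = lockFile(fs, "photo.jpg", photo, "4821")
	_, wrongPIN := unlockFile(fs, "photo.jpg", "0000")
	fmt.Println("A: other app sees the photo:", bytes.Equal(fs["Locker/photo.jpg"], photo))
	fmt.Println("B: other app sees the photo:", bytes.Contains(fs["Locker/photo.jpg.enc"], photo), "; wrong PIN:", wrongPIN)
}
```

What the comparison shows: in design A the PIN protects one app's screen and nothing protects the bytes, so a file manager, a gallery pointed at the folder or a cloud-sync client all read the file. In design B the same readers get salt, nonce and ciphertext, and the GCM tag, with the file name as associated data, rejects a wrong PIN, a modified blob and a blob copied under another name. Two caveats a real implementation has to handle: the file name and size still leak, as post 16 notes for LG, and a four-digit PIN gives only 10,000 candidates, so PBKDF2 merely slows an offline guess; on a real device the key needs to live in, or be wrapped by, the hardware-backed keystore and be released only after the OS's own PIN/fingerprint check with its rate limiting, which is the part of the LG design post 16 could not determine.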
  17. thurask's Avatar
    Which version of the Files app, and which version of the system software is this on?

    Last I checked, BB specifically modified the filesystem access API to prevent internal storage/Locker from being accessible outside of Files, if the OS was new enough.
    01-01-18 08:58 PM
  18. conite's Avatar
    I can NOT see the Locker folder with Solid Explorer on KEYᵒⁿᵉ running AAS212.
    Last edited by conite; 01-01-18 at 10:43 PM.
    01-01-18 09:06 PM
  19. f_d's Avatar
    AAR748, latest available OS for Motion.
    01-01-18 10:14 PM
  20. HigherThanMars's Avatar
    Wow, well that's a bummer. I hope they update this app so that it encrypts and hides the entire subdirectory and all files within. You would think that's how it would work in the first place....
    01-02-18 12:46 AM
  21. bb10adopter111's Avatar
    I can NOT see the Locker folder with Solid Explorer on KEYᵒⁿᵉ running AAS212.
    Hmm, given that Solid has a great reputation, that also raises the issue that the Locker Mode may work with correctly implemented file managers but be vulnerable to file managers that don't follow the rules.

    Posted with my trusty Z10
    01-02-18 07:56 AM
  22. conite's Avatar
    Hmm, given that Solid has a great reputation, that also raises the issue that the Locker Mode may work with correctly implemented file managers but be vulnerable to file managers that don't follow the rules.

    Posted with my trusty Z10
    I actually think locker mode requires the latest OS for it to be fully and correctly implemented.
    01-02-18 07:57 AM
  23. thegioman's Avatar
    bb Motion AAR748

    Interestingly, the built in file manager 'Files' does not find the Locker directory when you search for it and you can't see it in the list of subdirectories.
    However, as I stated previously, File Commander displays the Locker directory, subdirectories and contents within the sub directories which you can tap and open.
    01-02-18 08:05 AM
  24. conite's Avatar
    bb Motion AAR748

    Interestingly, the built in file manager 'Files' does not find the Locker directory when you search for it and you can't see it in the list of subdirectories.
    However, as I stated previously, File Commander displays the Locker directory, subdirectories and contents within the sub directories which you can tap and open.
    Not on AAS212 on the KEYᵒⁿᵉ though.
    01-02-18 08:16 AM
  25. bb10adopter111's Avatar
    I actually think locker mode requires the latest OS for it to be fully and correctly implemented.
    Yes, that's correct, but not what I was trying to say. I was referring to third party file managers, not Android itself.

    Posted with my trusty Z10
    01-02-18 08:22 AM