1. gadgetfreak2
    Just wondering, does RIM review all apps submitted to appworld for malicious code, etc. before allowing to be downloaded?
    06-13-12 02:15 PM
  2. Shao128
    Yes and no.

    In my opinion RIM's approval process is more about ensuring the app meets any requirements as far as proper screenshots and a valid description (i.e. using TM in the proper places).

    Testing of the apps seems very limited. They allow through a lot of apps that do things they shouldn't or apps that do nothing at all. Then again so has Apple. So if you are asking if they review apps like Apple, then yes.
    06-13-12 02:23 PM
  3. gadgetfreak2
    So here is my big HYPOTHETICAL question. One of America's enemies realizes that BB (although some say is dying) is used by many government agencies and big-businesses. Many will have VERY strict IT policies but many will be more lax. This enemy creates a free (or maybe even small cost to keep some legitimacy) program (game, app, whatever) which MANY people download and use.

    Now, since all apps require that we modify permissions, no one thinks twice about doing so. Meanwhile, this popular app is really a Trojan horse and transmitting data to our enemy.

    Is this possible? Or have I been watching too much TV ?
    06-13-12 02:30 PM
  4. apengue1
    Everything is possible, all that changes between different brands is the probability of this happening. For RIM, it would probably be more improbable than others.

    And yes, you have been watching too much tv
    06-13-12 02:49 PM
  5. CharlesH
    > So here is my big HYPOTHETICAL question. One of America's enemies realizes that BB (although some say is dying) is used by many government agencies and big-businesses. Many will have VERY strict IT policies but many will be more lax. This enemy creates a free (or maybe even small cost to keep some legitimacy) program (game, app, whatever) which MANY people download and use.
    >
    > Now, since all apps require that we modify permissions, no one thinks twice about doing so. Meanwhile, this popular app is really a Trojan horse and transmitting data to our enemy.
    >
    > Is this possible? Or have I been watching too much TV ?

    The Blackberry is I think the only phone platform certified for classified material. And you can bet that those that do have access to sensitive material have "appropriate" IT policies. If it had been any other platform, I really doubt President Obama would have been able to keep his personal cell phone when he took office.
    06-13-12 03:05 PM
  6. gadgetfreak2
    Understood. For those with strict policies, chances are no 3rd party apps are allowed. But for those that have lax policies, is my hypothetical situation possible? Or does RIM review and make sure that no one can submit a harmful app to appworld?
    06-13-12 03:11 PM
  7. Trini-34
    I have noticed a lot of apps requesting access to my personal info (pictures, videos, recorded media and such). Granted, I totally overstand the need for some apps to require access to such to perform correctly (example: an app called "Today's Alarm Clock" requires access to your pictures so you can place your personal picture on the app page), but some others are very questionable. I do not allow/grant access to any of my files, but I do allow GPS locations (due to certain apps). Very interesting post, great question.

    +1 Way too much TV.
    06-13-12 03:16 PM
  8. Sultan Al Sooz
    Unfortunately, I discovered a few apps (by using a hex editor on their COD files) that steal PIN numbers using HTTP GET and POST methods; no average user will be able to figure this out. (They can also steal a lot more data this way.)

    My recommendation is to try to investigate:
    - 1st: connectivity permission is the most dangerous, very difficult to trace; never allow it unless you are 100% sure. (Use a hex editor on their COD files after download.)
    - 2nd: sending a hidden email then immediately deleting it using code. (Check your email/server logs.)
    - 3rd: sending SMS (by nature it is hidden from the SMS inbox, but it will show up in your bills).

    I just touched the surface but hope this helps.
    06-13-12 10:22 PM
  9. guerllamo7
    OP,
    The bottom line is that RIM makes a safer phone but only the user can ensure complete security.
    The scenario you mention does not require an app. A malicious website could also be used, and it could pose as a well-known popular site that could attach some kind of virus to any OS.

    Think of it this way:
    If you have a BlackBerry it is like swimming in a cove with pretty high reefs, so a shark could get through. Having an iPhone is like swimming in the open ocean so it is more likely a shark could have you for dinner. Having an Android phone is like swimming at night in the open ocean near the Farallon Islands with a bucket of bloody fish tied to your waist.

    Well, maybe that is a bit much but although there is no device that guarantees your security, the security levels are: Best BlackBerry, Medium Apple, Lowest Android. Just google security issues with devices and you can read tons of articles that basically confirm the above.
    06-13-12 11:10 PM
  10. Tre Lawrence
    No device protects a user who does not use said device with common sense.
    06-13-12 11:32 PM
  11. Xopher
    I know when I submit apps to App World, I see hits coming from RIM in the analytics, so I know they are at least installing it on devices and running the app. If I remember, they test to make sure the app installs, runs (without crashing), doesn't affect key services, and uninstalls properly. They probably test a few other things as well, along with checking description, and such.

    One of the stronger things is the signing process. The fact that RIM controls the signing keys means that they know who has signed an application. If someone does write an application with malware included, RIM will know who wrote/signed/submitted it. It makes it much easier to detect malicious developers, as well as lock keys out when they feel the need. It might not be a deterrent for all attacks, but it is a step that does help to keep malware to a minimum.

    There was an app that copied someone's address book back to their servers so it could match you up with other users. When RIM found out, they disabled the keys for that developer. They could no longer sign their apps and submit them to App World.
    06-14-12 03:42 PM
  12. emtunc
    > Unfortunately, I discovered a few apps (by using a hex editor on their COD files) that steal PIN numbers using HTTP GET and POST methods; no average user will be able to figure this out. (They can also steal a lot more data this way.)
    >
    > My recommendation is to try to investigate:
    > - 1st: connectivity permission is the most dangerous, very difficult to trace; never allow it unless you are 100% sure. (Use a hex editor on their COD files after download.)
    > - 2nd: sending a hidden email then immediately deleting it using code. (Check your email/server logs.)
    > - 3rd: sending SMS (by nature it is hidden from the SMS inbox, but it will show up in your bills).
    >
    > I just touched the surface but hope this helps.

    Interesting... do you have any more experience with this?

    Any sample hex you can show us with malicious activity? I would have thought the app testing process by RIM would be more thorough. Is this a disaster waiting to happen? Sure sounds like it.
    06-14-12 03:47 PM
  13. Sultan Al Sooz
    > Interesting... do you have any more experience with this?
    >
    > Any sample hex you can show us with malicious activity? I would have thought the app testing process by RIM would be more thorough. Is this a disaster waiting to happen? Sure sounds like it.

    There is no disaster here; just download any hex editor and use bbsak to get the .cod files from your phone, then check for any "http" strings. It's very simple once you know it.

    I can't accuse any app. I also believe that RIM analytics uses a similar technique as well, yet users are not knowledgeable about it.

    Bottom line: security is everyone's responsibility, and there is no such thing as 100% secure. However, RIM puts more security options for you than any other mobile OS, but you can still break your own mobile security if you are not careful.
    06-15-12 04:43 AM
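
The check described in the post above (pull the .cod files off the device, then search them for "http" strings), scripted as an added example that is not part of the original thread. Assumptions: the sample bytes are constructed, the ZIP handling assumes a large .cod may be a container of sibling modules, and the identifier keyword list is illustrative.

```python
import io
import re
import sys
import zipfile

# Printable-ASCII runs starting with a URL scheme, as a hex-editor search would show.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}", re.IGNORECASE)

def find_urls(data: bytes) -> list[str]:
    """Return the distinct http/https URL strings embedded in a binary blob."""
    seen = []
    for m in URL_RE.finditer(data):
        url = m.group().decode("ascii")
        if url not in seen:
            seen.append(url)
    return seen

def scan_cod(blob: bytes, name: str = "app.cod") -> dict[str, list[str]]:
    """Map each module name to the URLs found in it."""
    # Assumption: a ZIP-packed .cod holds sibling modules; scan each one separately.
    stream = io.BytesIO(blob)
    if zipfile.is_zipfile(stream):
        with zipfile.ZipFile(stream) as zf:
            return {n: find_urls(zf.read(n)) for n in zf.namelist()}
    return {name: find_urls(blob)}

def flag_query_params(urls, keywords=("pin", "imei", "email", "phone")):
    """Flag URLs whose query string names a device or personal identifier."""
    flagged = []
    for u in urls:
        query = u.partition("?")[2].lower()
        if any(re.search(rf"(^|&){k}=", query) for k in keywords):
            flagged.append(u)
    return flagged

# Constructed sample bytes standing in for a module pulled from a device.
SAMPLE = (b"\x00\x12net_rim\x00http://stats.example.invalid/r?pin=\x00\x07"
          b"\x00https://cdn.example.invalid/img.png\x00")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for module, urls in scan_cod(blob).items():
        review = flag_query_params(urls)
        for u in urls:
            print("REVIEW" if u in review else "      ", module, u)
```

A flagged URL is only a lead for review: many legitimate apps embed URLs, and strings built at run time or stored in another encoding will not appear in this scan.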
  14. howarmat
    Yes, this can happen, as Jarrod Co. pretty much does stuff like this already with their apps.
    06-15-12 05:08 AM