1. app_Developer's Avatar
    You're welcome to develop for the platform natively yourself. However, your argument about third-party developers is only applicable if the developer installs some malware or runs the app's connection through their own servers. While this is a frequent problem for Android, it has never ever been an issue for BB10 and likely wouldn't be possible for native apps given QNX.
    What??? How does QNX protect the user from a 3rd party app developer seeing her keystrokes? Or her bank balance?

    If I make an app for you to access IG then my code can see your stuff. That's a vulnerability. Explain to me how QNX solves that? QNX is not some magic security dust that fixes all the things.

    You are welcome to your perspective on Android apps. Unless you actively block anything below TLS 1.3 those apps and BB10 use the exact same level of TLS. As far as monitoring for signs of alteration, you couldn't do that in BB10 because it's not possible to hack native apps in the way you describe, therefore it's not an issue.
    We can and do block TLS below the versions of iOS and Android that we support. You can do that when you know your apps are the only ones you're supporting. You can also control exactly which ciphers you want to use and you don't have to coordinate that with anyone but your own infrastructure.

    Users can and do download hacked apps from dodgy app stores and dodgy developers. BB10 users who are desperate for apps, because they can't have the genuine official apps, do it all the time. (See Nemory)

    Random developers would only have access to your data if you provided such access via API. It's possible to secure or otherwise limit such access if your back-end infrastructure supports it.
    What?? If I enter a key on your app, your code can see my keys. It's not that difficult to understand this. If your app is showing me my bank balance, then your code has access to my bank balance. This is basic programming knowledge.

    As for third-party native apps being developed, you are welcome to use or not use those apps as you desire. I suspect, however, that you are perfectly willing to provide access to your infrastructure to users who provide their keystrokes, account information, and all of that to Google at a bare minimum. (If you yourself utilize Google services, you also would be willing to provide your keystrokes, account information, and all of that to them.)
    No, that's not how apps work. When you tap on our app to check when your car service is due, Google has no way of seeing that.

    If you used a 3rd party app to check when your service is due, that 3rd party can see that. Because the 3rd party app would be retrieving that data from us.
    Mecca EL likes this.
    08-01-19 08:07 PM
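Added example, not part of any post in this thread: the server-side control described in the post above (refusing TLS below a chosen floor and pinning the cipher list), sketched in Go. The host name `api.example.test`, the throwaway certificate and the three client profiles are constructed for the demo; clients are capped at TLS 1.2 so the handshake can run over an in-memory pipe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const host = "api.example.test" // constructed name, not a real service

// must panics on setup errors so the demo code stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert makes a throwaway in-memory certificate and a pool trusting it.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// backendPolicy is the server side: a TLS 1.2 floor and an explicit suite allow-list.
func backendPolicy(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// clientProfile models one kind of app build; nil suites means the library defaults.
func clientProfile(roots *x509.CertPool, min, max uint16, suites []uint16) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host,
		MinVersion: min, MaxVersion: max, CipherSuites: suites}
}

// tryClient runs one handshake over an in-memory pipe and reports the server's view.
func tryClient(server, client *tls.Config) (uint16, error) {
	cEnd, sEnd := net.Pipe()
	defer cEnd.Close()
	defer sEnd.Close()
	cEnd.SetDeadline(time.Now().Add(5 * time.Second))
	sEnd.SetDeadline(time.Now().Add(5 * time.Second))
	go tls.Client(cEnd, client).Handshake()
	srv := tls.Server(sEnd, server)
	if err := srv.Handshake(); err != nil {
		return 0, err // no shared protocol version or no shared cipher suite
	}
	return srv.ConnectionState().Version, nil
}

func main() {
	cert, roots := selfSignedCert()
	policy, v12 := backendPolicy(cert), uint16(tls.VersionTLS12)
	cbc := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}
	fmt.Println(tryClient(policy, clientProfile(roots, v12, v12, nil)))                           // accepted
	fmt.Println(tryClient(policy, clientProfile(roots, tls.VersionTLS10, tls.VersionTLS11, nil))) // below the floor
	fmt.Println(tryClient(policy, clientProfile(roots, v12, v12, cbc)))                           // suite not on the list
}
```

This policy only decides which protocol versions and suites the backend will speak; it says nothing about which app is on the other end of the connection.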
  2. TrumpetTiger's Avatar
    What??? How does QNX protect the user from a 3rd party app developer seeing her keystrokes? Or her bank balance?

    If I make an app for you to access IG then my code can see your stuff. That's a vulnerability. Explain to me how QNX solves that? QNX is not some magic security dust that fixes all the things.



    We can and do block TLS below the versions of iOS and Android that we support. You can do that when you know your apps are the only ones you're supporting. You can also control exactly which ciphers you want to use and you don't have to coordinate that with anyone but your own infrastructure.

    Users can and do download hacked apps from dodgy app stores and dodgy developers. BB10 users who are desperate for apps, because they can't have the genuine official apps, do it all the time. (See Nemory)



    What?? If I enter a key on your app, your code can see my keys. It's not that difficult to understand this. If your app is showing me my bank balance, then your code has access to my bank balance. This is basic programming knowledge.

    No, that's not how apps work. When you tap on our app to check when your car service is due, Google has no way of seeing that.

    If you used a 3rd party app to check when your service is due, that 3rd party can see that. Because the 3rd party app would be retrieving that data from us.
    QNX actively prevents the sort of permissions acquisition that would be required to allow a native BB10 app to actively transmit data back to a third-party server, thus preventing third-party developers from having any method of accessing the keystrokes or bank balance.

    Your third-party app for IG hypothetical only applies if your app transmits data back to some central location and/or provides a direct connection to your infrastructure.

    As for TLS, since iOS and Android support 1.2, and BB10 also supports 1.2, you would only need to block BB10 if you actively wanted BB10 users not to use your platform. That is your decision of course, but is a bias against a platform and user base, not for any security-related reason.

    Users can and do download dodgy Android apps, but it's not possible to have dodgy BB10 native apps. (Nemory argues his are, but then again...that's Nemory.)

    My code may be able to see your keys, but I can't unless my app actively transmits it back to me.

    As far as how apps work, Google could likely actively access your app through code in Android if it so desired. It maintains an active connection to the device, which has an active connection to your infrastructure. This then allows for the possibility of Google using its active connection to connect to your infrastructure.

    3rd party apps, on the other hand, would only have this ability if they maintained an active connection to their developer's infrastructure, which cannot be done due to the lack of ability to gain the necessary native permissions in QNX.
    08-01-19 08:41 PM
  3. app_Developer's Avatar
    QNX actively prevents the sort of permissions acquisition that would be required to allow a native BB10 app to actively transmit data back to a third-party server, thus preventing third-party developers from having any method of accessing the keystrokes or bank balance.
    Totally false. I can write an app on BB10 and send stuff wherever I want if the user has given me network access. It's my app. If I'm an "IG app" the user will certainly give me network access.

    What you have said is totally false. If the app goes to our server and gets a balance, how on earth does the app (which JUST got the balance) not know the balance that it just got??

    Is this like app amnesia??

    Your third-party app for IG hypothetical only applies if your app transmits data back to some central location and/or provides a direct connection to your infrastructure.
    Very easily done.

    As for TLS, since iOS and Android support 1.2, and BB10 also supports 1.2, you would only need to block BB10 if you actively wanted BB10 users not to use your platform. That is your decision of course, but is a bias against a platform and user base, not for any security-related reason.

    Users can and do download dodgy Android apps, but it's not possible to have dodgy BB10 native apps. (Nemory argues his are, but then again...that's Nemory.)

    My code may be able to see your keys, but I can't unless my app actively transmits it back to me.

    As far as how apps work, Google could likely actively access your app through code in Android if it so desired. It maintains an active connection to the device, which has an active connection to your infrastructure. This then allows for the possibility of Google using its active connection to connect to your infrastructure.

    3rd party apps, on the other hand, would only have this ability if they maintained an active connection to their developer's infrastructure, which cannot be done due to the lack of ability to gain the necessary native permissions in QNX.
    Again, if a user gives an app permission to access the net, that app can access anything on the net. There is nothing more granular than that in the BB10 permissions.

    Again, with all due respect, you should perhaps spend some time writing some simple apps just so you can see for yourself what your code can and can't see and do. It would be enlightening.

    As for the OP's question. The answer is most apps that people want on a phone are controlled by the companies who own those apps and those services. That's how it is in 2019.
    Mecca EL and Dunt Dunt Dunt like this.
    08-01-19 08:50 PM
  4. TrumpetTiger's Avatar
    Totally false. I can write an app on BB10 and send stuff wherever I want if the user has given me network access. It's my app. If I'm an "IG app" the user will certainly give me network access.

    What you have said is totally false. If the app goes to our server and gets a balance, how on earth does the app (which JUST got the balance) not know the balance that it just got??

    Is this like app amnesia??



    Very easily done.



    Again, if a user gives an app permission to access the net, that app can access anything on the net. There is nothing more granular than that in the BB10 permissions.

    Again, with all due respect, you should perhaps spend some time writing some simple apps just so you can see for yourself what your code can and can't see and do. It would be enlightening.

    As for the OP's question. The answer is most apps that people want on a phone are controlled by the companies who own those apps and those services. That's how it is in 2019.
    Again, the app itself would know the balance. But the developer would not unless the developer has purposefully told the app to send all of its data to infrastructure the developer controls.

    As for QNX allowing that, it's absolutely true that it doesn't permit the necessary native permissions. Android does permit them, which is why it's so easy to deploy malware to the platform.

    You are correct in that an app can access the Internet if given the appropriate permissions. But Internet access does not equal the ability to reach into a device, grab data, and send it to a third-party server. It's the reaching into the device to retrieve data part that BB10 prevents.

    I appreciate the "with all due respect" comment. However, I'm confident based on current experience that my statements are accurate.

    I've already answered the OP's question, but again: while it's certainly easier if a company develops a native app themselves for a platform, it's not necessarily impossible to provide that functionality by third-party app.
    08-01-19 08:59 PM
  5. Invictus0's Avatar
    As for QNX allowing that, it's absolutely true that it doesn't permit the necessary native permissions. Android does permit them, which is why it's so easy to deploy malware to the platform.
    You just need the Internet permission for this which BB10 (like Android) provides by default with no way to disable without a VPN. And it's totally doable on BB10, check out this article.

    Web Security Analysis of 12 BlackBerry 10 Applications – File Archive Haven
    08-01-19 11:30 PM
  6. berradicted_fr's Avatar
    We can make a group, and support devices like Passport and Q10, with applications that are cross-platform.

    They don't have to be dead already, the hardware is still pretty good.
    There is still some light here on GitHub:

    https://github.com/berryamin/playbook-dev-tools

    We are 3 contributors updating command line tools for Term48 ; (original project by Mordak, Unix SDL based terminal with Audio capabilities. Video not tested but improbable)

    Only hack for "Unix Tinkerers .. but pretty cool !"

    ALREADY WORKING:
    - rsync, xz, gnu coreutils
    - git
    - taskwarrior (no ssl support yet)
    - play wav using libnixtla
    - vim
    - perl5 .. (but no valid commit to git repo ..)
    - sqlite3

    ALREADY PLANNED:
    - docker build image

    WISH LIST:
    - cmake
    - weechat universal chat client
    - play mp3, flac
    - updated ssl library
    - command line telegram client

    What else ?

    New contributors always warmly welcome !

    Best Regards
    Last edited by berradicted_fr; 08-02-19 at 01:28 AM. Reason: add cmake to wish list
    08-02-19 01:25 AM
  7. Troy Tiscareno's Avatar
    You're welcome to develop for the platform natively yourself. However, your argument about third-party developers is only applicable if the developer installs some malware or runs the app's connection through their own servers. While this is a frequent problem for Android, it has never ever been an issue for BB10 and likely wouldn't be possible for native apps given QNX.
    Are you kidding? As just one example, a number of Nemory's BB10 apps did exactly this (ran people's SnapChat, Instagram, Facebook, etc.) logins through his own server - he could see everything anyone was doing in his apps. He was doing this because there were no public APIs and he was sending fake information to get users logged in - and was eventually caught and blocked. But BB10/QNX did exactly zero to prevent this.
    Dunt Dunt Dunt likes this.
    08-02-19 01:43 AM
  8. elfabio80's Avatar
    Are you kidding? As just one example, a number of Nemory's BB10 apps did exactly this (ran people's SnapChat, Instagram, Facebook, etc.) logins through his own server - he could see everything anyone was doing in his apps. He was doing this because there were no public APIs and he was sending fake information to get users logged in - and was eventually caught and blocked. But BB10/QNX did exactly zero to prevent this.
    And it was BB10.... Imagine Android... :ADDD
    08-02-19 01:57 AM
  9. TrumpetTiger's Avatar
    You just need the Internet permission for this which BB10 (like Android) provides by default with no way to disable without a VPN. And it's totally doable on BB10, check out this article.

    If no such code is put into the app, as was done with the majority of the third-party apps mentioned (including Blaq, a third-party app for Twitter), then no data is stolen or leveraged. The vast majority of BB10 developers are good and decent people who do not do such things, but even in Nemory's case his malicious activity was limited to data specifically entered in his apps for which they had obtained permission.

    You should always consider the source of your apps, but to allege that all third-party developers are malicious and all major platforms/companies are secure is simply wrong.
    Web Security Analysis of 12 BlackBerry 10 Applications – File Archive Haven
    Nemory's apps steal data. Color me shocked.

    However, of course a developer can put in malicious code to an app and it can steal data to which it has been given explicit permissions. What QNX and thus BB10 blocks is the ability to leverage permissions for greater access. Android does no such thing.
    08-02-19 01:58 AM
  10. TrumpetTiger's Avatar
    Are you kidding? As just one example, a number of Nemory's BB10 apps did exactly this (ran people's SnapChat, Instagram, Facebook, etc.) logins through his own server - he could see everything anyone was doing in his apps. He was doing this because there were no public APIs and he was sending fake information to get users logged in - and was eventually caught and blocked. But BB10/QNX did exactly zero to prevent this.
    BB10/QNX prevented further leveraging by Nemory of permissions to get in and install further malicious software. His apps only took data that was entered by users or for which users gave exclusive permission. He is also the only example of a BB10 developer that has done such a thing, which should be no surprise to anyone familiar with his fraudulent tactics.
    08-02-19 01:59 AM
  11. Troy Tiscareno's Avatar
    He is also the only example of a BB10 developer that has done such a thing, which should be no surprise to anyone familiar with his fraudulent tactics.
    He's the only one you know about, but any developer who makes an app for someone else's service could easily do the same. And this is why companies don't want third-party apps accessing their services, and why they've closed APIs and increased security and encryption.
    app_Developer likes this.
    08-02-19 08:00 AM
  12. anon(10512033)'s Avatar
    To add another issue into the mix, I've always wondered how much longer signing keys would remain available and functional for signing apps.

    It seems that when I put together launchers and web wrappers for BB OS7 and BB10, the signing process might have involved making contact with BlackBerry's servers (my memory is fuzzy on that one -- correct me if I'm wrong). I don't know if they would still work if BlackBerry shut down the servers. Does anyone know the answer to that question?

    I also can't remember if you can run unsigned apps in dev mode in BB10. It's been a while.
    08-02-19 09:52 AM
  13. Dunt Dunt Dunt's Avatar
    You are correct in that an app can access the Internet if given the appropriate permissions. But Internet access does not equal the ability to reach into a device, grab data, and send it to a third-party server. It's the reaching into the device to retrieve data part that BB10 prevents.
    You are correct... as long as the user doesn't allow Shared Files access. But then you're going to find it hard to run many apps without that Shared File permission. Especially social apps...

    BB10 was great in that they were the first to really allow users to control permissions for Native Apps, but bottom line is apps need some things turned on.

    Most all apps are prevented from writing into the "file system" on the device, so their data has to be stored in shared data locations. Now many apps like banking will store this data in encrypted files (or not at all) so while the data could be taken, it couldn't be read (unless brute forced). But most other apps store data in unencrypted databases...

    Contacts is a separate database... but once again most social apps, and many others, will need access to this to even run.

    I'm not sure what data you think BB10 can magically hide?
    app_Developer likes this.
    08-02-19 10:02 AM
  14. anon(10512033)'s Avatar
    WISH LIST:
    - cmake
    - weechat universal chat client
    - play mp3, flac
    - updated ssl library
    - command line telegram client

    What else ?
    This could be enough to make me put the Passport back in service.

    You mentioned mp3 and flac. My go to in the terminal is mplayer. It plays many formats and has the added benefit of playing streams. It's the swiss army knife of UNIX audio if you ask me!

    I also use lynx a lot for web and gopher browsing, so I'd love to see it.

    The other terminal app that I use a lot is ssh (for SDF.org and my own servers). Is that already integrated in Term48?
    08-02-19 10:11 AM
  15. Dunt Dunt Dunt's Avatar
    This could be enough to make me put the Passport back in service.

    You mentioned mp3 and flac. My go to in the terminal is mplayer. It plays many formats and has the added benefit of playing streams. It's the swiss army knife of UNIX audio if you ask me!

    I also use lynx a lot for web and gopher browsing, so I'd love to see it.

    The other terminal app that I use a lot is ssh (for SDF.org and my own servers). Is that already integrated in Term48?
    Except I don't see much new activity there.... Is it a different fork?

    Back when Mordak started all this for the PlayBook, debug tokens were required. I don't see that requirement in berryamin's instructions, so this might have somehow gone away for BB10?

    There is a fork for RANIO... which is a blast from the past https://github.com/ranio/bb10-native-tools
    anon(10512033) likes this.
    08-02-19 11:10 AM
  16. anon(10512033)'s Avatar
    Except I don't see much new activity there.... Is it a different fork?

    Back when Mordak started all this for the PlayBook, debug tokens were required. I don't see that requirement in berryamin's instructions, so this might have somehow gone away for BB10?

    There is a fork for RANIO... which is a blast from the past https://github.com/ranio/bb10-native-tools
    Good point. I didn't check to see if there were recent commits. Perhaps they are compiling applications elsewhere?
    08-02-19 11:44 AM
  17. TrumpetTiger's Avatar
    To add another issue into the mix, I've always wondered how much longer signing keys would remain available and functional for signing apps.

    It seems that when I put together launchers and web wrappers for BB OS7 and BB10, the signing process might have involved making contact with BlackBerry's servers (my memory is fuzzy on that one -- correct me if I'm wrong). I don't know if they would still work if BlackBerry shut down the servers. Does anyone know the answer to that question?

    I also can't remember if you can run unsigned apps in dev mode in BB10. It's been a while.
    You only need access to BBL's servers to generate the key. Once you have it it is valid until expiration (two years I believe).

    I'm unsure on unsigned apps but I believe they will work in dev mode.
    08-02-19 01:56 PM
  18. TrumpetTiger's Avatar
    He's the only one you know about, but any developer who makes an app for someone else's service could easily do the same. And this is why companies don't want third-party apps accessing their services, and why they've closed APIs and increased security and encryption.
    Companies have done what they have done due to the nature of Android and iOS malware. As for data access, third-party developers could get usernames and passwords, but if you have a robust enough back-end such access would be limited to those users' data specifically. If your back-end allows for the leveraging of a basic user privilege to gain administrative access to your servers and thus data, you have larger problems than APIs.
    08-02-19 01:58 PM
  19. TrumpetTiger's Avatar
    You are correct... as long as the user doesn't allow Shared Files access. But then you're going to find it hard to run many apps without that Shared File permission. Especially social apps...

    BB10 was great in that they were the first to really allow users to control permissions for Native Apps, but bottom line is apps need some things turned on.

    Most all apps are prevented from writing into the "file system" on the device, so their data has to be stored in shared data locations. Now many apps like banking will store this data in encrypted files (or not at all) so while the data could be taken, it couldn't be read (unless brute forced). But most other apps store data in unencrypted databases...

    Contacts is a separate database... but once again most social apps, and many others, will need access to this to even run.

    I'm not sure what data you think BB10 can magically hide?
    Shared files are limited to user data, and many social apps can have shared files permission limited.

    It is the actual root file system data to which I'm referring--in other words, BB10 native apps can only allow access to specific data to which they are granted that access. Other OSes have many examples of leveraging access to deploy malicious software which gets into the device itself. BB10 native apps prevent this.
    08-02-19 02:01 PM
  20. Dunt Dunt Dunt's Avatar
    Shared files are limited to user data, and many social apps can have shared files permission limited.

    It is the actual root file system data to which I'm referring--in other words, BB10 native apps can only allow access to specific data to which they are granted that access. Other OSes have many examples of leveraging access to deploy malicious software which gets into the device itself. BB10 native apps prevent this.
    But isn't your user data the whole point?
    Shared files permission limited? As I said only if the App employed some protection, if it doesn't... what can a user do?

    What good is it if someone can't break into your barn... if all the cows are out in the field?
    08-02-19 02:54 PM
  21. anon(10603236)'s Avatar
    Create what?

    Apps... no Android apps aren't all open source, they belong to the developers. Those apps that use services like Snap, Twitter, Facebook... those services for security reasons are tightly controlled by those companies. Even if you found a way to hack their app, they'd close the access and block you.

    You want a SNAP App, only SNAP is able to create one that will connect to their servers. Same for most all apps that need to connect to a "service".
    I meant rework the OS.

    My Mood ring is missing and I don't know how I feel about this!!
    I did mention... I personally don't know which way is up so give me the short explanation
    08-02-19 03:32 PM
  22. app_Developer's Avatar
    But isn't your user data the whole point?
    For those of us who have customers whom we serve this way, that is exactly the whole point. Their information and the details of their usage we would like to keep between us and them, with nobody in between.
    Dunt Dunt Dunt likes this.
    08-02-19 03:58 PM
  23. Chuck Finley69's Avatar
    For those of us who have customers whom we serve this way, that is exactly the whole point. Their information and the details of their usage we would like to keep between us and them, with nobody in between.
    As a non-tech person, this seems obvious from my POV since I'm concerned enough with proprietary large corporations. I don't need additional third parties muddying the waters even more.
    Dunt Dunt Dunt likes this.
    08-02-19 05:07 PM
  24. TrumpetTiger's Avatar
    But isn't your user data the whole point?
    Shared files permission limited? As I said only if the App employed some protection, if it doesn't... what can a user do?

    What good is it if someone can't break into your barn... if all the cows are out in the field?
    If the user chooses to grant Shared Files permission, then the app has the ability to access those files.

    To take your analogy, if someone wants to hide among your cows when they're out in the field and use that to burn down your barn but your barn only permits cows through its doors and actively blocks anything else, your barn is saved.
    08-02-19 05:33 PM
  25. conite's Avatar
    If the user chooses to grant Shared Files permission, then the app has the ability to access those files.
    But the app wouldn't even function without file system access.
    goku_vegeta likes this.
    08-02-19 06:25 PM