11-08-15 12:22 PM
  1. Branta's Avatar
    Please discuss the topic of the thread, smartphone products and software, or even services provided. DO NOT discuss or make personal comments about other members posting in the thread.
    Laura Knotek and DaDaDogg like this.
    11-07-15 05:25 PM
  2. Branta's Avatar
    This is a fan site. If you have legitimate questions about what BlackBerry has done, pose them on a security forum. I'm sure one exists.
    Not only is CrackBerry a fan site, it is the largest online discussion area for all aspects of BlackBerry, whether fans, experienced users, beginners, or prospective users. As such the topic of the thread is legitimate for this forum.
    Laura Knotek, zocster and clie610 like this.
    11-07-15 05:31 PM
  3. sayf777's Avatar
    Followed a discussion earlier on, on XDA, mumbo jumbo as I couldn't really follow, but the guy who gave the long explanation said it's not looking good in terms of being able to root due to what we know as the root of trust, if iirc?

    Posted via the CrackBerry App for Android
    11-07-15 06:09 PM
  4. sayf777's Avatar
    Just go to the Priv section and the thread "is root possible", page 3

    Edit: I am mistaken. I think that long explanation is for Android 6.0 along with the chain of trust (statement used there for Nexus).

    Posted via the CrackBerry App for Android
    11-07-15 06:14 PM
  5. tickerguy's Avatar
    The biggest issue for most users is not whether a device is remote-root-exploitable directly. If it is, you're in deep trouble, but those are rare events.

    There are two general classes of problem -- malicious applications and remote-exploitable stupidity on the part of the software writers. The first is one that's akin to a crook asking if he can come into your house, and you say yes -- then wonder why you got robbed. Well? The big issue from a privacy standpoint is that most apps ask for permission but never tell you why, or what they're going to do with it. The "big guys" like Facebook and many games will set up a persistent process and start sending tracking data (including location) even when you're not in the app. That's outrageous, but Google (and Apple) have not only allowed it, they've been real quiet about how often it happens (e.g. that data is used). DTEK gives you some of that information, which is good. It's up to you if the tradeoff is worth it; remember that Facebook can be accessed via the browser, and if you do that it only gets location data while you're using it. You choose. M will let you shut off permissions individually, which is good, but whether people will is another matter. I can do it now on my Passport for Android apps through third-party software -- and do.

    The second aspect of it is vulnerabilities in system libraries. These are especially bad because you can go to a web page or get a text or MMS message that is specifically crafted to exploit it, and bingo -- the attacker has now got a piece of code on your phone. That code snippet is usually small, but if he can manage to craft a way to tell the phone to grab a much bigger hunk of code from somewhere (e.g. the internet) using that, you're screwed, because what he now has is a way to get back into the device any time he wants. If that code manages to load persistently (e.g. store itself on the device) then the real fun begins, because he now has all the access that app had, which means (typically) he can grab any file on the device and frequently can access things like the camera, location, contacts and sometimes messages. If he can figure out what sort of device it is, then if he has an exploit that allows privilege escalation he can send that down, and now you have a remote-root exploit that allows literal grabbing and destruction or modification of anything.

    This latter risk is the one that BlackBerry can do something about before M ships, and I assume likely has. Most of this is not kernel-level though -- it's in the system libraries.

    Note that this last month's update from Google addressed a number of these system library problems.
    11-07-15 06:34 PM
  6. cgk's Avatar
    Thanks for that - I wonder if the Google zero (I think that is the name?) team are going to take a run at the Priv?
    11-08-15 05:12 AM
  7. tickerguy's Avatar
    Of course.

    But remember that BB10 has had people after it for roughly two years with zero known successes. And while there are a lot more Androids out there the BB10 users tend to be higher-value targets -- think Merkel, for one. It's "fun" to get the mass market folks but if you can "score" someone important, oh boy......
    11-08-15 06:54 AM
  8. DaDaDogg's Avatar
    Merkel got hacked on her political Party Phone, which was a Nokia and not the ultra secure Secusmart Z10.
    11-08-15 07:44 AM
  9. treo_knight's Avatar
    The biggest issue for most users is not whether a device is remote-root-exploitable directly. If it is, you're in deep trouble, but those are rare events.
    You choose. M will let you shut off permissions individually which is good, but whether people will is another matter. I can do it now on my Passport for Android apps through third-party software -- and do.
    tickerguy: Thank you for a very detailed yet easily understandable answer for someone who likes his devices and values his privacy but does not understand the nuts and bolts that go into putting it all together for us users.

    cgk: I completely support your line of questioning and am so happy to see the thread being moderated with thought and perspective. As members of a BB fansite we don't want to be seen as blind followers. This is an intelligent discussion seeking more information/clarification on the security/privacy aspects of a handset made by a company we expect to deliver what its brand USP stands for. Attempts at questioning or understanding aspects of the technology used cannot be thwarted by self-styled troll-hunting Inquisition Inspectors.

    BTW, cgk you have been around for a while. Right? I don't comment on this forum very often but have been around for years (treocentral, palm, webos and now cb) and that forum name of yours rings a bell from years gone by.

    Posted via CB10
    11-08-15 11:35 AM
  10. clie610's Avatar
    I'm with the OP on his concern about the kernel in relation to the security issue, and disagree that the kernel is 'just a tiny little part' of other subjects on the whole security concern.
    Here's the quote from Android Central explaining what kernel we are talking about (you can google the link if you want to know the rest of the article):

    "Android devices use the Linux kernel, but it's not the exact same kernel other Linux-based operating systems use. There's a lot of Android specific code built in, and Google's Android kernel maintainers have their work cut out for them. OEMs have to contribute as well, because they need to develop hardware drivers for the parts they're using for the kernel version they're using. This is why it takes a while for independent Android developers and hackers to port new versions to older devices and get everything working. Drivers written to work with the Gingerbread kernel on a phone won't necessarily work with the Ice Cream Sandwich kernel. And that's important, because one of the kernel's main functions is to control the hardware. It's a whole lot of source code, with more options while building it than you can imagine, but in the end it's just the intermediary between the hardware and the software".

    If this gate (kernel) is not maintained or designed well...then what do we expect on our concern about security?
    11-08-15 11:38 AM
  11. cgk's Avatar
    BTW, cgk you have been around for a while. Right? I don't comment on this forum very often but have been around for years (treocentral, palm, webos and now cb) and that forum name of yours rings a bell from years gone by.

    Posted via CB10
    Good catch - yes, my first smartphone was a Treo way back when...
    11-08-15 11:40 AM
  12. tickerguy's Avatar
    I'm with the OP on his concern about the kernel in relation to the security issue, and disagree that the kernel is 'just a tiny little part' of other subjects on the whole security concern.
    Here's the quote from Android Central explaining what kernel we are talking about (you can google the link if you want to know the rest of the article):

    "Android devices use the Linux kernel, but it's not the exact same kernel other Linux-based operating systems use. There's a lot of Android specific code built in, and Google's Android kernel maintainers have their work cut out for them. OEMs have to contribute as well, because they need to develop hardware drivers for the parts they're using for the kernel version they're using. This is why it takes a while for independent Android developers and hackers to port new versions to older devices and get everything working. Drivers written to work with the Gingerbread kernel on a phone won't necessarily work with the Ice Cream Sandwich kernel. And that's important, because one of the kernel's main functions is to control the hardware. It's a whole lot of source code, with more options while building it than you can imagine, but in the end it's just the intermediary between the hardware and the software".

    If this gate (kernel) is not maintained or designed well...then what do we expect on our concern about security?
    Actually, driver code is pretty simple and relatively hard to screw up. It is also not usually where the problems come from in the real world.

    When I ported AOSP to the Motorola Triumph I had to re-write drivers for both the camera and GPS chip, neither of which were in the AOSP build. It didn't take very long and it's really not all that complex.

    (Yes, I'm a kernel developer, although most of what I've done is on FreeBSD rather than Linux.)
    11-08-15 11:58 AM
  13. treo_knight's Avatar
    Good catch - yes my first smartphone was a treo way back when...
    beat you.......I started with the Visor :-)

    Posted via CB10
    11-08-15 12:22 PM