01-14-19 12:13 AM
  1. Matt J's Avatar
    @Bla1ze should do an article on the truth behind BBM privacy and security and put all this to rest.
    01-04-19 03:25 PM
  2. Bla1ze's Avatar
    @Bla1ze should do an article on the truth behind BBM privacy and security and put all this to rest.
    It won't put anything to rest though. There's plenty of already existing articles highlighting the issues and concerns with all the various messaging apps. It'll just end up like BB10 article lol. Some will agree with me, and some will say I should be ashamed of myself as a BlackBerry fan for writing such drivel.

    I like to think BBM does the speaking for itself. Just look at the, arguably, dead weight added into the app these days with no way to remove it or opt out of it if you don't need it. eg: AliPay, etc. Look at all the connections it makes..

    I might still do something with it, mainly because I don't think people are fully aware of the differences between BBM on BB10 and BBM on Android and iOS. When things changed over to Emtek, I don't think people caught what that fully meant. Which is understandable, it wasn't REALLY made clear.
    CmdrStraker and chetmanley like this.
    01-04-19 03:29 PM
  3. Matt J's Avatar
    It'll just end up like BB10 article lol.
    That's a good thing! That BB10 article probably increased website traffic 500%.... !!! If more people knew how insecure BBM was, they might actually decide to upgrade from their BB10 devices so they could actually install something more secure like Signal or WhatsApp.

    A friend of mine that is still clinging on to his BlackBerry Classic is pretty much stuck with BBM and SMS/MMS.... he can't even upgrade to anything secure. If he knew BBM was a security nightmare, he just might get a KEY2.
    01-04-19 03:34 PM
  4. Chuck Finley69's Avatar
    I think BBM is terrible across all platforms. Everything goes through EMTEK now, except BBM Enterprise.

    I honestly think that BBM should not be included on BlackBerry devices anymore.
    BBM for BB10 is through BB and that’s why BBID can’t be transferred back from Emtek to BB10 hardware. What’s the big deal including on BBAndroid phones? If people don’t want to use, don’t log into account or create BBID for Emtek use. BBM for Emtek licensing agreement most likely requires this so it’s revenue for BB to support BBAndroid development. In 2019, overwhelming majority of consumers are choosing the conveniences of Android instead of worrying about the openness of Android participation.
    01-04-19 03:34 PM
  5. Matt J's Avatar
    BBM is a little scary. A while back, random messages were showing up in my chat and then immediately disappearing. The person I was chatting with noticed the same thing.
    01-06-19 05:33 PM
  6. conite's Avatar
    That's a good thing! That BB10 article probably increased website traffic 500%.... !!! If more people knew how insecure BBM was, they might actually decide to upgrade from their BB10 devices so they could actually install something more secure like Signal or WhatsApp.

    A friend of mine that is still clinging on to his BlackBerry Classic is pretty much stuck with BBM and SMS/MMS.... he can't even upgrade to anything secure. If he knew BBM was a security nightmare, he just might get a KEY2.
    Telegram works well on BB10.
    01-06-19 10:29 PM
  7. chetmanley's Avatar
    So does Threema (just no voice)
    01-06-19 10:31 PM
  8. Matt J's Avatar
    I emailed BlackBerry Limited directly regarding BBM security, since EMTEK provided little guidance. Apparently all messages use at least TLS encryption. I wonder what exactly is the "BlackBerry Infrastructure"....? This is the response I received:

    Thank you for contacting BBM Support for BB10/BBOS.

    You can visit the following page for some information regarding how BBM protects messages.

    https://help.blackberry.com/en/bbm-s...549323096.html

    I hope you can find the information found on the page adequate as this is the best information I can provide regarding your concern. Further specific details regarding how security works are known only to our engineers and developers and not readily available even to us, your BBM support team, or the public.

    Thank you again for contacting us.


    Jake2826 likes this.
    01-08-19 08:24 AM
  9. chetmanley's Avatar
    I emailed BlackBerry Limited directly regarding BBM security, since EMTEK provided little guidance. Apparently all messages use at least TLS encryption. I wonder what exactly is the "BlackBerry Infrastructure"....? This is the response I received:
    On BB10 and BBM Enterprise, the BB Infrastructure refers to the servers located at the NOC in Canada.

    For BBM Consumer on Android, the servers are cloud based in Asia and are leased by Emtek.

    As the BBM security note describes, consumer BBM is only TLS encrypted between the device and the NOC/Cloud. Once it hits the NOC or Cloud it is not encrypted.

    On BBOS and BB10 devices the "global encryption key" provided an extra level of protection during transit, including through the NOC. Except BB has this key and was able to decrypt messages at the request of law enforcement.

    So consumer BBM is only secure from MITM attacks or eavesdropping en route because it uses standard TLS. But once it hits the BB NOC or the Emtek Cloud, it can be read by BB or anyone else with access to that server.

    This is where BBM Enterprise comes in, which provides a second encryption layer (or a 3rd in the case of BBOS/BB10 devices on top of the global encryption key).

    This extra layer of encryption protects the message throughout the entire transit, including through the server, to the recipient.
    01-08-19 07:57 PM
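
The layering described in the post above, modelled as an added example that is not part of the original thread and is not BBM's actual cryptography. The mode names, key handling and the HMAC-based stand-in cipher are assumptions made for illustration; the point is who can read a message in each case.

```python
import hashlib, hmac, os
from typing import Optional

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 keystream); illustration only.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return _xor_stream(key, nonce, ct) if hmac.compare_digest(tag, good) else None

GLOBAL_KEY = b"G" * 32  # constructed: one key shared by every device and held by the operator

def observe(mode: str, message: bytes) -> dict:
    """Return what an on-path eavesdropper and the server operator can read."""
    tls_key = os.urandom(32)   # device<->server session key (TLS stand-in)
    e2e_key = os.urandom(32)   # known only to sender and recipient
    if mode == "tls_only":
        inner = message
    elif mode == "global_key":
        inner = seal(GLOBAL_KEY, message)
    elif mode == "end_to_end":
        inner = seal(e2e_key, message)
    else:
        raise ValueError(mode)
    wire = seal(tls_key, inner)            # bytes visible in transit
    on_path = unseal(GLOBAL_KEY, wire)     # eavesdropper lacks tls_key -> None
    at_server = unseal(tls_key, wire)      # TLS terminates at the server
    if mode == "tls_only":
        operator = at_server               # plaintext once TLS is removed
    else:
        operator = unseal(GLOBAL_KEY, at_server)  # works only for the shared key
    return {"on_path": on_path, "operator": operator}

if __name__ == "__main__":
    for m in ("tls_only", "global_key", "end_to_end"):
        print(m, observe(m, b"meet at noon"))
```
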
  10. Matt J's Avatar
    Thanks for the technical explanation!
    01-09-19 07:19 AM
  11. pthfndr's Avatar
    TLS + BlackBerry encryption (3DES), different combination in different cases, but unsecure because of common key for all devices .... https://help.blackberry.com/en/bbm-s...560098144.html
    01-14-19 12:13 AM