[WES51]

I read some comments in another thread that the latest iPhones are supposed to be more secure than BB10 and BB7.

Is that true and does that mean that BB10+BB7 have become rather vulnerable OR are BB10+BB7 still considered adequatley secure.

[Golfdriver97]

Well....sooner or later, it will be. An unsupported OS is insecure.

[Invictus0]

I think BB10 still has certain certifications that other devices don't but iOS is actively developed so any lead will eventually evaporate (if it hasn't already).

[thurask]

BBOS 7 hasn't been updated since like 2013, any bugs and security holes after that point are features.

[eshropshire]

I read some comments in another thread that the latest iPhones are supposed to be more secure than BB10 and BB7.

Is that true and does that mean that BB10+BB7 have become rather vulnerable OR are BB10+BB7 still considered adequatley secure.

iOS has very good security and has many US Government security certifications. The FBI and a lot of the DOD is standardized on iOS devices. Also, Samsung phones with KNOX has US Government security certifications. Considering all of the security vulnerabilities in the last 12 months, none of which have been patched by BlackBerry, I would guess these would invalidate any certifications once held by BB10. I assume any device vulnerable KRACK alone would invalidate certifications.

[thurask]

iOS has very good security and has many US Government security certifications. The FBI and a lot of the DOD is standardized on iOS devices. Also, Samsung phones with KNOX has US Government security certifications. Considering all of the security vulnerabilities in the last 12 months, none of which have been patched by BlackBerry, I would guess these would invalidate any certifications once held by BB10. I assume any device vulnerable KRACK alone would invalidate certifications.

Both of those platforms not only have armies of researchers analyzing them for vulnerabilities, but companies behind them that actively patch them when they're found. BB10 and BBOS have neither.

[Sue-zz]

There are a lot of discussions about this elsewhere in the forums, but at the moment BB10 phones are still in the UK Goverment's 'approved' list for handsets for security-cleared contractors, as long as they are BES managed.

The UK approvals body, steered by GCHQ, is NCSC - National Cyber Security Centre. Android 6+ and iPhones are recognised, with caveats.

There's an 2016 alert for Quadrooter vulnerabilities on the BlackBerry Priv, and eight other Android handsets, for instance, so handsets that don't receive security OS updates or download apps from third-party APK servers are more vulnerable.

The US Gold standard is NIAP certification at higher levels of clearance, which entails MDM management. The BB10 OS has it on some handsets, IoS 11 NIAP certification was in March 2018, with MDM/Wifi caveats.

Privacy is dependent on who you trust with your data. IE: An Outlook app on BB10 ships data off to Wat erloo, Ontario, then to Microsoft servers. Microsoft picks this up with an instant security alert. The question then becomes 'Can I trust BlackBerry and Microsoft with my data?' Well, you have to trust someone.

Apps with permissions on any platform allow app developers access to permitted data unless they are firewalled off. Those developers might be 'security-certified' companies, or Boris in a back-bedroom in the Ukraine.

Most users have no idea where their data is going: many Chinese Android handsets ship off daily data to Shenzen and China Telecom, for instance. BB10 handsets ship [encrypted] logs off to Waterloo, (turn off under Settings/Security/Blackberry software logging and Streaming)

The death of BB10 handsets will push concerned users towards secure Android or IoS phones. Take your pick. If it's Android, try the NetGuard firewall app (Play Store) and enable 'logging'.


NCSC link.

NIAP Link.

[WES51]

Apps with permissions on any platform allow app developers access to permitted data unless they are firewalled off. Those developers might be 'security-certified' companies, or Boris in a back-bedroom in the Ukraine.

I was always wondering about that.

Actually I was wondering if another malicious person can use and exploit such app permission. I assume the answer is 'yes', becasue I assume in a way almost everything is possible, but is that something that is a realistic threat I mean any enrty level hacker can do or more just a theoretical threat so only a very skilled person can do with a lot of time and effort?

Also would someone be somehow able to get my password out of my eMail application that way? Or is that considered relatively secure.

[bb10adopter111]

BB10, Samsung Knox, and iOS are all proven platforms with appropriate certifications and deployments when it comes to security for the OS. (it's likely that BlackBerry Android is on a par with Samsung, but we don't have the same record of certifications to validate that hypothesis.)

Apps are another issue entirely. IOS apps are screened much better than Android, but enterprises that care about security take a "whitelist" approach to apps and only allow ones that have passed rigorous security reviews.

If you're going to download and use apps without careful consideration and review, the OS is the least of your concerns.

Posted with my trusty Z10

[Invictus0]

Actually I was wondering if another malicious person can use and exploit such app permission.

Possibly without it as well,

https://forums.crackberry.com/showth...1#post13165056

[Blackberry Keytwo]

Well, I know that the Canadian government still uses blackberry.

Posted via CB10

[Sue-zz]

Also would someone be somehow able to get my password out of my eMail application that way? Or is that considered relatively secure.

There was a report in 2013 about the BB10 email setup sending passwords in clear text in certain circumstances:

Shortly after the user’s credentials are sent to the RIM server, it will connect back to your configured mail server and authenticate with your IMAP and/or POP credentials. If your mail server is not configured with SSL/TLS, then the credentials will be sent from RIM to your mail server in cleartext.

Note the 'If'. On my 10.3.3 Leap, Outlook auto-configured through the set-up app sets up SSL, though it all goes through Waterloo first.

There are still a lot of cheap-ski email providers with no SSL/TLS.

There's some interesting stuff about chip-off procedures around now. I haven't seen Cellebrite et al claiming they can get into BB10, but they did claim BBOS7 BB's were 'de-cryptable' with chip-off techiques.

It would have to be a determined third-party who could afford Cellebrite's fees though (and have possesion of the handset.)

[anon(10218918)]

Well, I know that the Canadian government still uses blackberry.

Posted via CB10

The German, too.

[bb10adopter111]

There was a report in 2013 about the BB10 email setup sending passwords in clear text in certain circumstances:

Shortly after the user’s credentials are sent to the RIM server, it will connect back to your configured mail server and authenticate with your IMAP and/or POP credentials. If your mail server is not configured with SSL/TLS, then the credentials will be sent from RIM to your mail server in cleartext.

Note the 'If'. On my 10.3.3 Leap, Outlook auto-configured through the set-up app sets up SSL, though it all goes through Waterloo first.

There are still a lot of cheap-ski email providers with no SSL/TLS.

There's some interesting stuff about chip-off procedures around now. I haven't seen Cellebrite et al claiming they can get into BB10, but they did claim BBOS7 BB's were 'de-cryptable' with chip-off techiques.

It would have to be a determined third-party who could afford Cellebrite's fees though (and have possesion of the handset.)

I think this illustrates an important point about BlackBerry security. No phone can create security out of thin air. The underlying system it connects to must also be secure. This is why security is usually the domain of enterprises. Many users aren't willing to secure their systems in the first place.

No one who cares about security would use an email server with ridiculously outdated security. The fact that so many still exist shows how little many people know or care.
Posted with my trusty Z10

[WES51]

There was a report in 2013 about the BB10 email setup sending passwords in clear text in certain circumstances:

Shortly after the user’s credentials are sent to the RIM server, it will connect back to your configured mail server and authenticate with your IMAP and/or POP credentials. If your mail server is not configured with SSL/TLS, then the credentials will be sent from RIM to your mail server in cleartext.

Huh, I simply did not think something like this could even exit these days.
Thanks for the warning and setting it straight!
I have gMail, so I hope this kind of issue is not one that I have to worry about (although there may be other kind of issues).

No one who cares about security would use an email server with ridiculously outdated security. The fact that so many still exist shows how little many people know or care.

It totally makes sense. But I think some people may not know either.
I have to admit for this part this was the case with me too.

[bb10adopter111]

Huh, I simply did not think something like this could even exit these days.
Thanks for the warning and setting it straight!
I have gMail, so I hope this kind of issue is not one that I have to worry about (although there may be other kind of issues).
It totally makes sense. But I think some people may not know either.
I have to admit for this part this was the case with me too.

I agree. Many individual users just want free email and don't consider their security or privacy. But if they don't educate themselves, no one will digit for them.

Posted with my trusty Z10

[Slash82]

I read some comments in another thread that the latest iPhones are supposed to be more secure than BB10 and BB7.

Is that true and does that mean that BB10+BB7 have become rather vulnerable OR are BB10+BB7 still considered adequatley secure.

It comes to the question what you consider as "secure".
That's a big term.

There is no "100% secure system" to start with.
OS10 and OS7 have that "advantage" (in that case) their market share is so low that hackers have almost "0 interest" to find any security holes.
Sure, BlackBerry's OS were made with security at "core feature" from ground up - but there might be any security holes just not found.

Android is different with a market share of +75% and that open source idea makes it double worth it for hackers to attack that platform.

iOS is just right in the middle, their system is more "closed", the AppStore is more "secure" because Apple checks every app for any bad behavior before the release them to the app market.
Also, Apple pushes any security updates first hand to the devices if needed.

So, I'd say OS10 still is little ahead because of it's OS10 built up - but not sure if it still is more secure, because since 2015 no one was actively working on it anymore.
All BlackBerry does is react to any found "security holes" - which won't give a picture of the real world - no one care about BlackBerry's OS anymore. No active "research".

But you should know, that the biggest "security vulnerability" itself is the user.
If you install dubious apps from unknown sources or surf on internet pages like that, use weak passwords or things like that - the most secure device isn't secure.
But from normal day-to-day use I'd say OS10 and iOS are head to head with iOS overtaking BlackBerry 10/7.