1. unical's Avatar
    NSA and allies planned to hijack the Google Play Store to install spyware on smartphones | Android Central
    Don't know why I've to read it at Android Central when Google Play store content is available to BlackBerry users as well.. Somehow CB does not post much news lately..
    Posted via CB10
    Andy_bb_king likes this.
    05-21-15 09:09 AM
  2. pkcable's Avatar
    Could have been covered by CB, but certainly MUCH more appropriate for Android Central. And they ARE our sister site after all.
    05-21-15 09:17 AM
  3. unical's Avatar
    Yes, but not everyone goes to check what's going on there and I see plenty of posts sharing between iMore and Android Central but not CB :P

    Posted via CB10
    05-21-15 09:20 AM
  4. BBPandy's Avatar
    Article says that 3 years ago they planned to infect the play store. Who's to say they haven't implemented those plans since?

    BTW I agree, this should have also been posted on CB not just on our "sister site"

    Not as many articles being posted on CB as on the other sites, probably due to reader levels.

    Posted via CB10
    05-21-15 10:30 AM
  5. Cobalt232's Avatar
    What a nice story. But intercepting the package during download makes no sense.

    Each package is signed with an individual developer signature. If it would be modified during download, it would have to be repacked with the same signature. If not, Play Store would immediately notice this as soon as the package is installed on the device.

    So they would also have to replace the Play Store itself on every device to make this happen.

    On the other hand, you never know what experts are working for the NSA... maybe everything is infected anyway, even Blackberry OS.
    kbz1960 and karswarnava like this.
    05-21-15 10:39 AM
  6. serbanescu's Avatar
    Yeah, like they really need to work behind Google's back ...
    05-21-15 10:40 AM
  7. Cozz4ever's Avatar
    What a nice story. But intercepting the package during download makes no sense.

    Each package is signed with an individual developer signature. If it would be modified during download, it would have to be repacked with the same signature. If not, Play Store would immediately notice this as soon as the package is installed on the device.

    So they would also have to replace the Play Store itself on every device to make this happen.

    On the other hand, you never know what experts are working for the NSA... maybe everything is infected anyway, even Blackberry OS.
    You can modify any Google app while tricking the server authorization keys. BlackBerry uses SHA keys for the code itself causing an impossible hack. Google keys aren't code specific. A worst-case scenario is the server always pushing for an update or never pushing an update.

    Posted via CB10
    05-21-15 10:57 AM
  8. birdman_38's Avatar
    Don't know why I've to read it at Android Central when Google Play store content is available to BlackBerry users as well.. Somehow CB does not post much news lately..
    Maybe Bla1ze didn't want to get the crazed fanboys and privacy freaks all riled up.
    05-21-15 11:14 AM
  9. lnichols's Avatar
    And the NSA couldn't have sent minions over to all the BlackBerry port-o-thons or tried doing the same thing with BlackBerry and Apple app stores? We know the regular BBM and BIS used common keys that could be compromised, and App World is in the same NOC infrastructure as BIS... without BES your BlackBerry is running on a shared infrastructure that is just as secure as others.

    Posted with my Z30
    05-21-15 01:29 PM
  10. Bravurag's Avatar
    NSA and allies planned to hijack the Google Play Store to install spyware on smartphones | Android Central
    Don't know why I've to read it at Android Central when Google Play store content is available to BlackBerry users as well.. Somehow CB does not post much news lately..
    Posted via CB10
    The NSA needs to hijack the Google Play Store?? Wow, it is news to me, I think Google is already owned by the NSA!

     Diplomatic Passport 
    MarsupilamiX and medic22003 like this.
    05-21-15 01:34 PM
  11. Cozz4ever's Avatar
    And the NSA couldn't have sent minions over to all the BlackBerry port-o-thons or tried doing the same thing with BlackBerry and Apple app stores? We know the regular BBM and BIS used common keys that could be compromised, and App World is in the same NOC infrastructure as BIS... without BES your BlackBerry is running on a shared infrastructure that is just as secure as others.

    Posted with my Z30
    From what I understand, the apps were being modified. If that's the case then it's impossible for a BlackBerry app to be modified and still load after.

    Posted via CB10
    thatplaybookguy likes this.
    05-21-15 02:40 PM
  12. lnichols's Avatar
    From what I understand, the apps were being modified. If that's the case then it's impossible for a BlackBerry app to be modified and still load after.

    Posted via CB10
    So I can't side load an app onto my device or install an APK right off the Web? Some nefarious person couldn't be releasing a "leak" with some bar file in it that isn't the one that BlackBerry had in the original leak? With all the side loading and stuff BB10 users are doing now for apps, a lot of things could be happening.

    Posted with my Z30
    05-21-15 02:50 PM
  13. Cozz4ever's Avatar
    So I can't side load an app onto my device or install an APK right off the Web? Some nefarious person couldn't be releasing a "leak" with some bar file in it that isn't the one that BlackBerry had in the original leak? With all the side loading and stuff BB10 users are doing now for apps, a lot of things could be happening.

    Posted with my Z30
    Yes, you can. But what's happening here is not side loading anything but going to the main and trusted store for apps. They're modifying the app as the user downloads it. That won't be possible with a BlackBerry 10 app.

    Posted via CB10
    05-21-15 03:14 PM
  14. Bla1ze's Avatar
    Maybe Bla1ze didn't want to get the crazed fanboys and privacy freaks all riled up.
    Aside from that...

    • BlackBerry 10 didn't even exist at the time. It happened between 2011-2012, meaning it would have only affected a dead OS.. PlayBook OS and if you're still running apps from 2011-2012 on a PlayBook, you have much larger issues. PS: PlayBook never even had Android player until EARLY 2012, it was introduced with the 2.0 update.
    • The Google Play Store isn't even officially supported. Yes, you can install it and have some stuff work NOW but it's still not a mass audience thing. Heck, when this happened it was still called the Android Market lulz.
    • The original report doesn't even mention BlackBerry.
    • The documents don't even mention BlackBerry.
    • The testing of the apps to help prove the data leakage doesn't even mention BlackBerry.
    • The new Google Play measures in place make it all rather pointless outside of defining even further the NSA's reach.
    • Honestly, people downloading random APK files from random shady sites scares me more than any of this no longer really relevant NSA information and barely anyone is freaking out about that.
    • Android apps are sandboxed on BlackBerry 10 (again, non-existent at the time) and react differently when installed and there's 0 proof in ANY of the information given to indicate any of that was bypassed by NSA at the time the testing was taking place and even then, it would all be based on PlayBook OS as noted earlier as that was the only place Android apps were even supported by BlackBerry at that time.

    So, tell me again the relevance here for BlackBerry? Because I'm missing it lol. It would literally be forcing a conversation that BlackBerry has little need to even be mentioned in, plus, people would just be sour I'm bringing BlackBerry into a conversation of very little relevance.
    05-21-15 05:34 PM
  15. vrud's Avatar
    If not, Play Store would immediately notice this as soon as the package is installed on the device.
    How does the Play Store know what is authentic and what was re-signed? Wouldn't it need to communicate with servers and the request be changed by the man-in-the-middle attack?

    Posted via CB10
    Last edited by vrud; 05-21-15 at 09:19 PM.
    05-21-15 08:25 PM
  16. Smitty13's Avatar
    What a nice story. But intercepting the package during download makes no sense.

    Each package is signed with an individual developer signature. If it would be modified during download, it would have to be repacked with the same signature. If not, Play Store would immediately notice this as soon as the package is installed on the device.

    So they would also have to replace the Play Store itself on every device to make this happen.

    On the other hand, you never know what experts are working for the NSA... maybe everything is infected anyway, even Blackberry OS.
    The .apk packages are signed by the developer's key and when you download an app for the first time it gets the developer's public key at the same time (this is called trust-on-first-use security model), and any updates or redownloads are verified against that key. You are correct in bringing this up.

    This security model, however, does not prevent the NSA from MITM (Man-In-The-Middle) attacking first-use downloads. All that would be required is that the proper developer's key is replaced by an NSA-implemented key and you now have a malware-infested app; no need to "replace the Play Store". Anecdotally (sorry, no solid source on this as of yet) people have claimed even these fraudulent apps would verify correctly when trying to call home to the Play Store. If I hear any more on this or proof of concept, I'll surely post it.

    Essentially, this security model is very weak given that an NSA target can be compromised if they install an infected app for the first time or uninstall then reinstall the app.
    05-21-15 09:13 PM
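
The trust-on-first-use behaviour described in post 16 above, as an added example that is not part of the original thread: a toy device-side installer that pins the signer on first install, checks updates against the pin, and forgets the pin on uninstall. `TofuInstaller`, `com.example.app`, the certificate byte strings and the `expected_fp` out-of-band check are hypothetical; validation of the package signature against its embedded certificate is assumed to have already passed.

```python
import hashlib

def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint of a signer certificate."""
    return hashlib.sha256(cert).hexdigest()

class TofuInstaller:
    """Toy installer (hypothetical): models only the pin decision."""

    def __init__(self):
        self.pins = {}  # package name -> pinned signer fingerprint

    def install(self, name, signer_cert, expected_fp=None):
        fp = fingerprint(signer_cert)
        pinned = self.pins.get(name)
        if pinned is not None:
            # Update or re-download: signer must match the pinned one.
            return "updated" if fp == pinned else "rejected: signer changed"
        if expected_fp is not None and fp != expected_fp:
            # Assumed mitigation: a fingerprint learned over a separate
            # channel is checked before the first pin is created.
            return "rejected: out-of-band fingerprint mismatch"
        self.pins[name] = fp  # first use: whatever signer arrives is pinned
        return "installed: pinned on first use"

    def uninstall(self, name):
        self.pins.pop(name, None)  # the pin is forgotten with the app

# Constructed sample certificates (placeholders, not real keys).
DEV_CERT = b"constructed-developer-cert"
OTHER_CERT = b"constructed-substituted-cert"

def demo():
    device = TofuInstaller()
    results = [
        device.install("com.example.app", DEV_CERT),    # first install
        device.install("com.example.app", OTHER_CERT),  # update, wrong signer
    ]
    device.uninstall("com.example.app")
    # Reinstall after uninstall is a new "first use": no pin to compare against.
    results.append(device.install("com.example.app", OTHER_CERT))
    fresh = TofuInstaller()
    # First install checked against a fingerprint obtained out of band.
    results.append(fresh.install("com.example.app", OTHER_CERT,
                                 expected_fp=fingerprint(DEV_CERT)))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```
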
  17. medic22003's Avatar
    There would be no hijacking. Google and the government are birds of a feather. Google might as well be another spy agency.

    Posted via CB10
    05-21-15 09:33 PM
  18. THBW's Avatar
    So I can't side load an app onto my device or install an APK right off the Web? Some nefarious person couldn't be releasing a "leak" with some bar file in it that isn't the one that BlackBerry had in the original leak? With all the side loading and stuff BB10 users are doing now for apps, a lot of things could be happening.

    Posted with my Z30
    Ah yes, when one's argument falls to pieces, distract them with the old side load argument. Nice try.


    Posted via CB10
    05-21-15 11:18 PM
  19. gimmi786's Avatar
    What the Heck!!!??? That was 3 years ago.... imagine what they are up to Right now???

    Posted via CB10
    05-22-15 09:23 AM
  20. birdman_38's Avatar
    Just take a deep breath. It is a phone company.
    See, this is BlackBerry's problem... the perception that they're a "phone company". They're not.
    05-22-15 10:57 AM
  21. grover5's Avatar
    See, this is BlackBerry's problem... the perception that they're a "phone company". They're not.
    Poor choice of words. No need to take it further than that.

    Posted via the CrackBerry App for Android
    05-22-15 11:02 AM
  22. birdman_38's Avatar
    TH was the last Blackberry CEO that actually tried to make BB a success in the mobile handset market, once he left it was game over for BB10.
    Heins also had free rein plus a multi-billion dollar pool of resources to attempt to make BB10 a success. Chen relies on much less than that.
    05-22-15 11:03 AM
  23. lnichols's Avatar
    Heins also had free rein plus a multi-billion dollar pool of resources to attempt to make BB10 a success. Chen relies on much less than that.
    He had the same amount of cash available as Chen has had. Heins did most of the personnel cuts before Chen got there. In fact Heins may have had a worse financial situation because he had to make sure that they had the money to implement the CORE program that was the personnel reduction. Heins was also handed the Z10 which the hardware was ready for a summer 2012 launch, and the software wasn't ready for even the January 2013 launch. Passport was developed under Heins. Chen has two phones that are his: Classic and Leap.

    I have no love for Heins, but he was handed a bad deck of cards. Chen has done nothing yet that I feel is good for the customer base, he is purely focused on the shareholders IMHO.

    Posted with my Z30
    Phone Guy 4567 likes this.
    05-22-15 12:11 PM
  24. Ecm's Avatar
    This thread had no relevance to BlackBerry to begin with and has gone further off the rails from there. Time to call it quits.
    pkcable likes this.
    05-22-15 08:18 PM
