1. zar1964's Avatar
    After reading this on Cnet, I'm glad I have a Blackberry....

    When good Android apps go bad -- a security lesson | Security & Privacy - CNET News
    07-20-12 06:01 PM
  2. morlock_man's Avatar
    Reminds me of the H-series antihack performed by DirecTV back in 2000.

    DirecTV's Secret War On Hackers - Slashdot
    fanatical and SnoozerBold like this.
    07-20-12 06:13 PM
  3. howarmat's Avatar
    pretty sneaky little trick
    07-20-12 06:26 PM
  4. madman0141's Avatar
    My God man doesn't iPad run this...impossible!!!! This is just another lie, iPad is the best....OK....OK...sorry I couldn't keep a straight face.
    07-20-12 06:46 PM
  5. westcoastit's Avatar
    My God man doesn't iPad run this...impossible!!!! This is just another lie, iPad is the best....OK....OK...sorry I couldn't keep a straight face.
    What? No, iPads don't have anything to do with Google's Play Android marketplace or Google's Bouncer system.
    07-20-12 07:20 PM
  6. SnoozerBold's Avatar
    Reminds me of the H-series antihack performed by DirecTV back in 2000.

    DirecTV's Secret War On Hackers - Slashdot
    Ahhh the good old days. I miss doing that stuff. It was more fun than watching the actual tv.
    07-20-12 08:47 PM
  7. Knightcrawler's Avatar
    Someone should post this article on the BGR story about why BB10 should switch to Android lol.
    fanatical and BBPandy like this.
    07-20-12 08:59 PM
  8. Knightcrawler's Avatar
    Reminds me of the H-series antihack performed by DirecTV back in 2000.

    DirecTV's Secret War On Hackers - Slashdot
    This was the absolute best part of that article:

    To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER".
    hahah pure class.
    07-20-12 09:15 PM
  9. Aguilucho's Avatar
    I feel bad for Android users who use their phone to make payments or have sensitive information on their phone. I ask myself this question: when are consumers going to take security very seriously? I always do. That is why I chose BlackBerry and I'll be waiting on line for the BB10 phone. BLACKBERRY, THE BEST IN SECURITY.
    fanatical, zar1964, bk1022 and 3 others like this.
    07-21-12 12:23 AM
  10. fanatical's Avatar
    What? Another security flaw in Android? WOW, I never would have guessed... Something tells me this won't be the last either.

    But really, as long as Google is still able to manipulate their users to generate more ad revenue, it's all good....

    Who cares about security anyway!! Android users can get their free ad/virus laden apps, and Google can keep collecting their pennies.... all's good..... Right???
    bk1022 and calicocat2010 like this.
    07-21-12 10:40 PM
  11. ssbtech's Avatar
    Why wouldn't the same trick be possible on the BlackBerry platform?
    howarmat likes this.
    07-22-12 01:05 PM
  12. DjDante's Avatar
    Why wouldn't the same trick be possible on the BlackBerry platform?
    Good question...
    What area of the phone are apps allowed access to? I believe all. So it may be possible.
    07-22-12 06:37 PM
  13. Branta's Avatar
    At a theoretical level this kind of attack could impact any software, on any platform. In the hands of an intelligent user the relatively granular permissions settings should put BlackBerry amongst the more resistant systems, but in the hands of the average "just ignore the message and click OK" user... game over!

    As always the greatest vulnerability is the human element, the seat-keyboard interface which fails to consider the risks involved with software from an unknown developer.
    There is no such thing as a "free lunch" and the developer will usually seek to recover the cost of development one way or another. It may be in-app advertising, it may be direct charges to the user, or in a few unscrupulous cases it may be by data-mining the device and misusing or selling the user's data.

    I am amazed that we still see relatively trivial (declared functionality) applications which will only run with "Allow All" security settings which are far in excess of any rational requirement - and users are still surprised when they get scammed after explicitly approving global permissions without a second glance. They wouldn't grant such freedom on a PC so why do they do it on a smartphone?
    louzer, hpjrt, Cesare21 and 2 others like this.
    07-22-12 06:39 PM
  14. morlock_man's Avatar
    The current Blackberry platform?

    It's possible.

    The QNX platform?

    Here's a quote from their own website:

    Q: What does the QNX Neutrino RTOS do to ensure security?
    A: The QNX Neutrino RTOS is an exceptionally secure operating system by design. Its microkernel architecture along with a high availability framework, adaptive partitioning, and Common Criteria certification are all the right ingredients for building a secure product. See the whitepaper on building secure, fault-tolerant systems.

    Q: What about viruses and other malware?
    A: Viruses are a desktop computing phenomenon that is unusual in embedded devices. While the QNX Neutrino RTOS does have desktop components, there are currently no documented cases of a virus specifically designed for it. This, along with the fact that the RTOS supports a fully POSIX-compliant user-privilege model, robust design fundamentals, and fault tolerance, makes a virus attack on it unlikely. There are no existing virus or malware scanners for the QNX Neutrino RTOS and QNX Software Systems does not anticipate a need for these types of products.

    Q: We’re planning to enable the user to download arbitrary JAVA apps from untrusted sources. What can we do to prevent these apps from harming the system?
    A: The best solution for dealing with virtual machines, such as a Java runtime, is to isolate the virtual machine (VM) process into its own adaptive partition. This way, the VM can get access to as many CPU cycles as needed but never more than its budget when the CPU is fully loaded. If, for some reason, an application goes into an infinite loop or tries to hog all of the available CPU, it will be throttled back to the partition's budget. Using a secure partition in this way ensures downloadable Java applications can never interfere with the rest of the system.
    It's interesting that the untrusted Java app solution seems very similar to the current Android solution.

    I wonder if Android malware would function on the Playbook as intended at all.
    07-22-12 09:10 PM
  15. raino's Avatar
    Why wouldn't the same trick be possible on the BlackBerry platform?
    If the trick you refer to is apps asking for unnecessary permissions/overstepping their functionality, it DOES happen on the BlackBerry platform, although not with the nefarious end goal of malware dropping. I have at least 4 apps right now asking for unnecessary (i.e. not needed to run) permissions at every reboot. At the very least, one app tries to get me to write a review, and others like Jaredco straight up spam your email account.

    So, as Branta said, the human element is a big factor. I spent a good 20-30 minutes modifying permissions for ALL my third party apps, and I was really surprised at how many apps had free rein on my phone. But who takes the time to go back and look at permissions?
    07-22-12 09:31 PM
  16. bbmme's Avatar
    That's scary, even though I'm not an important person. I still care about my security eh
    07-22-12 09:42 PM
  17. bk1022's Avatar
    If the trick you refer to is apps asking for unnecessary permissions/overstepping their functionality, it DOES happen on the BlackBerry platform, although not with the nefarious end goal of malware dropping. I have at least 4 apps right now asking for unnecessary (i.e. not needed to run) permissions at every reboot. At the very least, one app tries to get me to write a review, and others like Jaredco straight up spam your email account.

    So, as Branta said, the human element is a big factor. I spent a good 20-30 minutes modifying permissions for ALL my third party apps, and I was really surprised at how many apps had free rein on my phone. But who takes the time to go back and look at permissions?
    Maybe app submitters should have to pay RIM to vet the permissions they are asking for. As well, the end client should see the explanation provided to RIM... That would be wonderful.
    07-22-12 11:06 PM
  18. raino's Avatar
    Maybe app submitters should have to pay RIM to vet the permissions they are asking for. As well, the end client should see the explanation provided to RIM... That would be wonderful.
    I'd be happy with a one line explanation as to why the app needs a specific permission it asks for. An average user does not (and cannot be expected to) know what "organizer data", "security timer reset" permissions are, and a blind approve-all is obviously not the way to go.
    07-22-12 11:51 PM
  19. Branta's Avatar
    I'd be happy with a one line explanation as to why the app needs a specific permission it asks for. An average user does not (and cannot be expected to) know what "organizer data", "security timer reset" permissions are, and a blind approve-all is obviously not the way to go.
    Most of the "Allow All" apps running on BlackBerry are due to a programmer too ignorant or too lazy to configure only the essential permissions. In most cases the app never needs them, never even bothers to check permissions, and will still work if the user forces more acceptable settings.

    A minority will be deliberately set with malicious intent - like the notorious JaredCo apps which raid the user's personal data to send spam. In these cases the app either checks and demands wider permission before it will even load, or the undesirable functions may fail with or without an error message. Unfortunately the average user is conditioned to granting whatever the app demands. After all... I wouldn't be stupid enough to install malware... I paid for it and I want it to work...
    raino likes this.
    07-23-12 04:23 AM
  20. Branta's Avatar
    The current Blackberry platform?

    It's possible.

    The QNX platform?

    Here's a quote from their own website:



    It's interesting that the untrusted Java app solution seems very similar to the current Android solution.

    I wonder if Android malware would function on the Playbook as intended at all.
    The QNX quote suggests it may be difficult for a true virus to impact the core OS - and it should certainly be difficult to achieve without human intervention. However these mechanisms would do absolutely nothing to prevent the user actively installing a trojan style malicious application, and granting all necessary permissions for undesirable activity.

    As always when security is considered, if the human (malicious or stupid) has uncontrolled physical access to the hardware it is almost impossible to ensure continued security.
    07-23-12 04:29 AM
  21. mikeo007's Avatar
    Maybe app submitters should have to pay RIM to vet the permissions they are asking for. As well, the end client should see the explanation provided to RIM... That would be wonderful.
    They used to do something like this by charging for the code signing keys. To access any functions that needed access rights, you needed to purchase and sign your code with keys from RIM. This drove away quite a few devs, so the keys are (for now) free.
    07-23-12 07:41 AM
  22. morlock_man's Avatar
    The QNX quote suggests it may be difficult for a true virus to impact the core OS - and it should certainly be difficult to achieve without human intervention. However these mechanisms would do absolutely nothing to prevent the user actively installing a trojan style malicious application, and granting all necessary permissions for undesirable activity.

    As always when security is considered, if the human (malicious or stupid) has uncontrolled physical access to the hardware it is almost impossible to ensure continued security.
    The QNX processes are more transparent to the kernel than those of a monolithic kernel. One would hope that RIM has the common sense to have some sort of watchdog process that knows how to identify common traits of malware-infested apps.
    07-23-12 11:47 AM
  23. raino's Avatar
    The QNX processes are more transparent to the kernel than those of a monolithic kernel. One would hope that RIM has the common sense to have some sort of watchdog process that knows how to identify common traits of malware-infested apps.
    TBH, I've never heard of a malware problem on BBs. Only issue, at least for me, has been apps that seek more than necessary permissions, and then go on to abuse them.

    I don't really see this permission problem being addressed by any OS. It's more of a developer education and accountability issue. When an app is submitted, I'm sure RIM asks for price, description, screenshots etc--they should just add another question about what permissions are asked for, and why (in terms understandable to the end user.)
    07-23-12 11:58 AM
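As an added illustration of the submission-time review that raino and bk1022 propose above (and of Branta's point about blanket "Allow All" grants), here is a small Python check; it is example code written for this page, not anything from RIM, App World or any poster. The permission names, app categories and the baseline mapping are constructed assumptions, not real BlackBerry identifiers.

```python
# Added example: a hypothetical store-side permission review. An app submission
# declares a category and, per permission, the developer's one-line explanation
# meant for the end user. The reviewer flags blanket grants, permissions with no
# explanation, and permissions outside a constructed per-category baseline.
# Category names, permission names and the baseline are assumptions for this
# example; a real store would publish its own.

EXPECTED_BY_CATEGORY = {
    "flashlight": set(),
    "email_client": {"email", "internet", "organizer data"},
    "calendar": {"organizer data"},
}

ALLOW_ALL = "allow all"   # the blanket grant the thread objects to


def review_permissions(category, requested):
    """Return a list of human-readable findings for one app submission.

    `requested` maps each permission name to the developer's justification
    (empty string when none was supplied). An empty list means no concerns.
    """
    findings = []
    baseline = EXPECTED_BY_CATEGORY.get(category)
    if baseline is None:
        # Cannot judge scope without a baseline; say so rather than silently pass.
        findings.append("unknown category: cannot judge permission scope")
        baseline = set()

    if ALLOW_ALL in requested:
        findings.append("blanket 'Allow All' requested; reject and require itemised permissions")

    for perm, why in sorted(requested.items()):
        if perm == ALLOW_ALL:
            continue  # already reported above
        if not why.strip():
            findings.append(f"{perm}: no end-user explanation given")
        if perm not in baseline:
            findings.append(f"{perm}: outside the baseline for a {category} app; needs review")
    return findings


if __name__ == "__main__":
    # Constructed submission: a calendar app that also wants email access.
    sample = {"organizer data": "shows your appointments", "email": ""}
    for line in review_permissions("calendar", sample):
        print(line)
```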