02-10-14 02:40 AM
  1. dicks-webos's Avatar
    News came out today that 10.2.1.537 has a bug where, when the policy is set to not allow apps access to the address data, any Android app can still access it.

    BlackBerry said they know about it and will be issuing an update...

    In German: Peinliches Loch in BlackBerrys Geschäftsdaten-Tresor | heise online
    Rjinswand likes this.
    02-05-14 01:16 AM
  2. Elite1's Avatar
    Interesting. Have a link to BBRY's response?

    I guess this only affects BES users.
    02-05-14 02:30 AM
  3. Rjinswand's Avatar
    Interesting. Have a link to BBRY's response?

    I guess this only affects BES users.
    There's a quote from BlackBerry in the article:
    "We have investigated an issue in the Android player involving specific app permissions, and we have addressed it in our latest software builds. We will work with our carrier partners to help ensure the update is available to customers."

    Yes, this is only relevant to BES users. It basically states that there is a bug in one BES policy which manages the app access to contact info on the mobile.
    One can choose between allowing all apps access to contact data (name and phone number) stored in the business part, allowing only native apps access to it, or none at all. Setting it to the second option grants Android apps access, too, atm. But they fixed it and are waiting for the carriers to make the update available.
    Last edited by Rjinswand; 02-05-14 at 03:17 PM.
    Superfly_FR, serbanescu and vrud like this.
    02-05-14 03:02 AM
  4. lnichols's Avatar
    Awesome, so glad it went through stringent carrier testing.

    Posted via CB10
    southlander, jpvj and axllebeer like this.
    02-05-14 06:58 AM
  5. grahamf's Avatar
    Awesome, so glad it went through stringent carrier testing.

    Posted via CB10
    Yeah, you would think they would check the combination of locked down access to contacts with completely open access to officially unsupported applications.

    or does this include Android apps in BBW?
    02-05-14 09:36 AM
  6. Gerii's Avatar
    According to the report it includes all Android apps.
    However two comments point out that it only happens when this setting is set to only allow BlackBerry apps to access contacts. It doesn't seem to happen if it is set to none according to them.

    Posted via CB10
    vrud likes this.
    02-05-14 03:09 PM
  7. webbert's Avatar
    Posted via CB10
    02-05-14 03:15 PM
  8. ssbtech's Avatar
    I'm confused about this. I didn't think you had any control over what content Android apps accessed? You either accepted all the required permissions or didn't use the app.
    02-05-14 05:50 PM
  9. Rjinswand's Avatar
    You get more options when using BES. Or more likely: Your BES administrator gets more options. In this case, more options for managing access to the business part, which is not present at non-BES connected devices.

    If you are a consumer without BES this is of no relevance to you at all and you're right: We can only accept all permissions an Android app asks for or none at all, which is kinda annoying.
    02-06-14 01:14 AM
  10. chasdrury's Avatar
    I can't recreate this leak in my BES environment - can anyone else?
    02-06-14 04:15 AM
  11. Prem WatsApp's Avatar
    You get more options when using BES. Or more likely: Your BES administrator gets more options. In this case, more options for managing access to the business part, which is not present at non-BES connected devices.

    If you are a consumer without BES this is of no relevance to you at all and you're right: We can only accept all permissions an Android app asks for or none at all, which is kinda annoying.
    This will get fixed. Permissions whack-a-mole is no fun.

    iPhone for me? Scr... ahem Q that! (posted from the latter)
    02-06-14 04:21 AM
  12. Superfly_FR's Avatar
    What we're looking at is how fast the correction will be ready and available among all BES10 installations.
    ... 3 ... 2 ... 1 ...
    Wondering if they have to patch devices and/or BES10 policy rules and if they have to update via carrier OTA or if it'll be pushed by BES servers. Let's see security in action. If < 3 working days, this may turn a flaw into demonstration of strength. Be it !!!

    (P.S: still wondering why direct android install was not marketed ?)
    Last edited by Superfly_FR; 02-06-14 at 06:30 AM.
    02-06-14 06:07 AM
  13. Sith_Apprentice's Avatar
    I can't recreate this leak in my BES environment - can anyone else?
    Yes I can. Use the Go Launcher Ex app and it works no matter what the settings in your IT policy, work space locked or unlocked, etc. This means android apps have access to work perimeter. In BES 10.2 you can disallow installation from non BlackBerry sources, so I am going to set that and see if I can effectively block third party APK installation. I also need to test to see if this will remove any installed apps currently, but I doubt it seriously. This doesn't obviously help anything in BB World. Next step would be to turn on advanced data at rest encryption, and see if that prevents the app from reading contacts. Also not sure if this would have any success.
    Superfly_FR likes this.
    02-06-14 06:33 AM
  14. Sith_Apprentice's Avatar
    Yes I can. Use the Go Launcher Ex app and it works no matter what the settings in your IT policy, work space locked or unlocked, etc. This means android apps have access to work perimeter. In BES 10.2 you can disallow installation from non BlackBerry sources, so I am going to set that and see if I can effectively block third party APK installation. I also need to test to see if this will remove any installed apps currently, but I doubt it seriously. This doesn't obviously help anything in BB World. Next step would be to turn on advanced data at rest encryption, and see if that prevents the app from reading contacts. Also not sure if this would have any success.
    Test 1 (Blocking third party installation) - Does not remove previously installed applications, nor does it block anything already in App World.
    Test 2 (Advanced Data at Rest Protection) - Only with Work Space locked is this applied. Does not help, Contacts are still in the launcher app (even though they are supposed to be separately encrypted)
    Test 3 (Personal Apps access to Work Contacts) - Set to None. No result
    Test 4 (Changing Work Space password to something other than Device password) - Does not work
    Superfly_FR and jpvj like this.
    02-06-14 06:50 AM
  15. Gerii's Avatar
    Are you sure the launcher hasn't cached anything from your previous tests?

    Posted via CB10
    morganplus8 likes this.
    02-06-14 07:10 AM
  16. Superfly_FR's Avatar
    Test 1 (Blocking third party installation) - Does not remove previously installed applications, nor does it block anything already in App World.
    Test 2 (Advanced Data at Rest Protection) - Only with Work Space locked is this applied. Does not help, Contacts are still in the launcher app (even though they are supposed to be separately encrypted)
    Test 3 (Personal Apps access to Work Contacts) - Set to None. No result
    Sith, from your experience, do you think the update is server/device/both side ?
    If server and device, can BES push it ?
    thx
    02-06-14 07:21 AM
  17. FOR RIM's Avatar
    BlackBerry said this about this bug: “We have investigated an issue in the Android app player involving specific permissions, and we have addressed it in our latest software build. We will work with our carrier partners to help ensure the update is available to customers.”
    02-06-14 07:25 AM
  18. Sith_Apprentice's Avatar
    Are you sure the launcher hasn't cached anything from your previous tests?

    Posted via CB10
    I create a test contact each time
    02-06-14 07:27 AM
  19. Sith_Apprentice's Avatar
    Sith, from your experience, do you think the update is server/device/both side ?
    If server and device, can BES push it ?
    thx
    My guess, and purely a guess, is that the Android runtime, being a signed BB app, is considered part of the OS and has access it shouldn't. This would have to be changed, if it isn't a fundamental part of the android runtime.
    02-06-14 07:29 AM
  20. Sith_Apprentice's Avatar
    One thing I did not do is remove the app, reboot, and reinstall the app to see if the changes (blocked the install turned back OFF) have any effect. If you remove and reinstall the app, with no reboot, the app data is most definitely cached somewhere on the device. (doesn't explain the test contacts that I created). So I am going to clear that cache if possible, reinstall, with work space locked, and see what happens.
    02-06-14 07:33 AM
  21. Sith_Apprentice's Avatar
    BlackBerry said this about this bug: “We have investigated an issue in the Android app player involving specific permissions, and we have addressed it in our latest software build. We will work with our carrier partners to help ensure the update is available to customers.”
    This is not a bug, this is a full blown vulnerability. Android apps, at no time, are supposed to have access to the work space. Work space does not even have an android runtime (from what BB has said). If an app can access simple contacts, who is to say it doesn't touch the work environment, or VPN connections, or messages, or encryption keys, etc etc etc etc.

    This is enough to block rollouts for many agencies, and should concern any company with BES10.
    93Aero likes this.
    02-06-14 07:36 AM
  22. Jimberry Storm's Avatar
    Awesome, so glad it went through stringent carrier testing.

    Posted via CB10
    Yes and now it has to do the same apparently useless test
    02-06-14 07:48 AM
  23. Superfly_FR's Avatar
    My guess, and purely a guess, is that the Android runtime, being a signed BB app, is considered part of the OS and has access it shouldn't. This would have to be changed, if it isn't a fundamental part of the android runtime.
    I smell a more basic opened door ... 100% guessing too.
    02-06-14 07:49 AM
  24. Superfly_FR's Avatar
    Yes and now it has to do the same apparently useless test
    Carriers don't test this.
    02-06-14 07:49 AM
  25. imcurved's Avatar
    When it comes to a BES issue, you bet it'll be quickly addressed

    ? CB10 ?
    02-06-14 07:54 AM