02-10-14 03:40 AM
  1. Sith_Apprentice's Avatar
    Ok, bit of an update.


    Application Go Launcher Ex was installed, with work space locked, personal and work sides different encrypted, work side with advanced DAR, work space different password, and turning off installation from other sources (as the app was already installed). NO work contacts were picked up by the Application.

    I closed the app, unlocked the work space, and launched the app again. No contacts were pulled from the work side.

    Deleted the app, reinstalled from the APK on the device (turned back on third party install toggle, no reboot).

    Opened the app with Work Space unlocked, no contacts were pulled into the app.


    The weird part, it was syncing my contacts with the work side prior, when the passwords were the same, advanced DAR was not set, and personal side was not encrypted. Here is my recommendation for IT policy:

    Rule | Value | Description
    Wireless Service Provider Billing | Disallow | Specify whether a BlackBerry device user can purchase applications from the ...
    Mobile Hotspot Mode and Tethering | | Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth ...
    Roaming | | Specify whether a BlackBerry device can use data services over the wireless ...
    Hotspot WPA2-Personal Security Type | Yes | Specify whether a BlackBerry device must use the WPA2-Personal security type to ...
    Transfer Work Files Using Bluetooth OPP | | Specify whether a BlackBerry device can send work files and objects such as ...
    Transfer Work Contacts Using Bluetooth PBAP or HFP | | Specify whether a BlackBerry device can send work contacts to another Bluetooth ...
    Transfer Work Messages Using Bluetooth MAP | | Specify whether a BlackBerry device can send messages from the work space (for ...
    Location Services | | Specify whether a BlackBerry device can provide its geographic location to apps ...
    Wi-Fi | | Specify whether a BlackBerry device can make Wi-Fi connections. If you set this ...
    NFC | | Specify whether a BlackBerry device can use NFC. If you set this rule to ...
    Camera | | Specify whether a BlackBerry device can use the camera. If you set this rule to ...
    HDMI | | Specify whether a BlackBerry device can use the HDMI port. If you set this rule ...
    Bluetooth | | Specify whether a BlackBerry device can use Bluetooth technology. If you set ...
    Enforce Minimum Bluetooth Passkey Length | | Specify whether a BlackBerry device can connect to another Bluetooth enabled ...
    Enforce Bluetooth Secure Simple Pairing Numeric Comparison | | Specify whether a BlackBerry device must use the numeric comparison mode if the ...
    Bluetooth AVRCP | | Specify whether a BlackBerry device can use the Bluetooth AVRCP. A device can ...
    Bluetooth A2DP | | Specify whether a BlackBerry device can use the Bluetooth A2DP. A device can ...
    Bluetooth PAN Profile | | Specify whether a BlackBerry device can use the Bluetooth PAN profile. A device ...
    Bluetooth File Transfer Using OBEX | | Specify whether a BlackBerry device can exchange files with other supported ...
    Bluetooth Contacts Transfer Using PBAP | | Specify whether a BlackBerry device can exchange Contacts data with other ...
    Bluetooth Discoverable Mode | | Specify whether a BlackBerry device can use Bluetooth Discoverable mode. A ...
    Bluetooth SPP | | Specify whether a BlackBerry device can use the Bluetooth SPP. If you set this ...
    Bluetooth HFP | | Specify whether a BlackBerry device can use the Bluetooth HFP. A device can use ...
    Bluetooth Pairing | | Specify whether a BlackBerry device can connect to another Bluetooth enabled ...
    Bluetooth MAP | | Specify whether a BlackBerry device can use the Bluetooth MAP. A device can use ...
    Minimum Bluetooth Encryption Key Length | | Specify the minimum encryption key length that a BlackBerry device uses to ...
    Transfer Work Messages Using Bluetooth MAP Without Prompt | | Specify whether a user can transfer work messages to a Bluetooth enabled device ...
    Transfer Work Data Using NFC | | Specify whether a BlackBerry device can send work data to another NFC-enabled ...
    Password Required for Work Space | Yes | Specify whether a device using BlackBerry Balance technology requires a ...
    Apply Work Space Password to Full Device | No (default) | Specify whether a BlackBerry device applies the work space password to the full ...
    Minimum Password Length | 8 | Specify the minimum length of the work space password. If you do not set a ...
    Minimum Password Complexity | At least 1 uppercase letter, 1 lowercase letter, 1 number, and 1 special character | Specify the minimum complexity of the work space password on the BlackBerry ...
    Security Timeout | 15 minutes | Specify the maximum number of minutes of BlackBerry device user inactivity that ...
    Maximum Password Attempts | 10 | Specify the number of times that a BlackBerry device user can enter an ...
    Maximum Password History | 3 | Specify the maximum number of previous passwords that a BlackBerry device ...
    Maximum Password Age | 90 | Specify the maximum number of days that can elapse before a BlackBerry device ...
    Wipe the Work Space Without Network Connectivity | | Specify the time in hours that must elapse without a BlackBerry device ...
    Personal Space Data Encryption | Yes | Specify whether data encryption is turned on for the personal space of a ...
    Network Access Control for Work Apps | | Specify whether work apps on a BlackBerry device must connect to your ...
    Two-Factor Encryption Key Generation | | Specify whether a BlackBerry PlayBook tablet bases the encryption key on the ...
    Restrict Development Mode | Yes | Specify whether development mode is restricted for BlackBerry device users. ...
    Work Domains | Company.com | Specify a list of domain names that a BlackBerry device identifies as work ...
    Work Network Usage for Personal Apps | | Specify whether personal apps on a BlackBerry device can use your ...
    Share Work Data During BBM Video Screen Sharing | | Specify whether a BlackBerry device user can share work data on a device using ...
    Personal Apps Access to Work Contacts | None | Specify whether personal apps can access required data for work contacts on a ...
    Media Card Encryption | | Specify whether a BlackBerry device must encrypt all data on the media card ...
    WebGL | | Specify whether a BlackBerry PlayBook tablet can use WebGL in the browser. If ...
    Backup and Restore Work Space | Disallow | Specify whether a BlackBerry device user can back up and restore the apps and ...
    Voice Control | | Specify whether a BlackBerry device user can use the voice control commands on ...
    Voice Dictation in Work Apps | | Specify whether a BlackBerry device user can use voice dictation in work apps. ...
    Work App Access to Shared Files or Content in the Personal Space | Disallow | Specify whether work apps on a BlackBerry device can access shared files or ...
    Media Card | | Specify whether a BlackBerry device can access the media card. If you set this ...
    Computer Access to Device | Disallow | Specify whether a computer can access content on a BlackBerry device using a ...
    Smart Card Password Caching | Required | Specify whether a BlackBerry device can cache the smart card password. If you ...
    Smart Password Entry | | Specify whether a BlackBerry device can use smart password entry with ...
    Lock on Smart Card Removal | | Specify whether a BlackBerry device locks when a user removes the smart card ...
    Maximum Bluetooth Range | | Specify the maximum power range that a BlackBerry Smart Card Reader uses to ...
    PIN Entry Mode | Numeric (default) | Specify the PIN entry mode that is required when a BlackBerry Smart Card Reader ...
    BlackBerry Bridge | | Specifies whether a BlackBerry 10 smartphone can use a BlackBerry PlayBook ...
    Application Security Timer Reset | Disallow | Specify whether apps can reset the security timer on a BlackBerry device to ...
    Voice Dictation | | Specify whether a BlackBerry device user can use voice dictation on a device. ...
    Wipe the Device Without Network Connectivity | | Specify the time in hours that must elapse without a BlackBerry device ...
    Backup and Restore Device | | Specify whether a BlackBerry device user can back up and restore the apps and ...
    Assign Two-Factor Authentication for Work | | Specify whether a BlackBerry device user can use two-factor authentication only ...
    Two-Factor Authentication Only for Work Space | | Specify whether a BlackBerry device user can use two-factor authentication only ...
    Advanced Data at Rest Protection | Yes | Specify whether the work space on a BlackBerry device must use advanced data at ...
    Advanced Data at Rest Protection Timeout | | Specify the number of minutes after the work space locks that the BlackBerry ...
    Two-Factor Authentication for Advanced Data at Rest Protection | | Specify whether two-factor authentication must be used to protect the ...
    Development Mode Access to Work Space | Disallow (default) | Specify whether development mode can be used to allow software development ...
    SMS/MMS Signature | | Specify the signature (for example, a web address or a short disclaimer) that ...
    Lock Screen Preview of Work Content | | Specify whether a BlackBerry device displays a preview of work content on the ...
    IRM-Protected Email Messages | | Specify if a BlackBerry device user can read IRM-protected messages. If you set ...
    Owner Information | | Specify the owner information or a disclaimer message that a BlackBerry device ...
    Unified View for Work and Personal Accounts and Messages | | Specify whether the BlackBerry Hub displays work and personal accounts and ...
    BBM Video Access to Work Network | | Specify whether the BBM Video feature on a BlackBerry device can use your ...
    joyn | Disallow | Specify whether a BlackBerry device can use the joyn app to send Rich ...
    SMS/MMS | | Specify whether a BlackBerry device can send SMS text messages and MMS ...
    PIN Messages | | Specify whether a BlackBerry device can send and receive PIN messages. If you ...
    BBM | | Specify whether the BBM app is available on a BlackBerry device. If you set ...
    User-Created VPN Profiles | | Specify whether a BlackBerry device user can create VPN profiles on a device. ...
    Media Sharing | Disallow | Specify whether a BlackBerry device can share music, pictures, and videos over ...
    YouTube for BlackBerry Devices | | Specify whether a BlackBerry device can use the YouTube for BlackBerry devices ...
    Other Email Messaging Services | | Specify whether a BlackBerry device can use email messaging services other than ...
    BBM Video/BBM Voice | | Specify whether a BlackBerry device can use the BBM Video and BBM Voice ...
    Wireless Software Updates | | Specify whether a BlackBerry device can download BlackBerry Device Software ...
    BlackBerry Protect | | Specify whether a BlackBerry device can use BlackBerry Protect. If you set this ...
    Hotspot Browser | | Specify whether a BlackBerry device can use the BlackBerry Browser to connect ...
    Cloud Storage Access from Work Space | Disallow | Specify whether the cloud storage apps developed by BlackBerry are available in ...
    BlackBerry Maps | | Specify whether a BlackBerry device can use the BlackBerry Maps app. If you set ...
    Find More Contact Details | | Specify whether a BlackBerry device user can use the Find More Contact Details
    Open Links in Work Email Messages in the Personal Browser | | Specify whether BlackBerry device users can use the browser in the personal ...
    Wireless Service Provider Apps | Disallow | Specify whether a BlackBerry device user can use apps that the wireless service ...
    Non-Email Accounts | | Specify whether a BlackBerry device user can add third-party accounts for ...
    External Email Address Indicator | | Specify whether a BlackBerry device displays a warning indicator in work email ...
    Miracast | | Specify whether a BlackBerry device can send streaming video over a Wi-Fi ...
    Forward or Add Recipients to Private Messages | | Specify whether a BlackBerry device user can forward, or add new recipients ...
    External Email Address Warning Message | | Specify whether a BlackBerry device displays a warning message when a user ...
    External Email Domain Allowed List | | Specify a list of external email domains that BlackBerry device users can send ...
    External Email Domain Restricted List | | Specify a list of email domains that BlackBerry device users are not allowed to ...
    Install Apps From Other Sources | Disallow | Specify whether a BlackBerry device user can install apps in the personal space ...
    02-06-14 08:55 AM
  2. Sith_Apprentice's Avatar
    The above policy is at a MINIMUM, you should always look to be MORE secure. I apologize for how ugly the copy and paste was lol
    Supa_Fly1 likes this.
    02-06-14 08:55 AM
  3. chasdrury's Avatar
    Yes I can. Use the Go Launcher Ex app and it works no matter what the settings in your IT policy, work space locked or unlocked, etc. This means android apps have access to work perimeter. In BES 10.2 you can disallow installation from non BlackBerry sources, so I am going to set that and see if I can effectively block third party APK installation. I also need to test to see if this will remove any installed apps currently, but I doubt it seriously. This doesn't obviously help anything in BB World. Next step would be to turn on advanced data at rest encryption, and see if that prevents the app from reading contacts. Also not sure if this would have any success.
    Thanks sith - I can't find go launcher ex in app world - what is it?

    Posted via CB10
    Sith_Apprentice likes this.
    02-06-14 08:55 AM
  4. Gerii's Avatar
    I smell a more basic opened door ... 100% guessing too.
    According to the heise report they introduced this because otherwise you couldn't see the callers name and photo when the work space was locked.

    If it doesn't work when the policy is set to none, it could be that the Android runtime is considered as a native BlackBerry app.

    @chasdrury: It's sideloaded.

    Posted via CB10
    02-06-14 09:02 AM
  5. Sith_Apprentice's Avatar
    Thanks sith - I can't find go launcher ex in app world - what is it?

    Posted via CB10
    This was a sideload. My point about blocking third party apps was since this DOES work, if the developer submitted it to app world, it would come from a "trusted" source and thus not be blocked.
    Superfly_FR and Supa_Fly1 like this.
    02-06-14 09:06 AM
  6. lnichols's Avatar
    This is not a bug, this is a full blown vulnerability. Android apps, at no time, are supposed to have access to the work space. Work space does not even have an android runtime (from what BB has said). If an app can access simple contacts, who is to say it doesn't touch the work environment, or VPN connections, or messages, or encryption keys, etc etc etc etc.

    This is enough to block rollouts for many agencies, and should concern any company with BES10.
    Man BlackBerry is just sloppy and dysfunctional. They worked so hard to get 10.2.1 out this month on all carriers but didn't test it enough to find a major vulnerability that affects the base that they have decided to focus on. At a time that they need quick corporate and government adoption they create a pretty big security hole and barrier for deployment.

    Posted via CB10
    02-06-14 09:31 AM
  7. Sith_Apprentice's Avatar
    Man BlackBerry is just sloppy and dysfunctional. They worked so hard to get 10.2.1 out this month on all carriers but didn't test it enough to find a major vulnerability that affects the base that they have decided to focus on. At a time that they need quick corporate and government adoption they create a pretty big security hole and barrier for deployment.

    Posted via CB10
    Even NSA has difficulty securing Android, as does Samsung (look at their problems with Android apps being able to intercept/divert KNOX communications)
    02-06-14 09:48 AM
  8. Pete The Penguin's Avatar
    BlackBerry is now aware of the security flaw and has issued the following official statement: "We have investigated an issue in the Android app player involving specific permissions, and we have it in our addressed latest software build.
    We will work with our carrier partners to help ensure the update is available to customers."

    http://n4bb.com/blackberry-10-2-1-an...aw-discovered/

    Looks like BlackBerry are going to be at the mercy of the carriers to roll-out a fix for this security vulnerability.
    02-06-14 10:14 AM
  9. Sith_Apprentice's Avatar
    BlackBerry is now aware of the security flaw and has issued the following official statement: "We have investigated an issue in the Android app player involving specific permissions, and we have it in our addressed latest software build.
    We will work with our carrier partners to help ensure the update is available to customers."

    BlackBerry 10.2.1 Android Runtime BES Security Flaw Discovered - N4BB

    Looks like BlackBerry are going to be at the mercy of the carriers to roll-out a fix for this security vulnerability.
    Carriers do fairly well when it is a vulnerability thing. I would say within 30-45 days for a fix to start rolling out. Undeniably though, many carriers will lag behind for months. It is how it is though
    Pete The Penguin likes this.
    02-06-14 10:17 AM
  10. Baber Sultan's Avatar
    Agreed with Sith on this one, an Android app being able to access the Workspace in any way is totally unacceptable!
    Pete The Penguin likes this.
    02-06-14 01:01 PM
  11. Anilu7's Avatar
    Carriers do fairly well when it is a vulnerability thing. I would say within 30-45 days for a fix to start rolling out. Undeniably though, many carriers will lag behind for months. It is how it is though
    That's bl00dy ridiculous! BlackBerry should be able to roll out its own vulnerability fixes as soon as they're handled by BlackBerry, not wait a month for the carriers. This is too important.
    Pete The Penguin likes this.
    02-06-14 02:37 PM
  12. Sith_Apprentice's Avatar
    That's bl00dy ridiculous! BlackBerry should be able to roll out its own vulnerability fixes as soon as they're handled by BlackBerry, not wait a month for the carriers. This is too important.
    No different than Android security updates unfortunately. My biggest question is how deep does this go. There is supposed to be a fundamental separation between the two work sides, and the Android apps are not supposed to be aware of the work side, AT ALL.
    02-06-14 07:18 PM
  13. Sith_Apprentice's Avatar
    Ok I updated the table above to make it easier to read.
    02-06-14 07:26 PM
  14. mikeo007's Avatar
    Carriers do fairly well when it is a vulnerability thing. I would say within 30-45 days for a fix to start rolling out. Undeniably though, many carriers will lag behind for months. It is how it is though
    Shouldn't they just be able to push out a fix to the android player .bar through BB world like they have in the past?
    02-06-14 07:27 PM
  15. Sith_Apprentice's Avatar
    Shouldn't they just be able to push out a fix to the android player .bar through BB world like they have in the past?
    It may be more involved than that. This is what I am worried about. From everything I have been told, this has to go through the carriers as a security update. IF it is only the android player, then yes, you are correct. I have a feeling it is core OS though.


    How devices are designed to prevent BlackBerry Runtime for Android apps from accessing work data and apps
    BlackBerry Balance devices running BlackBerry 10 (including regulated BlackBerry Balance devices) classify Android
    apps as personal apps and as such, they can be installed only in the personal space on devices. You cannot deploy or
    approve Android apps for installation in the work space. Android apps can access only personal data that is located in the
    personal space. Android apps do not have access to the work apps or work data that are located in the work space.


    http://docs.blackberry.com/en/admin/...verview_en.pdf
    02-06-14 07:36 PM
  16. johnnyuk's Avatar
    What I'm a little surprised about is that the Android VM has been there from the start (in an earlier incarnation/version) and so have Android apps available in BlackBerry World that run in the VM, such as Skype.

    So why has this vulnerability only just been discovered now or is it a BB10.2.1.1925 specific vulnerability?

    I'll test this out myself when I have time but I don't recall Skype having access to my Work space Contacts when I used it on BB10.2 and earlier. I haven't used it since updating to 10.2.1.1925.

    Posted via CB10 on Z30 STA100-2 / 10.2.1.1925 on O2 UK - Activated on BES10.2
    02-06-14 08:12 PM
  17. Sith_Apprentice's Avatar
    What I'm a little surprised about is that the Android VM has been there from the start (in an earlier incarnation/version) and so have Android apps available in BlackBerry World that run in the VM, such as Skype.

    So why has this vulnerability only just been discovered now or is it a BB10.2.1.1925 specific vulnerability?

    I'll test this out myself when I have time but I don't recall Skype having access to my Work space Contacts when I used it on BB10.2 and earlier. I haven't used it since updating to 10.2.1.1925.

    Posted via CB10 on Z30 STA100-2 / 10.2.1.1925 on O2 UK - Activated on BES10.2
    Use the Go Launcher EX app. Side load it.
    02-06-14 08:14 PM
  18. johnnyuk's Avatar
    On the flip side it does give some insight in to whether what I'd like to see happen for Android apps / Work space is possible in some way (allowing vetted Android apps access to data on the Work space).

    http://forums.crackberry.com/showthread.php?t=874094

    Posted via CB10 on Z30 STA100-2 / 10.2.1.1925 on O2 UK - Activated on BES10.2
    02-06-14 08:18 PM
  19. johnnyuk's Avatar
    Use the Go Launcher EX app. Side load it.
    So it's not every app that uses the VM that gets access to Work Contact. Or maybe not ones that have been checked out by BlackBerry by virtue of them being submitted to and approved for BlackBerry World.

    Posted via CB10 on Z30 STA100-2 / 10.2.1.1925 on O2 UK - Activated on BES10.2
    02-06-14 08:20 PM
  20. Sith_Apprentice's Avatar
    That isn't the point. The point is the Android VM isn't supposed to be aware of the separately ENCRYPTED work container AT ALL, ever, any app at all.
    eldrover, JeepBB and techvisor like this.
    02-06-14 08:23 PM
  21. Sith_Apprentice's Avatar
    On the flip side it does give some insight in to whether what I'd like to see happen for Android apps / Work space is possible in some way (allowing vetted Android apps access to data on the Work space).

    Time for vetted Android apps to be allowed in Work Space - BlackBerry Forums at CrackBerry.com

    Posted via CB10 on Z30 STA100-2 / 10.2.1.1925 on O2 UK - Activated on BES10.2
    This should be a different activation type. You should NOT offer this out of the box, it has waaay too many vulnerabilities possible.
    02-06-14 08:24 PM
  22. johnnyuk's Avatar
    This should be a different activation type. You should NOT offer this out of the box, it has waaay too many vulnerabilities possible.
    Yes it would have to be tightly controlled I agree.

    Posted via CB10 on Z30 STA100-2 / 10.2.1.1925 on O2 UK - Activated on BES10.2
    02-06-14 09:05 PM
  23. jpvj's Avatar
    This is not a bug, this is a full blown vulnerability. Android apps, at no time, are supposed to have access to the work space. Work space does not even have an android runtime (from what BB has said). If an app can access simple contacts, who is to say it doesn't touch the work environment, or VPN connections, or messages, or encryption keys, etc etc etc etc.

    This is enough to block rollouts for many agencies, and should concern any company with BES10.
    A vulnerability is always a bug, but a bug can be other things than a vulnerability.
    Calling it a bug is not incorrect - just not very specific.

    I assume some ACL checking is failing on the API to read the contacts.

    From What content is in my work space and my personal space? - How To - BlackBerry Z10 Smartphone - 10.0.0 you can see the list of apps, that may show data from both work and personal:

    • BlackBerry Hub
    • BlackBerry Remember
    • Bluetooth
    • Calendar
    • Contacts
    • NFC
    • Search


    I wonder where the Android apps "plug-in". I *guess* it could be an API from the Contacts app...
    Has anybody tried other types of data like Calendar?
    02-06-14 11:05 PM
  24. silversmith75's Avatar
    Figures it would be android. It's vice a virus

    Posted via CB10
    John Pawling likes this.
    02-06-14 11:13 PM
  25. Donkeyfumbler's Avatar
    Can someone here clarify a couple of things for me if possible?

    We are running BES 10.1 currently, which only allows for two activation types - 'Corporate', where the personal and work sides are separated (AKA Balance) and 'Regulated', where there is no personal side at all.

    As I understand it, BES 10.2 adds a third activation type (and renames things just to confuse people) so that you can still have a phone with the work/personal split, but IT policies have more control over the personal side than the old 'Corporate' activation type. It is only this new activation type that has the 'Install Apps from other sources' policy setting, so as such we are unable to use it with our current phones all activated on the old 'Corporate/Balance' plan with BES 10.1.

    If we did update to BES 10.2 am I right in assuming that we would not be able to push the new activation type to our existing devices without manually de-activating them from the old plan and then re-activating them on the new one, at which point we could change this IT policy setting regarding installs from other sources? Does this setting prevent all APK installs regardless of where they come from (Snap, Amazon, Web links, copied to SD card etc.)? Also, is it right that it won't touch Android apps already installed on the phone?

    Thanks in advance.
    02-07-14 04:12 AM