Dailydave mailing list archives
Re: Detailed study of security framework of BlackBerry
From: Sheran Gunasekera <sheran () zensay com>
Date: Wed, 13 Jan 2010 11:18:20 +0700
On Tue, Jan 12, 2010 at 9:12 AM, Mayank Aggarwal <aggarwam () ece osu edu> wrote:

[...]

> This research exposes the weakened security posture of BlackBerry devices that operate under the BlackBerry Internet Service environment.

I would try to avoid referencing the entire BlackBerry Internet Service environment as having a weakened security posture. The actual problem here is not in the hardware or software but in the wetware. The device and underlying framework do what they are supposed to. The user is responsible for making the bad choices.

[...]

> Through this research, SMobile concludes that there are certain instances of attacks that may be successful in bypassing the security framework of BlackBerry and pose a significant threat to privacy and confidentiality of the user.

Again, this is not a problem with the BlackBerry framework. It is only due to the fact that a user will allow access to permissions or ignore an application's constant prompts for permission requests. One approach would be to flood the user with false requests for permission. Then, given how useful your decoy app is, a user will either continue to use the app or discard it altogether. If he continues to use it, then you can give him the one option of "Grant me these permissions and I will leave you alone". He will most likely pick that option because he doesn't want his usage to be disrupted and because he is conditioned to always say "Yes" to security prompts.

--
Sheran Gunasekera
Director of Research & Development, ZenConsult Pte. Ltd.
email: sheran () zenconsult net
Follow me on twitter: @chopstick_ <http://twitter.com/chopstick_>
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave