Dailydave mailing list archives

Re: Detailed study of security framework of BlackBerry


From: Sheran Gunasekera <sheran () zensay com>
Date: Wed, 13 Jan 2010 11:18:20 +0700

On Tue, Jan 12, 2010 at 9:12 AM, Mayank Aggarwal <aggarwam () ece osu edu> wrote:
[...]

> This research exposes the weakened security posture of BlackBerry devices
> that operate under the BlackBerry Internet Service environment.


I would try to avoid referencing the entire BlackBerry Internet Service
environment as having a weakened security posture.  The actual problem here
is not in the hardware or software but in the wetware.  The device and
underlying framework do what they are supposed to.  The user is responsible
for making the bad choices.

[...]


> Through this research, SMobile concludes that there are certain instances
> of attacks that may be successful in bypassing the security framework of
> BlackBerry and pose a significant threat to privacy and confidentiality of
> the user.


Again, this is not a problem with the BlackBerry framework.  It is only due
to the fact that a user will allow access to permissions or ignore an
application's constant prompts for permission requests.  One approach would
be to flood the user with false requests for permission.  Then, given how
useful your decoy app is, a user will either continue to use the app or
discard it altogether.  If he continues to use it, then you can give him the
one option of "Grant me these permissions and I will leave you alone".  He
will most likely pick that option because he doesn't want his usage to be
disrupted and because he is conditioned to always say "Yes" to security
prompts.

-- 
Sheran Gunasekera
Director of Research & Development,
ZenConsult Pte. Ltd.
email: sheran () zenconsult net

Follow me on twitter: @chopstick_ <http://twitter.com/chopstick_>
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
