Dailydave mailing list archives

Re: Detailed study of security framework of BlackBerry


From: Mayank Aggarwal <aggarwam () ece osu edu>
Date: Wed, 13 Jan 2010 10:26:58 -0500 (EST)


Hi Sheran, 

I appreciate your comments. Below is my response to your comments. :) 
------------------------------------------------------------------------------------------------------------------------------------
 
This research exposes the weakened security posture of BlackBerry devices that operate under the BlackBerry Internet 
Service environment. 

Sheran-I would try to avoid referencing the entire BlackBerry Internet Service environment as having a weakened 
security posture. The actual problem here is not in the hardware or software but in the wetware. The device and 
underlying framework do what they are supposed to. The user is responsible for making the bad choices. 

Mayank-I said BIS because the user device is not monitored by an administrator, as it is in the case of BES. In a BIS 
environment, the user's privacy protection is entirely based on the user's discretion. However, we both know that most of 
the attacks that take place, or are successful, are primarily due to the end user's inability to use the device 
securely. Moreover, most people are not aware that the application they are downloading can be malicious. :) 
If I had to install and run the POC applications in a BES environment, then it is highly probable that these attacks would 
not be successful, for many reasons. 

------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 

Through this research, SMobile concludes that there are certain instances of attacks that may be successful in 
bypassing the security framework of BlackBerry and pose a significant threat to the privacy and confidentiality of the 
user. 

Sheran- Again, this is not a problem with the BlackBerry framework. It is only due to the fact that a user will allow 
access to permissions or ignore an application's constant prompts for permission requests. One approach would be to 
flood the user with false requests for permission. Then, given how useful your decoy app is, a user will either 
continue to use the app or discard it altogether. If he continues to use it, then you can give him the one option of 
"Grant me these permissions and I will leave you alone". He will most likely pick that option because he doesn't want 
his usage to be disrupted and because he is conditioned to always say "Yes" to security prompts. 

Mayank-Whenever a user downloads a third-party app, they have to allow a certain set of permissions, so this alone does not 
solve the problem. I am not sure if you read the whole paper, but I did mention that most of the permission pop-ups do 
not make sense to the end user. As you said, either the user can be flooded with multiple permission requests and may 
give up and set all the permissions to allow, or the application can open the pop-up window once and ask the user to 
allow all the permissions. How many people out there do you think understand what these permissions imply? Well, if this 
is all the purpose of the BlackBerry Security Framework, then I guess it really falls short of its commitment. And I do not 
blame BlackBerry for it; it is just that either users need to be more aware of their own security, or they need to 
trust a third-party vendor for their security. 

Well, I guess for this reason alone you made your POC public, and then released an application to detect and delete it. I 
guess our approach is a little different in bringing user awareness, but the goal is the same. :) 

You can write to me if you have any further comments. 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 

Thanks, 
Mayank Aggarwal 
Global Threat Center Research Engineer 
SMobile Systems 
614-754-4513 
maggarwal () smobilesystems com 


----- Original Message ----- 
From: "Sheran Gunasekera" <sheran () zensay com> 
To: "Mayank Aggarwal" <aggarwam () ece osu edu> 
Cc: Dailydave () lists immunitysec com 
Sent: Tuesday, January 12, 2010 11:18:20 PM GMT -05:00 US/Canada Eastern 
Subject: Re: [Dailydave] Detailed study of security framework of BlackBerry 

On Tue, Jan 12, 2010 at 9:12 AM, Mayank Aggarwal <aggarwam () ece osu edu> wrote: 


[...] 

This research exposes the weakened security posture of BlackBerry devices that operate under the BlackBerry Internet 
Service environment. 


I would try to avoid referencing the entire BlackBerry Internet Service environment as having a weakened security 
posture. The actual problem here is not in the hardware or software but in the wetware. The device and underlying 
framework do what they are supposed to. The user is responsible for making the bad choices. 

[...] 


Through this research, SMobile concludes that there are certain instances of attacks that may be successful in 
bypassing the security framework of BlackBerry and pose a significant threat to the privacy and confidentiality of the 
user. 


Again, this is not a problem with the BlackBerry framework. It is only due to the fact that a user will allow access to 
permissions or ignore an application's constant prompts for permission requests. One approach would be to flood the 
user with false requests for permission. Then, given how useful your decoy app is, a user will either continue to use 
the app or discard it altogether. If he continues to use it, then you can give him the one option of "Grant me these 
permissions and I will leave you alone". He will most likely pick that option because he doesn't want his usage to be 
disrupted and because he is conditioned to always say "Yes" to security prompts. 

-- 
Sheran Gunasekera 
Director of Research & Development, 
ZenConsult Pte. Ltd. 
email: sheran () zenconsult net 

Follow me on twitter: @chopstick_ 
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave