Dailydave mailing list archives
Re: Detailed study of security framework of BlackBerry
From: Mayank Aggarwal <aggarwam () ece osu edu>
Date: Wed, 13 Jan 2010 10:26:58 -0500 (EST)
Hi Sheran,

I appreciate your comments. Below is my response to your comments. :)

------------------------------------------------------------

This research exposes the weakened security posture of BlackBerry devices that operate under the BlackBerry Internet Service environment.

Sheran - I would try to avoid referencing the entire BlackBerry Internet Service environment as having a weakened security posture. The actual problem here is not in the hardware or software but in the wetware. The device and underlying framework do what they are supposed to. The user is responsible for making the bad choices.

Mayank - I said BIS because the user's device is not monitored by an administrator, as it is in the case of BES. In a BIS environment, the user's privacy protection is entirely based on the user's discretion. However, we both know that most of the attacks that take place, or are successful, are primarily due to the end user's incapability to use the device securely. Moreover, most people are not aware that the application they are downloading can be malicious. :) If I had to install and run the POC applications in a BES environment, it is highly probable that these attacks may not be successful, for many reasons.

------------------------------------------------------------

Through this research, SMobile concludes that there are certain instances of attacks that may be successful in bypassing the security framework of BlackBerry and pose a significant threat to the privacy and confidentiality of the user.

Sheran - Again, this is not a problem with the BlackBerry framework. It is only due to the fact that a user will allow access to permissions or ignore an application's constant prompts for permission requests. One approach would be to flood the user with false requests for permission. Then, given how useful your decoy app is, a user will either continue to use the app or discard it altogether. If he continues to use it, then you can give him the one option of "Grant me these permissions and I will leave you alone". He will most likely pick that option because he doesn't want his usage to be disrupted and because he is conditioned to always say "Yes" to security prompts.

Mayank - Whenever a user downloads a third-party app, he has to allow a certain set of permissions, so this alone does not solve the purpose. I am not sure if you read the whole paper, but I did mention that most of the permission pop-ups do not make sense to the end user. As you said, either the user can be flooded with multiple permission requests and may give up and set all the permissions to allow, or the application can open the pop-up window once and ask the user to allow all the permissions. How many people out there do you think understand what these permissions imply? Well, if this all is the purpose of the BlackBerry Security Framework, then I guess it really falls short of its commitment. And I do not blame BlackBerry for it; it is just that either users need to be more aware of their own security or they need to trust a third-party vendor for their security. Well, I guess for this reason alone you made your POC public, and then released an application to detect and delete it. I guess our approach is a little different in bringing user awareness, but the goal is the same. :) You can write to me if you have any further comments.

------------------------------------------------------------

Thanks,
Mayank Aggarwal
Global Threat Center Research Engineer
SMobile Systems
614-754-4513
maggarwal () smobilesystems com

----- Original Message -----
From: "Sheran Gunasekera" <sheran () zensay com>
To: "Mayank Aggarwal" <aggarwam () ece osu edu>
Cc: Dailydave () lists immunitysec com
Sent: Tuesday, January 12, 2010 11:18:20 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Dailydave] Detailed study of security framework of BlackBerry

On Tue, Jan 12, 2010 at 9:12 AM, Mayank Aggarwal <aggarwam () ece osu edu> wrote:

[...]

This research exposes the weakened security posture of BlackBerry devices that operate under the BlackBerry Internet Service environment.

I would try to avoid referencing the entire BlackBerry Internet Service environment as having a weakened security posture. The actual problem here is not in the hardware or software but in the wetware. The device and underlying framework do what they are supposed to. The user is responsible for making the bad choices.

[...]

Through this research, SMobile concludes that there are certain instances of attacks that may be successful in bypassing the security framework of BlackBerry and pose a significant threat to the privacy and confidentiality of the user.

Again, this is not a problem with the BlackBerry framework. It is only due to the fact that a user will allow access to permissions or ignore an application's constant prompts for permission requests. One approach would be to flood the user with false requests for permission. Then, given how useful your decoy app is, a user will either continue to use the app or discard it altogether. If he continues to use it, then you can give him the one option of "Grant me these permissions and I will leave you alone". He will most likely pick that option because he doesn't want his usage to be disrupted and because he is conditioned to always say "Yes" to security prompts.

--
Sheran Gunasekera
Director of Research & Development, ZenConsult Pte. Ltd.
email: sheran () zenconsult net
Follow me on twitter: @chopstick_