Is Your BlackBerry Your Best Friend And Your Spy? Security Study And Your BlackBerry

February 7, 2010 | By | 7 Comments

I ran across this very interesting article that also has a video that demonstrates how a hacker can send messages to your BlackBerry and what information they can access off your BlackBerry with only a pc and the right program, and has tips to protect your BlackBerry. SMobile Systems Global Threat Center also released a study on the Proof-Of-Concept Malicious Applications. You really should check this out…

Chris Eng from VERACODE posted this excellent article “Is Your BlackBerry App Sying On You?”  which elaborates on a demonstration done by Tyler Shields. Who is Tyler Shields? He is Senior Security researcher for VERACODE. Prior to that position he was also the Personal Security Consultant for on the Symantec Advisory Services team. Tyler had given a presentation at ShmooCon 2010 on the threats of mobile spyware and the relation to data privacy. As more consumers use smartphones, it’s very important to know that these threats exist  and one should be aware of them.

The point of the demonstration was to show how BlackBerry applications can access and leak your sensitive information using only RIM-provided API’s, with no tricks or exploits of any kind. There were no assumptions made as to how the app can be installed on the phone and they didn’t try to pass a spy app on  the BlackBerry App World. Although as stated in prior posts, many consumers tend to trust App stores which may lead to a false sense of security. Even BlackBerry App World has the statement in it’s EULA that they are not responsible for any viruses or spyware downloaded through their store. In other words, it’s possible as we’ve found with other platform app stores that spyware can find it’s way in to the stores.

TXSBBSpy Demo from Veracode on Vimeo.

Please click on the PDF Slideshow: BlackBerry Mobile Spyware- The Monkey Steals The Berries

Tyler has a video demonstrating the proof-of-concept spyware. What’s even more frightening is watching how it’s used to dump messages and contacts, intercept text messages, eavesdrop on conversation, report on phone usage, and monitor the whereabouts by using GPS. I’m going to set the link for the video which I encourage you to watch. Tyler uses his software via computer and using email to send commands to the BlackBerry and shows the information it sends and retrieves. He also brings up Google Earth showing how to track the phone.

I’m also going to include the slides showing some important information. Such as only 23% of smartphone use the security software installed on the device, and only 13% of organizations protect against viruses. The slides also go into detail of studies on various spyware including Etisalat (which was discovered by SMobile Systems), and the code signing process and API’s. He also lists IT and application policies, default 3rd party Application permissions, installation methods, types of files, and the codes and commands of the app they use.

They also have a list of how to protect yourself.If you look at the pdf slideshow, there are actually the 3rd party permissions and suggestions for setting the security permissions yourself. At least check your 3rd party permissions and dont allow full access unless you trust them. Be careful of the apps you download, as was advised from Kevin from SMobile Systems in our conference call.

So what tips do they have for you?  The excerpt from the article is as follows:

  • Users can change their default application permissions to be more restrictive. This way, if an application tries to use an API that accesses the user’s email or contact list, the OS will ask for permission. Avoid granting applications “trusted application” status, which grants untrusted applications additional privileges. Tyler’s slide deck shows the default and trusted permission sets in more detail.
  • Corporations using a BlackBerry Enterprise Server can configure their IT policies to restrict their users from installing third-party applications, or whitelist certain approved applications (but brace yourself for the backlash)
  • BlackBerry App World could introduce a rigorous security screening process that submitted applications must pass in order to be listed in the store.

The SMobile Global Threat Center released the study done on the BlackBerry platform today as well. I’m including the link to their PDF results which includes the history of BlackBerry vulnerabilities and threats (including trojans and spyware), code signing, the Proof-Of-Concept and conclusion. So what’s the Proof-Of-Concept? As explained on the SMobile Global Threat Center it is “research which exposes the weakened security posture of BlackBerry device that operate under the BlackBerry Internet Service environment. The proof of concept applications discussed in this research are developed to examine the response of BlackBerry inbuilt security framework.” I suggest reading the study so you can get an idea of what is at risk and how to protect you and your BlackBerry.

Download the SMobile Global Threat Center Study of BlackBerry Proof-Of-Concept Malicious Applications pdf here

So read the article, watch the video, and check out the slides and let me know what you think. And also, just because they used a BlackBerry doesn’t mean it only applies to a BlackBerry smartphone. There are many platforms that are also vulnerable. I’m not trying to discourage use of your BlackBerry because I would never give up mine, only to protect it and you by using your security options and using software designed to protect you from such malware like SMobile Security Shield. It’s important to know these things and protect yourself and your information. Please leave a comment and let me know what you think.

I have a statement by RIM that I am including here:

“Applications containing spyware cannot be installed on a BlackBerry smartphone without the user’s explicit consent unless of course someone gains physical possession of the user’s device along with knowledge of any enabled password. Although it is important for users of all types of computers and mobile devices to always exercise caution before downloading apps, it is also important to understand the context in which the risk of this spyware was described at the conference on Sunday and that the spyware app cannot simply install itself stealthily on to a user’s device. Further,, a user can review and confirm the list of installed apps on their device by looking in the “Options” area at any time.”

P.S.  Please don’t forget that SMobile Systems is still offering a 20% discount for our readers, just head over to their store and use the code: FEB1020 at the check out.

SMobile Systems Online Store

[via: VERACODE /SMobile Global Threat Center]

Filed in: BlackBerry, Security, Software | Tags: , , , , , , , , , , , ,

  • http://www.twitter.com/@douglasfamily4 Josh D.

    Wow. This can get scarey. I have never put thought into the security of my phone. This sheds alot of light on the subject. Going thru out the day checking sensitive emails and bank info. Keep the knowledge coming.

  • Susan

    Thx Josh, I think at some point I’ll post something about security settings for your phone and for third party apps. But when I saw this, I couldn’t resist sharing it.

  • http://www.twitter.com/@douglasfamily4 Josh D.

    Thank you Susan. You are opening the eyes of us users. I’m sure not many of us put thought into the security of our phones and how much we use them for personal info. I would love to read about how to better protect my data. Cant wait.

  • Summer

    Yes! A detailed list of Security settings & what they do for our phones would be wonderful! I never fully have understood what everything does when i go into options, security options.
    I have clicked help on the menu but that is only good if you know what these things are, guess what I’m Saying is that the help option doesn’t always fully explain what the settings Do.

    Great reading material-

  • Patrick

    yes. We all need to know that there are bad guys around us all the time. They sometimes use our own phones – in the name of spyware. A bug can be used to open up yr phone thereby compromising security of your data, texts, calls, etc. The truth will set u free – only if u know the TRUTH. From a position of knowing.
    Better upgrade yr phone to a SMARTPHONE, that will allow u to install antiviruses, antispyware, etc. Then keep alert..continuously on the look out for new programs already out there. We are in a Cat-nmouse game already, whether u know it or not.

  • http://cheapuggbootssale2011.info ugg sale

    not because you want to do too much exaggerated to cover up defects the so-called overkill,mens uggs what should be just right, but not too far.

  • http://coachoutletonline1111.info coach outlet store

    Considering that shipping only a sample of the autumn winter collection until the coach handbags, the new coach bag is manufactured from ocelot satin leather patent plate lined with a luxurious and elegant look.