I ran across this very interesting article that also has a video that demonstrates how a hacker can send messages to your BlackBerry and what information they can access off your BlackBerry with only a PC and the right program, and it has tips to protect your BlackBerry. SMobile Systems Global Threat Center also released a study on the Proof-Of-Concept Malicious Applications. You really should check this out…
Chris Eng from VERACODE posted this excellent article, “Is Your BlackBerry App Spying On You?”, which elaborates on a demonstration done by Tyler Shields. Who is Tyler Shields? He is a Senior Security Researcher for VERACODE. Prior to that position he was also a Personal Security Consultant on the Symantec Advisory Services team. Tyler gave a presentation at ShmooCon 2010 on the threats of mobile spyware and their relation to data privacy. As more consumers use smartphones, it’s very important to know that these threats exist and to be aware of them.
The point of the demonstration was to show how BlackBerry applications can access and leak your sensitive information using only RIM-provided APIs, with no tricks or exploits of any kind. No assumptions were made about how the app gets installed on the phone, and they didn’t try to get a spy app listed on BlackBerry App World. Although, as stated in prior posts, many consumers tend to trust app stores, which may lead to a false sense of security. Even BlackBerry App World states in its EULA that it is not responsible for any viruses or spyware downloaded through the store. In other words, as we’ve found with other platforms’ app stores, it’s possible for spyware to find its way into the stores.
Tyler has a video demonstrating the proof-of-concept spyware. What’s even more frightening is watching how it’s used to dump messages and contacts, intercept text messages, eavesdrop on conversations, report on phone usage, and monitor the phone’s whereabouts using GPS. I’m going to set the link for the video, which I encourage you to watch. Tyler runs his software from a computer, uses email to send commands to the BlackBerry, and shows the information it sends and retrieves. He also brings up Google Earth to show how the phone can be tracked.
I’m also going to include the slides, which show some important information. For example, only 23% of smartphone users use the security software installed on the device, and only 13% of organizations protect against viruses. The slides also detail studies of various spyware, including Etisalat (which was discovered by SMobile Systems), and cover the code signing process and APIs. He also lists IT and application policies, default third-party application permissions, installation methods, file types, and the codes and commands of the app they use.
They also have a list of how to protect yourself. If you look at the PDF slideshow, it actually includes the third-party permissions and suggestions for setting the security permissions yourself. At the very least, check your third-party permissions and don’t allow full access unless you trust the application. Be careful of the apps you download, as Kevin from SMobile Systems advised in our conference call.
So what tips do they have for you? The excerpt from the article is as follows:
- Users can change their default application permissions to be more restrictive. This way, if an application tries to use an API that accesses the user’s email or contact list, the OS will ask for permission. Avoid granting applications “trusted application” status, which grants untrusted applications additional privileges. Tyler’s slide deck shows the default and trusted permission sets in more detail.
- Corporations using a BlackBerry Enterprise Server can configure their IT policies to restrict their users from installing third-party applications, or whitelist certain approved applications (but brace yourself for the backlash).
- BlackBerry App World could introduce a rigorous security screening process that submitted applications must pass in order to be listed in the store.
The SMobile Global Threat Center released its study of the BlackBerry platform today as well. I’m including the link to their PDF results, which cover the history of BlackBerry vulnerabilities and threats (including trojans and spyware), code signing, the proof-of-concept, and their conclusion. So what’s the proof-of-concept? As explained by the SMobile Global Threat Center, it is “research which exposes the weakened security posture of BlackBerry devices that operate under the BlackBerry Internet Service environment. The proof of concept applications discussed in this research are developed to examine the response of the BlackBerry inbuilt security framework.” I suggest reading the study so you can get an idea of what is at risk and how to protect you and your BlackBerry.
So read the article, watch the video, and check out the slides, and let me know what you think. And also, just because they used a BlackBerry doesn’t mean it only applies to a BlackBerry smartphone. Many other platforms are also vulnerable. I’m not trying to discourage use of your BlackBerry, because I would never give up mine; I only want to protect it and you by using your security options and software designed to protect you from such malware, like SMobile Security Shield. It’s important to know these things and protect yourself and your information. Please leave a comment and let me know what you think.
I have a statement by RIM that I am including here:
“Applications containing spyware cannot be installed on a BlackBerry smartphone without the user’s explicit consent unless of course someone gains physical possession of the user’s device along with knowledge of any enabled password. Although it is important for users of all types of computers and mobile devices to always exercise caution before downloading apps, it is also important to understand the context in which the risk of this spyware was described at the conference on Sunday and that the spyware app cannot simply install itself stealthily onto a user’s device. Further, a user can review and confirm the list of installed apps on their device by looking in the “Options” area at any time.”
P.S. Please don’t forget that SMobile Systems is still offering a 20% discount for our readers; just head over to their store and use the code FEB1020 at checkout.