Monday, February 9, 2015

Response - Web Security Analysis Of 12 BlackBerry 10 Applications

First, sorry for my very bad English and the construction of this post.

I have no bad intentions toward user data. I don't store user passwords in any form, online or offline, and never have. I do store a cache for app use like images, logged-in status, tokens, and user IDs (OFFLINE) because it is required and gives a better experience.

In Snap2Chat's very early stages, I used my own server http://kellyescape.com without SSL / no HTTPS. After about 2 weeks Knobtviker (dev of Whine) advised/helped me to just sniff the API and use it directly, and so I did. No more using 3rd-party servers. (This time it is very risky.)


I use the Flurry and Smaato SDKs, which BlackBerry advertised as SDKs that BlackBerry developers can use. Unfortunately I didn't know they send HTTP and not HTTPS. And if BlackBerry doesn't want us to use HTTP, they shouldn't have advertised the Smaato and Flurry SDKs to us.

Smaato advertised by BlackBerry:

The SDK provided by BlackBerry has a parameter that lets us set an interval; the default is 10 and I set it to 10, so it connects to the Smaato service every 10 seconds. In Snap10 that's why there are a lot of requests: Snap10 uses tabs, and every one of those tabs makes a request every 10 seconds. I have not fixed that yet. But there's nothing bad it's doing there; it doesn't even increase revenue.

I just followed everything they provided: the webcast meeting, the Smaato guys, the Smaato ad sample BlackBerry provided on GitHub. And I cannot modify the compiled libraries to force them to use HTTPS, because they are their own and there's no way. (Same with Flurry Analytics.)

Flurry advertised by BlackBerry: 

http://kellyescape.com (NO SSL) - this is my own domain and it's hosted on my own host. (This has been dead for about 6 months now.) This was used for Snap2Chat and for FB Messenger for pulling sticker images, and also for my own web service, the ShoutBox in Snap2Chat.

The ShoutBox, I admit, doesn't use SSL or HTTPS and is a very high security risk. And that's why I shut it down early. This screenshot is by: http://www.filearchivehaven.com/2015/02/09/web-security-analysis-of-12-blackberry-10-applications/

I built ShoutBox so that Snap2Chat users can find more friends. It's a public chat room for all users.

This part of the code is for creating a user in the ShoutBox service. Profiles need some information, and I chose to give it an age, biography, name, gender, and username. This is the PLAIN TEXT they're talking about.

EXTENDED PROFILE isn't part of the SnapChat service. (Snap2Chat hardcore early adopters know what this is; it is used for the ShoutBox.)



https://cloudfront.net - It's owned by Amazon. It's used for storing pictures by some services (not my own services). I am not exactly sure in which app he got this, because none of my apps connect (not used for sending user data).

http://parse.com (NO SSL) - it's owned by Facebook. BlackBerry also provided a Parse SDK. (Used for pulling announcements and app status; not for sending user data.)

http://blogblog.com (NO SSL) - I am not familiar with it, but I think it's related to Smaato. (Not used for sending user data.)

http://nemorystudios.blogspot.com (NO SSL) - this is my own blog for my apps. Not used for sending or receiving data; it's used for viewing the blog. (Not used for sending user data.)

http://ih6.googleusercontent.com (NO SSL) - this is owned by Google. (Not used for sending user data.)

http://chat.facebook.com (NO SSL) - it's owned by Facebook. I used a Facebook Chat Qt library. (Used for sending and receiving chat messages.) Login for the Messenger app uses HTTPS/SSL and secure OAuth provided by Facebook.

http://translate.google.com - it's owned by Google. (Not used for sending user data.) I use this website for translating text into any language in the Twittly app. Login for the Twittly app uses HTTPS/SSL and secure OAuth provided by Twitter.

http://waterworldjax.com - my own host and domain - used for Twitter OAuth. (It does not store any username or password, and that is not possible; that's why there's OAuth, for more security. It just loads up the Twitter login page that Twitter requires it to use.) Twitter requires a separate website link for OAuth. This is why I used this. Most Twitter apps use the same method.

Permissions used

Camera - to use the camera hardware
Capture Screen - used for saving edited Snaps (painting and caption)
Contacts - used for finding friends from contacts
Device Identifying Information - used for optimizing the UI: to get the display height and width and check which exact device it is
Internet - to use the internet
Location - to use the location service to get the location of the user (for Dater, and for FB Messenger for sending location in chats)
Microphone - required for recording videos
Post Notifications - to post notifications in the Hub
Push - for push notifications
Run as Active Frame - to run in an active frame
Shared Files - to allow the camera to save temporary images in the shared directory

I apologize for the security risks, and I will do patches for them. But I also suggest that BlackBerry not advertise the risky SDKs, so that we devs don't use them.

Also, it's not just my apps that use Flurry and Smaato. BlackBerry advertised them to thousands of devs, and for sure there are more than a thousand apps using the 2 risky services right now.

I am 100% true and honest that I don't sell or do anything else with the user data that's being collected. I am just using the services provided by BlackBerry, and I only just found out they're risky.

IF EVER BLACKBERRY WANTS 100% FULL PROOF, I AM 100% OKAY TO PROVIDE SOURCE CODE AND ALL THE INFORMATION NEEDED, EVEN DECOMPILING ALL VERSIONS.

I AM CONFIDENT THAT I AM NOT DOING ANY BAD THINGS AT ALL AND NEVER.

THANK YOU ALL


120 comments:

  1. I do not think most BlackBerry users nor the security firm that looked at your apps thinks that you are doing bad things. What was highlighted are possibilities that others could use. I appreciate all you do in developing for BlackBerry users and know that you will quickly respond to patch the issues revealed. You produce quality apps and I encourage you to keep up the good work.

  2. Thanks for this Nemory. As a satisfied user of your apps I feel relief with your explanation and I trust that you take the security of our data seriously. I look forward to the release of the patches and hopefully BlackBerry will also do their job.

    A lot of criticism, some of it constructive but mostly destructive unfortunately, will come your way in the next few days for this. I urge you to just state the facts respectfully as you have done here and not join the bandwagon of insults that is likely to come.

    Replies
    1. I appreciate it, bro. Thank you so much.

  3. I don't think you are an evil person, and I will still use your apps. You are sure to get lots of feedback over this, but I guess that's part of the game, right?! Responding as you have is a great gesture, and shows that you are willing to work with us :)

  4. Nemory and anyone else who wants to listen,
    I read the report, then read Nemory's reply and studied the facts. Nemory uses existing SDKs in his apps, and it's not his fault if something isn't up to a security researcher's standards. He could write everything from scratch, I suppose, but that's insane.

    I have worked with security researchers in the consulting field before and know how they are. They take a minor issue and speculate on how it can be really, really bad and kill us all, when really IT'S NOT A BIG DEAL. These researchers like to talk about how things "could happen" and offer no proof and no solutions.
    They hope you will pay them thousands of dollars to tell you their opinion. If there were a real problem, someone would have actually taken advantage of it and compromised the app. These people are just blowing smoke and trying to make a buck!

    Personally I highly value my privacy, and unnecessary connections suck, but Nemory explained what each of them is and how there is no ill intent, and I'm OK with that. Talked to the guy before on BBM and he's straight up. No BS.

  15. Hey Oliver!
    First things first.
    1. I think what you have accomplished is great for a one-man-band developer company.
    2. I agree that sometimes we have to rely on third-party APIs when trying to get things done.
    3. I do recognize that app development is a never-ending spiral that comprises many tasks and a heavy workload in all app life-cycle stages.

    However, you may consider (and I recommend you take action on it):
    1. By being one of the few still-standing developers for BlackBerry, you will be observed for several reasons:
    1.a. you are, on your own, accomplishing what other big-buck companies have not.
    1.b. there are several stakeholders intentionally trying to harm BlackBerry, and trying to influence others into that.
    1.c. you are monetizing some apps that are free on other platforms.
    1.d. there is no clear process at Nemory to evaluate overall app quality, and there is also no visible process for bug fixes/support.
    2. Enlarge your company's footprint. At some point, especially having published that many apps, you will need help, and there is nothing wrong with that. It will only increase your company's reliability, and eventually it will pay off.
    3. Consider publishing and maintaining a proper NemoryStudios domain, with proper security and a proper communication strategy. There is nothing bad about being a "garage-like" entrepreneurial/startup company; but there is also nothing wrong with having the basics of big corporations associated with your brand.

    Now, what I personally (strongly) request of you as a customer of Nemory:
    1. Please make sure none of our customer data/metadata/behavior is being used for commercial purposes / profiling / advertising.
    1.a. If you are paying for an app, it is expected that the ads are removed. In-app ads are annoying but understandable when using free versions. Upgraded/plus/paid versions should never display ads. It is not good practice to monetize from ads when the customer has already paid for the app.
    1.b. Please provide warranties to paid customers. If a paid customer receives the same support as a free user, then there is not much sense in paying for an app.
    2. Please enhance the app performance in terms of:
    2.a. Device memory management. Please connect the proper dots to make the app stable, but also reliable. I have experienced app and device hangs because of Nemory apps.
    2.b. Data usage. It is not only the tech reports saying it; my own user experience has confirmed that Nemory apps request/send more data than they "should" (benchmarked against other apps).
    2.c. Battery life management. Please, please review all of your code intensively, focusing on saving battery.
    3. Please contribute to BlackBerry by honoring the same principles that have helped the customer base to rely on BlackBerry. Please enforce the security of your apps, please avoid intellectual property rights infringement, please manage better customer service, please improve!

    Thanks.
    An unsatisfied (yet sympathetic) customer.
