News & Rumors

New malware exploits USB, but isn't really that scary

Special Coverage

Hands-on with Secusmart voice encryption

News & Rumors

BlackBerry acquires mobile security company Secusmart

News & Rumors

Blackphone fires back: 'BlackBerry betrayed its customers and jettisoned its credibility'

News & Rumors

BlackBerry discusses Blackphone and why its consumer-grade privacy is inadequate for businesses

News & Rumors

UK government set to rush through emergency surveillance legislation

News & Rumors

UK officials follow US counterparts by banning electronics with no charge from boarding flights

Editorial

Using strong passwords and keeping your online self secure

News & Rumors

First smartphone 'kill switch' bill in the US passed by… Minnesota

News & Rumors

BlackBerry kicks off security-focused Be Mobile Conference

News & Rumors

Bitly alerts users of widespread account compromises, claims no accounts have been accessed

Enterprise

BlackBerry earns two Govie Awards for outstanding security

Enterprise

BlackBerry CEO says Good is not good enough when it comes to security

BlackBerry Apps

BlackBerry tightens up on app security with BlackBerry Guardian and Trend Micro

Enterprise

BlackBerry issues statement on Air Force switch: 'There is nothing more secure than a BlackBerry'

Editorial

Despite growing security concerns, President Barack Obama stills trusts his BlackBerry

BlackBerry Apps

Your WhatsApp conversations may not be as safe as you think

Enterprise

BlackBerry 10 Receives NATO Approval for Restricted Communications

BlackBerry OS

Report claims NSA can access data on BlackBerry, Android and iOS devices

Enterprise

BlackBerry joins Fido Alliance to support passwordless authentication

< >

BlackBerry 101 - Application permissions

BlackBerry 101
By Joseph Holder on 31 Dec 2010 11:05 am EST
0
loading...
22
loading...
57
loading...

Know thy permissions; Know thy BlackBerry.

Just about every time you install a new application on your BlackBerry, you're asked to set permissions. Long ago, Research In Motion decided that only the BlackBerry end user would be able to decide how apps would interact with the smartphone. Unlike some other device creators, there are no code signing or other workarounds to granting the permissions. Only the user or the BES administrator can choose to allow permissions.

Without certain permissions, your new app will not run on your BlackBerry. But what permissions should be granted? Should you give Trusted Application status to your newly installed program? Should I give it access to my personal data? These are important questions to ask.

Permissions - In three categories

There are three main categories of permissions: Connections, Interactions, and User Data. The Connections permissions deal with how the BlackBerry can communicate to the outside world. USB, Bluetooth, and Wi-fi permissions are all in the category. Interactions cover the permissions an app would need to access the "internals" of the smartphone. Media, recording, and that mysterious "Security Timer Reset" are all included in the category. Finally, the User Data permissions include permission to access email, sms (text) messages, contacts, calendars, and the files on your BlackBerry.

When you first run an application, you'll be prompted to set the permissions to allow the app to interact with your BlackBerry. All permissions have a default setting, but some apps will need more authority than that. You'll be asked whether to grant Trusted Application status and possibly to grant more permissions in a later screen. You should be aware of what you're allowing on your phone and only grant the permissions that you know the app will need.

When an application asks for permissions, it usually doesn't tell you exactly what is needed and/or why. Although there is simple code for explaining why a permission is needed, most developers do not use it. If you're unsure as to why an application needs permission, don't grant it. If it is needed later, the app should prompt you again. If not, you can still change the app's permissions.

OS Five

Permissions in OS Five 

OS6

OS 6 Permissions 

Permissions are set individually to each application. To change them, you'll need to edit permissions for your app. Many permissions can be set to Allow, Deny, or Prompt; though some cannot be set to Prompt. Setting a permission to Prompt just means the application will ask you if it's okay to use a resource (such as location data) if and when it needs to.

*Bolded options are the default BlackBerry options

Connections

  • USB: Allow/Deny access to use the USB port for data transfer
  • Bluetooth: Allow/Deny access to use Bluetooth communication
  • Phone: Allow/Deny/Prompt for the ability to make phone calls and access call logs
  • Location Data: Allow/Deny/Prompt for the ability to access GPS and cell-tower location information
  • Internet: Allow/Deny/Prompt for access to the internet through your wireless service provider (Verizon, Rogers, O2, etc.) 
  • Wi-Fi: Allow/Deny/Prompt for access to the internet through Wi-Fi

Interactions

  • Cross Applications Communications: Allow/Deny the app's ability to communicate with other applications on the device
  • Device Settings: Allow/Deny/Prompt for the ability to turn off the BlackBerry and to change other device settings, such as display options
  • Media: Allow/Deny/Prompt for access to media files, such as videos and music
  • Application Management: Allow/Deny the ability for the app to add or delete modules and get information like module names and version numbers
  • Themes: Allow/Deny the ability for the app to be a source of customized themes
  • Input Simulation: Allow/Deny the app to simulate actions like pressing a key
  • Browser Filtering: Allow/Deny the app to register a filter than can change, add, or delete internet data before it displays in the browser
  • Recording: Allow/Deny/Prompt the ability for the app to record audio and video data
  • Security Timer Reset: Allow/Deny the app to change the length of time that your phone stays unlocked after you stop using it
  • Display Information While Locked: Allow/Deny the app to display information while the phone is locked 

User Data 

  • Email: Allow/Deny the app to access email, SMS (text) messages, MMS ("texts" with video/pictures) messages, and PIN messages
  • Organizer data: Allow/Deny the app to access contacts, calendars, tasks, and memos
  • Files: Allow/Deny the app to access files stored on the device
  • Security Data: Allow/Deny the app to use keys and certificates in the key store

Trusted Application Status

Most apps will ask for Trusted Application status as soon as you first run it. Trusted Applications simply set a variety of permissions to allow, and makes it easier to start using applications that you trust. My recommendation is to avoid doing this. Only applications that you truly trust should be granted this option. Granting this status does nothing more than set some permissions. You can always change it later.

TA Status sets all permissions to Allow except:

  • Security Timer Reset and Recording are set to Prompt
  • Input Simulation, Browser Filtering, and Display Information While Locked are set to Deny

Permissions in OS6

While Research in Motion's goal with the BlackBerry OS6 permissions was to make things easier for the user, the end result is additional confusion. In OS Five and previous versions, the user was presented with all of the permissions and asked to set the ones he or she needed to make the application run. In OS6, the user is presented with and asked to enable a category of permissions.

For example, if the application needs to be able to access the Security Timer Reset (which simply allows the app and the BlackBerry to stay active for an extended period of time), the user is asked to grant all permissions in the "Interactions" category. The permissions screen asks the user to grant "Advanced Capabilities." Similarly, if the application needs to access files or the security key store, the user is asked to grant all permissions in the "User Data" category after asking for access to "Personal Information."

Recommendations

The following are my personal recommendations for what permissions to grant applications; this is what I use on my personal BlackBerry. With the App Specific recommendations, the vast majority of applications will work just fine. Some times when an app requests "Personal Information" it simply needs to access files on your BlackBerry.  Recently, I had a great deal of trouble getting Google Maps to work with my default settings - the ones listed here. It wasn't until I granted access to the key store (Security Data) and Files (allows app to access and create files on your BlackBerry) that Google Maps actually started to work. Though the app wasn't looking to get a hold of my email and contact information, it still prompted me to access "Personal Information."  

Though it takes longer to do, I seriously recommend not granting blanket permissions to an application. It is better to manually tweak the permissions settings and have the app fail a couple of times than to expose your personal information to a unscrupulous app developer. If these default and App Specific selections do not work for your application, consider what the app is to do. An application such as Xobni needs access to your email and organizer data. It can't do its job without it.  On the other hand, a flashlight application has no business knowing your email address.  If you still remain unsure as to why an app won't work with your desired permissions, contact the developer and find out why your personal information is needed to make the app work. 

CrackBerry Recommendation for Application Permissions

Permissions give you, the user, ultimate control over how applications will run on your device. Neither Research in Motion nor app developers will be able to decide that for you. Know your applications, and know your app developers. Keep your personal information safe, now that you know just what your new app is trying to do.

Thanks go out to Shao-soft; without their expertise, this article would have been considerably less informative.   

32 comments

BlaqueGoddis

Much needed info. Download different apps all the time. Wasn't quite sure what all of the permissions were for!

DrewDT

Thank you so much for this write up. Our Crackberry community sorely needed this.

rallen8979

This a great article for everyone. I have often wondered about the permissions. Now I have some understanding of them. Very informative and eye opening. Thanks!

red72

Thanks for the article. I had a vague idea as to what some of the permissions were for, but assummed that you just had to accept the permissions the apps wanted to use.

danny-

Such a nice article!

Marc_Paradise

Good write-up, but one correction:
"Although there is simple code for explaining why a permission is needed, most developers do not use it"

Unfortunately, it's not simple at all - when we explicitly request a permission, RIM gives us *no* way to give an explanation. The *only* time we can provide an explanation is if the app tries to do something that requires a permission, and that permission is set to Prompt. In all other circumstances, the system provides no way to provide an explanation when we request those permissions.

In my app (bbssh, free beta at http://dev.bbssh.org/bbssh/ :) /shameless-plug) , I do use the provided tools -- effective only if a permission is set to Prompt. because this means I don't have any way to guarantee that the user will see the explanations for permissions, I also had to code an additional check around each privileged call or group of calls, explicitly checking for the missing permission; if it's not present i prompt the user with an explanation, THEN show the standard BB permissions request. (Which won't let me give an explanation...)

It's definitely manageable, but it's also not what I'd call simple.

In general, I agree with you - you should always be as restrictive as possible; and if the app doesn't provide details as to why it needs permissions (though this is not simple to do), then don't allow it. However - having said that - if you deny permissions, be aware that some parts of a given app may not work correctly.

Your recommended defaults look good- though I would say that Email and Organizer should be permitted on an app-specific level IF and ONLY IF the app provides an explanation. The reason for this is that some apps have features that do legiitimately need this access. In my case, BBSSH uses "email" in order to let you use the "send feedback" feature -- while I don't access any email or private data, I can't tell the BlackBerry to open up a pre-addressed email unless BBSSH has that permission.

Similarly, BBSSH offers a URL, phone, and email address scraping feature -- when you launch it, it pulls a list of all email, phone, and web site address displayed in the terminal, and allows you to use them. For phone numbers, it lets you dial or add to address book; for email it lets you send an email or add to address book. The act of adding to address book requires "Organizer Data" permissions - even though all BBSSH does is create a new contact and prefill it; the data is only saved when the user approves it.

As you said, though - the flashlight app doesn't need organizer data, nor does the game you just downloaded... my point is only that there are legitimate exceptions to your guidelines. And your last recommendation is best - if you have any doubts or questions, contacting the developer should be your next step.

dgburns

Thank you for this! Nothing more frustrates me from a device security perspective than apps asking for "Trusted Application" status that have no business or real need for such permissive application permissions. In my mind, it's simply lazy programming. 99% of apps that ask for "Trusted Application" status have absolutely no business asking for it, but RIM makes it relatively easy to ask so developers take the easy way out and just ask for it rather than ask for the specific permissions they need. And it is only going to change if users stop just answering yes to apps that ask.

Marc_Paradise

This is actually not something the app does at all. Whenever you download a signed app, BB OS itself prompts to allow Trusted Application status - this is done by BB OS before the application is even launched.

newcollector

Whatcha know, Joe? Joe knows application permissions. Thanks

Ravir123

really useful information ;)

daprof588

This was truly informative. Like many other users I just usually say yes. At first I would go thru and try to individualize but as I installed more and more apps I guess I just got lazy. I think this article is for people like me. Stay diligent! You wouldn't allow just anybody to get your information in real life, so why do it in your digital life.

ench18

Good article. Learned allot about this.

SteveStrike

What do you guys set for Google Maps? If you don't have the permissions they want, the app will nag you each time you try to use it. Even though you can bypass the nag scree, it's still a hassle.

Joseph Holder

The App Specific settings work just fine for me. It doesn't need organizer or email access, but it does need files and possibly Security permissions.

belfastdispatcher

Went trough my apps and I found a few with location enabled even though they have nothing to do with that.

belfastdispatcher

Also found bbc iplayer app, which is really just a browser shortcut wouldn't work without access to user data, why would it even need that? I'm def gonna be more selective from now on.

mjth61

Great article, for those who are tech savy, but what about all the non-tech savy users out there, especially the ones that RIM needs to bring to the group to stay competive? I'm somewhere in between myself and I find this somewhat intimidating. I can understand why some apps would need access to personal information, but what personal information? I have a lot of information in my phone that is nobody's business but mine and if app developers want access to it maybe I should not have it one my phone, and therefore why do I need this phone?

jezreel

very nice. thank you so much !

Chacu

Thank you! I understand this a lot better now. BTW: HAPPY NEW YEAR!!!

f_d

I work in the IT security field and I'm a fair bit more paranoid than most, even regarding BlackBerry and I prefer "Prompt" as the default permission for the internet/wifi connections.. It can be annoying the first time through using an app, but I like to see exactly what sites are being accessed and if I choose, to block them.. Many apps work just fine even if you block their ability to "call home".. Additionally, I turn on "prompt" for phone and GPS data and "deny" for email, PIM and security data as defaults and only allow them if the app really needs them (there's no reason why a game app for instance, should need access to your phone, gps, email, calendar or security keys)..

I wish more of the categories were available with a "prompt" setting vs. just an allow/deny because I much prefer being able to see and control what an app does and make the decision to allow it or prevent it (an in many cases, I've decided that apps that demand too broad a permission set are not worth the potential security risk and deleted them: case in point, the "Docs to Go" suite that is bundled with BlackBerry devices simply will not run unless you grant it full permissions to just about everything, and until RIM bought the company and gave me some assurance about the app, I simple deleted the app rather than grant it the permissions)

For OS6, I think RIM messed up big time with the new permission request screen... Things wrong: descriptions of what it is asking for are totally vague and users don't get the opportunity to selectively allow/deny things: clicking just one check box may actually enable permissions for multiple different things. Second: You cannot ever "deny from now on" like the old screens: the new screen "always* pops up unless you check all the boxes and say "yes" to everything it asks, so even if you decide that you don't want to allow a certain set of functionality, and "save", the next time you run the app, up pops this screen asking for access again.. I want the ability to either completely disable this screen and go back to the OS5-only system, or to stop this screen from coming up again once I make a decision on the permissions.. Lastly, as I said earlier, I'm paranoid, so I want the defaults permissions to be "prompt" and with the new OS6 request screen, if you check the box, it gives "allow" vs. "prompt" permissions.. IMO this one aspect of OS6 has actually made the device *less* secure because most users will simply check off every box to get rid of the warning instead of really thinking about what the app might be doing and whether it's worth the risk of allowing (or having the ability to monitor what it's doing, eg as part of a corporate IT app-vetting process)..

I should also mention that the way to tell what lack of permission is causing an app to crash is to access the system log (alt-LGLG from home screen) and search for exception logs (usually bolded) and trace down to the end and see what permission the app was trying to use, and then you can make the decision whether to allow it or choose not to use the app..

mjth61

Well said. Thanks, my point ecactly. If this permission thing can not be simplified I will either not us apps that require permissions or go back to a dumb phone!

greatscoot

Great article. Just went in and changed permissions on many apps.

stevendsnyder

Sounds like a need for a new app that will help non tech savvy Blackberry users to identify security settings that are questionable. I think an App Security app would be a big hit after reading this story.

bosslady5314

I needed this never realized what I was doing.

dimm0k

Bookmarked! Definitely worthwhile read for all BB owners, thanks for this!

robchow

Great article.

If anyone is interested, I posted app setting for Poynt that I have been using. http://forums.crackberry.com/f35/3rd-party-app-permission-poynt-508808/

I will post other apps settings when I have time.

pbluv

Great article. I'd love to see a similar write-up for the Playbook.