
32 Comments

Posted by cenloe Tuesday, Feb 09, 2010 730 days ago

...overblown. If one is dumb enough to allow spyware trusted status then maybe they deserve what they get.

 
 
Posted by _X_ Tuesday, Feb 09, 2010 730 days ago

Spyware software is not going to say "Spyware"; it is going to be under the pretense of valuable software.

Almost every single software that I install asks me if they can have more control over my device. Based on the company I accept or reject.

This is such an easy way for spyware/malware to circumvent security.

 
 
Posted by fratts Tuesday, Feb 09, 2010 730 days ago

You can't blame RIM for something that comes down to user error. If you don't trust where the software is coming from, don't install it. Pretty simple.

 
 
Posted by afropoika Tuesday, Feb 09, 2010 730 days ago

Way easier than traditional hacking to get the information you want.

 
 
Posted by Yandar Tuesday, Feb 09, 2010 730 days ago

It's like any tech related system. If you use it as intended and don't check your brain and common sense at the door, there is no realistic chance of "spyware" and its ilk appearing on your phone.

 
 
Posted by casperwhiteboy Tuesday, Feb 09, 2010 730 days ago

Here's your hat. ;)

 
 
Posted by mikeo007 Tuesday, Feb 09, 2010 730 days ago

I'm out of tin foil!

 
 
Posted by Mr.Torben Tuesday, Feb 09, 2010 730 days ago

but i think this is important to get some attention. phones are not immune to attacks, we spent good money and time to keep our computers secure but will click on any jar file that we can get our hands on because there is no awareness of what harm it can do.
it took N1H1 to get ppl to wash their hands but each flu season kills more ppl than N1H1 ever did.

this is not really BB specific, i cringe at the thought that someone is running a JBed iphone on our network but do you think we can force a policy to forbid that? F-NO. But gawd forbid that you want to get a laptop without AV on the network, you are just about escorted out of the building.

this frustration is where i hope for these POC to become public and get attention.

at least on a bes i can see what attaches and prevent it but that should not give anyone a sense of security that just doesn't exist.

 
 
Posted by scallywag1 Tuesday, Feb 09, 2010 730 days ago

Is N1H1 the same as H1N1?

 
 
Posted by tumer Tuesday, Feb 09, 2010 730 days ago

This is so stupid

 
 
Posted by 312 Tuesday, Feb 09, 2010 730 days ago

This isn't stupid by any means. You're stupid for thinking it's stupid. With all the "free apps" and "beta test this" and "beta test that", one could think they're trying out an app, when in reality some "developer" could be an undercover hacker.

And here you are, thinking you're installing the "latest new thing" when in reality, you're installing spyware.

Think before you post, idiot.

 
 
Posted by TheElderBerry Tuesday, Feb 09, 2010 730 days ago

You're stupid for thinking that it's stupid to think it's stupid.

 
 
Posted by webmastir Tuesday, Feb 09, 2010 730 days ago

BUT ...typical as RIM is...nothing will ever be done about it. so suck it up people. the chance of this ever changing is like us ever getting an official blackberry google reader app. HAH.

 
 
Posted by imdaBold1 Tuesday, Feb 09, 2010 730 days ago

As mentioned earlier, it is more of an education tool than anything else. We all take security for granted just because it is a cell phone. This sort of apathy could lead to a serious breach in not only our personal security (think about all the personal info we keep on our Blackberrys) but also from a corporate perspective.

TBH I too am guilty of downloading and installing "free" apps and "beta" tests but you can never really be sure that there isn't some sort of malicious code embedded in these softwares.

Think of it as a cautionary tale of what could happen if we do not think before we install.

 
 
Posted by Ebscer Tuesday, Feb 09, 2010 730 days ago

This is why RIM requires code to be signed before accessing sensitive APIs. If an issue comes up RIM can just block everything with that signature, and the malware is stopped.

 
 
Posted by mikeo007 Tuesday, Feb 09, 2010 730 days ago

This was also my first thought! There's a reason RIM requires code signing, and it's one of the best defenses against malware like this. Why does nobody get their facts straight before posting "articles" that blame the company...

 
 
Posted by dmglakewood Tuesday, Feb 09, 2010 730 days ago

The keys are 20$ and whoever sends them 20$ they will approve. Once you have the keys you can do what you want with the device pretty much, as long as the user allows permissions.

I agree though it's not RIM's fault it's more user error than anything.

 
 
Posted by meske Wednesday, Feb 10, 2010 729 days ago

Does RIM verify all APPWORLD apps as spyware/malicious intent free?

 
 
Posted by 312 Tuesday, Feb 09, 2010 730 days ago

Anyone can buy keys.

 
 
Posted by dmglakewood Tuesday, Feb 09, 2010 730 days ago

People want security, but they also want apps that do everything. In order for us to develop these applications we need api's to access these api's. The more people complain the more RIM will pull these api's and not allow developers to do much of anything.

A simple way around this is to know how to use your phone, set permissions, remove applications etc before you go downloading a bunch of apps.

Also only allow permissions to api's that you know the app will need. For example if the app is a weather application you know it's going to need data and possibly gps. So go ahead and allow those, but it will not need to use things like email, phone etc. So I would go ahead and deny those for that application.

If you allow all permissions you're essentially telling the application you have full control to do anything you want on my device.

 
 
Posted by gary4567 Tuesday, Feb 09, 2010 730 days ago

This was NOT an anti-blackberry presentation. In fact he stated in the talk (the video will be released soon) that Black Berry is the most secure mobile platform out there. The focus of the talk was *not* the fact he used Open API's to make spyware.. it was about the app store and its model. How anyone with 20$ and an email can get a certificate to sign applications. How I can make a tic-tac-toe game that goes into the app store but is actually spyware.

The social engineering or tricking users into installing an app (that is signed by RIM!) is the focus here. The actual security of the phone is not in question he chose the Black berry due to it being the most secure. Doing this talk on Apple or Android would be stupid as everyone *knows* they're insecure.

The researcher and veracode worked with RIM and RIM supported this talk and research from the start.

It's not overblown, Crackberry and most people above have no idea what they're talking about and are judging and interpreting the research without having seen the talk or read it through. Sorry but it's true.

Anyways, it was a great talk.

 
 
Posted by billm85 Wednesday, Feb 10, 2010 730 days ago

HAHA - ok you know the "researcher." For starters, you cannot even spell BlackBerry right. Second, you do not know anyone so stop bragging about how you have the inside scoop on everything. No one cares about your so-called "contacts." Just keep your mouth shut and go back to your cubicle and tell your fake stories to your co-workers because I am sure they would all love to hear it. Just because you didn't think of CrackBerry yourself, doesn't mean you take out your jealousy and say that they have no idea.

 
 
Posted by pipotobe Tuesday, Feb 09, 2010 730 days ago

If this is true, we could have open blackberries.

While other people are thinking about stealing apps, I think this could force RIM to open their platform a little more and force them to make a bit more enjoyable for the social users.

 
 
Posted by mtv.fan Tuesday, Feb 09, 2010 730 days ago

There's nothing compromised here. They simply made a program that uses the API and if a person is stupid enough to install it, then the program is running correctly. It would be the same as SmrtGuard.

The person who installed it clicked "Allow" on the screen that gave the program access to this data. In fact if the BlackBerry did not allow the application to do this, I would call the BlackBerry flawed. It is operated as designed. What is the big deal here? SmrtGuard does the SAME thing. It remotely copies all your data off and stores it on their servers. So does this app.

The user is at fault, not the BlackBerry. BlackBerry has security features built into their IT Policy to block people from doing such dumb things as well.

 
 
Posted by dagda1 Tuesday, Feb 09, 2010 730 days ago

A virus is self replicating. At best this is a trojan horse. It is software that is supposed to do one thing that does another unintended action. The way the apps are distributed and signed though it would be easy to isolate and identify the cause of a spread. You need to work at this for it to be a problem including granting trusted status. This is old news that is not the threat people are making it to be.

 
 
Posted by jletendre Tuesday, Feb 09, 2010 730 days ago

RIM posted a great guide on malware a year or so ago and this is just a new spin on a known attack vertical.

Having to manage thousands of Blackberries this is why we block the installation of any applications and only remove it temporarily as needed or just package and push the app the user is requesting. RIM provides the ability to black list / white list apps and this is yet another item that would go into the block category.

Now it's not perfect but is a heck of a lot more control than any other mobile management. I'd like RIM to manage known threats (be it malware or other) and push these to each BES which may be something that occurs as mobile devices become an attractive target.

 
 
Posted by boomerbsg Tuesday, Feb 09, 2010 730 days ago

to quote from the above article..
"You wouldn't go installing some unknown application on your PC these days would you? Not likely."

um yeah, people do that everyday, all the time, i work on pc's and see it all the time.. and when asked.. "why did you install such and such program?" i usually get the "i don't know, i was told i needed to" (by the very same program itself's pop-ups)... or my favorite "i didn't install that" when clearly they're the only one in the house, let alone the only one using said computer...

never underestimate the depth of ignorance of computer users in general.

cheers

 
 
Posted by clexman Wednesday, Feb 10, 2010 730 days ago

You mean that an application that I install on my phone can add functions to it? Before you know it people everywhere are going to want apps on their phones so they can do more.

 
 
Posted by mike340t Wednesday, Feb 10, 2010 730 days ago

RIM will never "open their platform a little more and force them to make a bit more enjoyable for the social users". As it is the "social users" who are usually the more stupid people to start with. (going by the onslaught of retardedily dumb questions in forums) Besides, why would you want to make a secure phone less secure anyway? If you want something more user friendly get a sidekick or iphone...

 
 
Posted by Bob G Wednesday, Feb 10, 2010 729 days ago

You must be very intelligent and courageous to call other people "stupid" from behind your anonymous keyboard, and you must make so many friends with your stereotypes and intolerant insults of those with the "retardedily dumb questions."

 
 
Posted by F0nage Wednesday, Feb 10, 2010 730 days ago

I set permissions for each app before downloading based on what I expect that app to do.

Sometimes after I reboot it comes up and asks me for permissions I don't think it needs...guess what? I delete that app and it never runs on my device.

Read EULAs, there are several apps that come right out and tell you they are watching what you do- Skyfire is a good example. People are so used to clicking "OK" from being brain-washed by the endless unnecessary prompts from Windows that they don't pay attention. When I saw Skyfire's EULA I said to myself, "you can keep it."

Some of the barcode apps are just as bad. Pay attention, people!

As several posters have said, use common sense, know your device, and you should not find yourself in trouble.

 
 
Posted by Rapid Dr3am Wednesday, Feb 10, 2010 730 days ago

Hack the Gibson!