BlackBerry working to fix reported Android Runtime and BES10 contact flaw on 10.2.1

By Bla1ze on 6 Feb 2014 07:09 pm EST

Now that BlackBerry 10.2.1 has hit public release, many consumers have been downloading and loving the latest release, which allows them to install APK files directly. For those running BES10, though, there have been some concerns surrounding the release, in part due to the findings of Frank Büttner from ABS Team GmbH. As posted on Heise, Büttner has discovered that some Android apps, when installed on BlackBerry 10.2.1, have access to the names and numbers of his contacts despite a policy being set that should not allow this to happen.

Within a BES10 environment, you have the option to allow personal apps access to work contacts through a policy which offers three options: All, Only BlackBerry Apps, or None. This rule specifies whether personal apps can access required data for work contacts on a BlackBerry device. If you set this rule to All, all personal apps can access required data for work contacts. If you set this rule to Only BlackBerry apps, some apps developed by BlackBerry (Phone, BBM, Text Messages, Smart Tags, visual voice mail, and voice dialing) can access required data for work contacts. If you set this rule to None, personal apps cannot access data for work contacts.

Problem is, the policy doesn't appear to be enforced on some Android apps, such as Skype and Go Launcher EX, no matter what it is set to, and that's an issue, especially when you consider that BlackBerry does not allow Android apps in the secure environment for security reasons and only native BlackBerry apps are allowed to run from there. The situation gets even trickier when some folks can replicate it while others cannot.

Keep in mind that this doesn't affect you if you're not on BES. BlackBerry is already fully aware of the issue and has noted it will be addressed in an upcoming update if it can't be addressed by some other method in the meantime. But of course with that comes the wait time for carrier approvals as well, so there's no direct timeframe that can be placed on it. If you're looking for some further discussion on it, our own Sith Apprentice has been doing some testing of his own in the CrackBerry Forums and has some great further info on it.

We'll keep following the news surrounding it and update if necessary. As of right now, the BlackBerry Security Incident Response Team has not posted any advisories for it under their Vulnerability Disclosure Policy.

Topics: Enterprise

93 comments

BerryRipe

Sweet!

Keep The Faith  BlackBerry Q10 

Devil

What about the "HTML disabled by your IT Policy" error?

Posted via CB10

Supa_Fly1

not related ... create a new forum thread on it if not already existing.

BB Adict

Still waiting on TMO for the new OS release.

Addict for 10 years, but it may be time to get off this drug.

sk8er_tor

Android runtime can be updated separate from the OS. So people may not have to wait for an OS update. Maybe BES should have the ability to simply shut off Android runtime.

Puz_zled

That has been my assumption, up til now, that all this Droid runtime was a sop to consumers , but would be completely sanitized (or sanitize-able) in a BES deployment. Guess not?? Better slam that door shut BlackBerry!

Posted via CB10

w0qj

Err... I thought that Android Apps was running in "sandbox" mode in BB10...

Guess this exploit demo blows away this BB10 Android App "sandbox" myth?

attaturk

Security is BlackBerry's priority so they must fix this issue ASAP. BlackBerry can't afford any loopholes in security as this is one area where they are miles ahead of the competition and BlackBerry should do whatever it can to keep it that way

Posted via CB10

Sith_Apprentice

This is on the same level as the Android vulnerability that allowed apps to intercept encrypted Knox data. This is potentially a huge deal and since it potentially allows Android apps access to encrypted work side data (which is not supposed to be allowed at all), this could easily HALT (perhaps permanently) deployments of BB10 devices. I hope my workaround proves to work (so far in my environment it is), but if it doesn't, BlackBerry needs one ASAP!

Supa_Fly1

"potentially" you mean effectively in the real world CAN and possibly will halt deployments! Especially with the DOD if they allow their users to implement Android apps for sideloading ~ can BES10 associated BB10 devices be restricted entirely from sideloading?!

Sith,

Have you communicated this directly to BlackBerry or to their BES10 team or in the forums in the Enterprise section?

Looking to see you expand this beyond your closed environment and collaborate with other BES10 Admins.

Sith_Apprentice

I have posted in the news and rumors thread about this looking for feedback from other BES admins. I have also been in contact with BlackBerry security.

Posted via CB10

BBZ10wannabe

I was thinking that if users were forced to use 10.2.0 and BES policies restrict putting the device into development mode then yes, sideloading can be restricted.. but I'm just guessing.

royster86

Yes, you can restrict Dev mode on enterprise devices. You can also use the policy "Install Apps From Other Sources", which stops you from installing apps in the personal work space. Since you can't natively install bar files, I'm assuming this is for Android APK installing.

Posted via CB10

Lostonline

Yet another reason to avoid Android software for the plague it is.

CDN BB

johnnyhead

Yes, totally agree on this

Sith_Apprentice

Don't blame this on Android. This is a BlackBerry issue.

Lostonline

I am not blaming Android.

I just do not trust their crap at all.

(think permissions)

CDN BB

Prem WatsApp

Scamdroid, Scamsung, Scroogle ....

Zzzzwiped from a Zedevice....

Prem WatsApp

Have you read their "privacy" policy?

iPhone for me? Scr... ahem Q that! (posted from the latter)

jay64

Agreed - likes not working today?

Sith_Apprentice

The team is working on a fix and it should be done soon. I don't expect this to be open very long, I'm guessing less than 45-60 days (pending carriers) until we start seeing the fix roll out. I will be posting a temporary workaround soon. Best bet, lock down third party installs NOW and the IT policy will be up for admins to test out.

Sith_Apprentice

I have an IT policy put up there I would love others to test. It has been working for me for 10 hours or so now. The contacts have NOT been imported into the Android app. It has been running most of the day, but been relaunched several times.

Makaveli@Beta

Our bes policy has this set to none.

Thought it would be a security risk otherwise.

Seems like a wise choice now.

Posted via CB10

Sith_Apprentice

It has been said it doesn't matter (I have confirmed this in my environment too). Different work space/personal space passwords is best.

curea

Maybe I could use the flaw to export my personal contacts that got sucked into my work space when I migrated to bb10. On bbos, my personal and work contacts were mixed. I'd love to extract them without having to do it manually. If anyone has some ideas please let me know.

Posted via CB10

keefrto

I have noticed that you have no choice but to accept their access requests, I have skype, instagram etc download from 1mobile and unless I delete the apps, they have access to my shared files etc. What If I encrypt, will that help?

Posted via CB10

oystersourced

Wonderful..

I look forward to seeing an update soon, good job Vodafone UK.

Posted via CB10

HitchCB

The only way for BlackBerry to stay in the game is to spend time and money getting developers to build for BlackBerry 10 apps no apk no android half half working apps, built for BlackBerry apps is the way to go.

Posted via CB10 for the BB-Z30

The_Dark_Knight_Forever

+1

Posted with my T-Mobile USA BlackBerry Q10 via CB10.

oystersourced

To get the developers you need a user base and to get a user base you need apps.

It's not quite a vicious circle, but it's some sort of circle :P.

Posted via CB10

sk8er_tor

Microsoft has shown that you only need money.

oystersourced

A strong foothold in personal and business computing helps too ;).

Posted via CB10

Supa_Fly1

Aint no half-stepping about it.

Reduced and highly competitive pricing and BES10 inception/deals bundling BB10 devices = Z1 & Q5's ;)
Catered BES10 support licensing or support pricing for 12/5 or 24/7 support expertise!

BB Adict

We know there is a definite app gap between BlackBerry and the iOS and Android platforms. This is probably what we get for wanting what everyone else has in terms of apps.

Addict for 10 years, but it may be time to get off this drug.

alan510

I know there are fewer apps - thus the app gap - on BlackBerry 10. But having been using Snap and Amazon since the update, I haven't found much that I want or need. Lots of hype but truth be told, I'm not seeing much to miss. I'm sure others may have different views, but that's my experience to date.

Gord Cluthe

Haha, that's been my experience too..

"Yay, look at all the apps.... that are useless and I don't want or need "

Posted via CB10

rbrar03

I have the Snap store and I am still looking what apps I am missing. I got the native ones mostly I use. Twitter, Facebook and Igrann.

Posted via CB10

habdza

Agreed, I am not using Instagram or Netflix or other apps which other users always complain about, but what I missed most were the bank apps and national apps, as I am from a small country in Europe. Now the gap is closed for me.

Posted by my Z10

Hidjk

"But having been using Snap and Amazon since the update, I haven't found much that I want or need. Lots of hype but truth be told, I'm not seeing much to miss."

I could not have said it better myself....

www.livingtruth.ca www.carm.org

Dominick079

This is one of the main reasons I don't install Android applications on my BlackBerry. I'm happy with the selection of applications in BlackBerry World. If I wanted Android applications I would have purchased an Android phone. But I like that they offer this ability for the people that want applications that aren't offered in BlackBerry World.

Sith_Apprentice

You DO have android apps built in, as part of the runtime. Basic OS structure etc. You are vulnerable because android exists on the device.

sk8er_tor

I read somewhere that the Android runtime doesn't actually start until you first use an Android app upon a reboot. But maybe I'm wrong.

Dominick079

Thanks for the info and I didn't know that. What are some of the examples of Android apps that are built in with runtime?

Posted Via AT&T BlackBerry Z10

Dukun

I too would appreciate some elaboration.

Dukun

And I got a bit by reading more comments.

Perfectibilist

Well at least now I know why Verizon hasn't released the update for my Q10. Still Verizon should at least explain the situation to their customers. I'm speculating of course, but what are we left to do when there is only silence from our carrier.

Posted via CB10

Sith_Apprentice

I have cleaned up the IT policy in that post and it is easier to read. Please test it out and report back. Over the next 1, 2, 3 days I would love BES admin feedback. Use the Go Launcher EX application as a sideload to test. This one seems to do well with testing the vulnerability.

BerryRipe

Agreed I try to download only Built For BlackBerry although I'm still on Q10SQN100-2/10.1.0.4699 but I don't plan on downloading any APK's once I install 10.2.1.

Keep The Faith  BlackBerry Q10 

Dylanmichael603

How about working with carriers to get The 10.2.1 update launched...?!

Posted via CB10

Lostonline

It rolled out globally.

You need to have a chat with your carrier and ask WTF!

Take your $ to one that isn't withholding.

CDN BB

Nigelbrown

An important flaw to fix, but you do accept this by installing apps outside of BlackBerry App World.

Glad to see this pro actively taken care of, as I do have a 10.2.1 device on Balance.

Posted via CB10

Sith_Apprentice

This affects Skype which is IN BlackBerry World. It is an issue with at LEAST the runtime, maybe the core OS. I really hope it isn't.

Lostonline

A good reason Android software should be CLEARLY identified in BBWorld.

Let us filter out the crapware, and support those who build for BlackBerry.

CDN BB

loth

Some Android apps don't work over data plan, only on wifi.

Rocking on my Z10

conite

Hopefully it's isolated to the runtime. They have updated that component through bbw before. Would be an easy deployment.

Posted via CB10

jcordova2819

Moral of the story: Don't install android apps. They're like dr jekyll and Mr hyde; unpredictable and totally unreliable.

Posted via CB10

blackberry artichoke

Support Native BlackBerry Apps

Posted via CB10

Berrydro

Still waiting for the os up date! Hurry up TMO usa

Posted via CB10

svein99

I hope BB also find time to update a few other bugs at the same time such as improper scaling of open remember items when phone is rotated to name just one.

Posted via CB10

Makaveli@Beta

I'm curious if some of the people commenting even have their phone on a bes server.

If your phone isn't on a bes this does not apply to you.

Posted via CB10

Bacon Munchers

This is a perfect example of why BlackBerry has not officially announced to the world that bb10 runs Android apps.
Seems to me that there is a 'feeling out' period that BlackBerry is exercising here; no doubt to get things right before the official APK advertising. Smart really, unlike the last CEO, who would have shot his mouth about how great the Android apps run, etc. This would have driven the stock down.
Instead, we are green today!

S_C_B

I'm running 10.2.1, and I'm very anxious to get this runtime fix.

FWIW, I bought a brand new unlocked white z10 last night from a guy on CL for $200. I even got to break the box seal. I'm a happy guy!

Posted via CB10

Lostonline

A little ironic, BB10's first security flaw has to deal with Android.

BlackBerry should never have started that whole porting nonsense.

Support those who develop BlackBerry software.

If we wanted Androids we wouldn't have got BlackBerrys.

CDN BB

Sith_Apprentice

This is not BB10's first security flaw. 10.0.9 and below were able to be jail broken also Flash vulnerability that was patched earlier. Probably others I don't remember off hand.

Posted via CB10

Lostonline

Wouldn't jailbreaking be an end-user choice? Not exactly a security flaw imo.

Now, having Android crap ignoring IT policy and gaining access to contacts it isn't supposed to have access to -that is a major security issue.

Over and above the usual excessive permissions typical of Android data mining...

CDN BB

Kaye_max008

I have realised I wasn't missing any app from android

Posted via CB10

Paul Callahan

Has anyone had experience with 'unlocked' phones? Will all or any carriers allow for these phones to be activated/used on their networks? I don't personally know anyone who has experience with this.. would be nice to know.. (I realize this is off topic). Thanks

~ still waiting for 10.2 update for my Q10 on Tmo

Posted via CB10

ttlub

I have been asking for a couple weeks now what the risks are when an android app is downloaded and never get any answers. This is why, I guess: a lot of people want these android apps and they know how risky they are but don't want to talk about it. Well it's time to pay the piper. I got a BlackBerry not an android.

Posted Via Z10 Smarterphone

ObadaAlZayed

Can anyone explain for me what is happening?
I'm not understanding anything!!
What is BES10?

Posted via CB10

Observation Junkie

You ain't funny any more, go and join some other site

Catapulted from my Z10.

Sith_Apprentice

That was uncalled for. Perhaps the user is being sincere.

Posted via CB10

Puz_zled

That's that user's shtick. On just about every thread he posts, exactly the same comment for the last month or two. Not a sincere request.

Posted via CB10

huungryshark

BlackBerry made a big mistake with android on their devices, I never had virus infections before , restart my phone because of lag etc, battery drain.. Any way to disable android ?

Posted via the Android CrackBerry App (Z10 10.2.1.1925 /1926)

Observation Junkie

100% agree, and crackberry has been pushing these like crazy. But I guess crackberry has to make their money too, being paid to push out these android apps.

Catapulted from my Z10.

Walter Arseneault

Don't fall into NSA Trap.
Free apps don't mean Freedom
Android Apps means NSA Apps.
"Let me spy on you and I will give you Free Apps"
Even native BlackBerry apps like Microsoft's Skype or Facebook, WhatsApp, etc.
Since the Snowden Affair, we discover Microsoft, Apple, Google, and many other American firms work for the NSA...
With your smartphone, you have to be smart...
Don't use Skype. Promote BBM...
John Chen is smart. I hope, he is wise...

Sith_Apprentice

This belief will not help you. BlackBerry has publicly stated they will comply with lawful access orders from world governments. It is best to assume your BlackBerry is no different than other devices when not on BES. Files ON the device may be more secure but anything you send and receive is not.

Posted via CB10

Alphatrion99

They should make it easier to revert back to a previous OS like 10.2 just for this reason.

BlackBerry Z30  on the Rogers network

raymond7

What about fixing the battery life. The battery life of 10.2.0.429 is superior to this 10.2.1

carelessalawi

I have a problem in my camera when I use android apps

Posted via CB10

Prem WatsApp

I want pure QNX / Un*x / Linux goodness, not some scroogled mess built on top of it.
QNX+Cascades+BB10 apps, no bastardized solution.

For purists:
Nuke your Droids and re-flash with Ubuntu Phone OS. Did it with my Nexus 4. A real open-source Linux, not a googlified Android, a data slurping Linux bastard abomination.

See what phones / tablets work (lots!):
https://wiki.ubuntu.com/Touch/Devices

Do it:
https://wiki.ubuntu.com/Touch/Install

Have fun!

(No better solution atm, if you already have an Android, and want to totally unscroogle it. Wish I could flash BB10, guess I'm not the only one)

Zzzzwiped from a Zedevice....

Naeg1995

believe me this will be spread around the world very quickly ….
So many good news for blackberry around us , and almost everything was buried from media ….
Now only this bad one will be spread around in a few days from media …in a very awful way…...
Stay tuned and you will see….

p.s. personally I wipe cleaned my Q10, installed again official OS 10.2.1 and never again droid apps ..
only native from now on ….f@#$ck android
Long live blackberry

huungryshark

Yeah F$#!!K Android!! Unsecure,slow, infected sh.it Apps !!

Posted via the Android CrackBerry App (Z10 10.2.1.1925 /1926)

drewysta

Story of the double edge sword!! I knew that something like this could happen!!

Posted via CB10

Killjoyhere

Has little consequence for me as I use very few android apps and I'm not on bes. I wish Skype would not use my phone gps though.

Posted via CB10

christoph77

That's good stuff to hear!

C0038297E Quote of the Day (BBM Channel)

christoph77

All updates are welcome!

C0038297E Quote of the Day (BBM Channel)

jplantinga

This is probably the reason Vodafone (NL) is still waiting with the 10.2.1 update.

huungryshark

Vodafone Germany rejected 10.2.1 update also. Anyway when BlackBerry Link plugged in there is update available.

When I want back to the old 10.2. without any android runtime, how can I do that? Only leak or?

Posted via the Android CrackBerry App (Z10 10.2.1.1925 /1926)

sianto

BlackBerry did the same thing as Google, didn't they? They made all apps updateable through the app store. So it isn't a big issue!

CB10 from the amazing Z10

spacely_420

please fix the Edit Order option in the music player tho..can't Save ..z30 , 10.2.1.537

durex1985

Super

Posted via CB10