Now that BlackBerry 10.2.1 has hit public release, many consumers have been downloading and loving the latest release, which allows them to install APK files directly. For those running BES10, though, there have been some concerns surrounding the release, in part due to the findings of Frank Büttner from ABS Team GmbH. As posted on Heise, Büttner has discovered that some Android apps, when installed on BlackBerry 10.2.1, have access to the names and numbers of his contacts despite a policy being in place that should not allow this to happen.
Within a BES10 environment, you have the option to allow personal apps access to work contacts through a policy which offers three options: All, Only BlackBerry Apps, or None. This rule specifies whether personal apps can access required data for work contacts on a BlackBerry device. If you set this rule to All, all personal apps can access required data for work contacts. If you set this rule to Only BlackBerry Apps, some apps developed by BlackBerry (Phone, BBM, Text Messages, Smart Tags, visual voice mail, and voice dialing) can access required data for work contacts. If you set this rule to None, personal apps cannot access data for work contacts.
The problem is that the policy doesn't appear to be enforced on some Android apps, such as Skype and Go Launcher EX, no matter what it is set to. That's an issue, especially when you consider that BlackBerry does not allow Android apps in the secure environment for security reasons and only native BlackBerry apps are allowed to run from there. The situation gets even trickier because some folks can replicate it while others cannot.
Keep in mind that this doesn't affect you if you're not on BES. BlackBerry is already fully aware of the issue and has noted it will be addressed in an upcoming update if it can't be addressed by some other method in the meantime. Of course, with that comes the wait time for carrier approvals as well, so there's no direct timeframe that can be placed on it. If you're looking for some further discussion on it, our own Sith Apprentice has been doing some testing of his own in the CrackBerry Forums and has some great further info on it.
We'll keep following the news surrounding it and update if necessary. As of right now, the BlackBerry Security Incident Response Team has not posted any advisories for it under their Vulnerability Disclosure Policy.