As BlackBerry users, we've become accustomed to a certain level of comfort when it comes to installing apps and not worrying about what's going on behind the scenes security wise. The BlackBerry 10 OS allows us to adjust permissions on native apps on the fly, and if we see something happening we don't like, we can usually shut it down or disable it.
But at the same time, that comfort in security can often have bad results, as well as we're likely to think just a little bit less about what's going on deep within some of the apps we install. A new report coming from Lloyd Summers over at File Archive Haven is a stark reminder to not forget about these things.
File Archive Haven has put together a test of 12 applications in an effort to dig deeper into web security for those apps and while some popular apps came out unscathed, some weren't so lucky and showed plenty of room for improvement in the security area.
After testing, the listing broke the 12 apps down in order of risk with some of the popular favorites being at the top.
- Snap2Chat (no longer available) Risk: Compromised
- Snap10 Risk: Compromised
- Insta10 (only available through Beta Zone) Risk: High
- Twittly Risk: High
- Facebook Messenger Lite Risk: Low
- Igrann Risk: Low
- Blaq Risk: Low
- Four Square Risk: Low
- Hub Browser Risk: Clean
- Work Wide Risk: Clean
- BlackBullet Risk: Clean
- Meetup for BlackBerry 10 Risk: Clean
As you can see from the list, some popular apps got dinged pretty hard, and others made it through just fine with no worries. The apps of interest are obviously the 'Compromised' and 'High-Risk' apps, so here's what was said about those summarized.
Snap2Chat and Snap10: This application is an extremely high-risk application with potential remote execution scripts embedded per the developers statements online. In testing, it connected to Snapchat 2x for every ~340x internet connections it made meaning it has the potential to use up-to 300 times the bandwidth compared to the official Snapchat application. It connected to a dozen websites in addition to the Snapchat website, and requested a total of 10 permissions. The application submitted hundreds of hidden advertisement requests to Smaato but did not show them to the user. More importantly, it is submitting user data including name, gender, age etc. in plain text over the internet to a hidden Nemory Studios website.
Insta10 - Summary: Due to the unknown nature of the access to the Amazon AWS cloud server found while using Insta10, the series of hidden Smaato requests it made and the fact it bypassed important hooks for official Instagram API support, it is likely accounts could be banned using this application to connect to Instagram (which is also mentioned by users in the reviews as becoming an issue). Additionally, because web services have been created on KellyEscape.com, this is raised to a high-risk as it is likely it will follow the same framework as Snap10 for collecting personal data over unencrypted data channels.
Twittly - Summary: For the most part the application is submitting analytics and downloading unusual data from Google translate. It is also looping links through either a hacked website, or someone else's website, using PHP files stored on http://waterworldjax.com – this is a major security risk from hijacking. Because all the data is submitted over HTTP in plain text, it is high risk for someone to steal the information. The bounce URL is suspicious enough to move this from medium to high risk.
Notably, all the apps of concern come from Nemory Studios. With that being the case, Nemory has now responded to the concerns on his own blog and has broken down each point for folks such as yourself who might be reading the report and be concerned over any of the apps you're using. Perhaps, most importantly he has noted updates will be made to the apps when and where they're applicable to increase / improve security.
Additionally, the folks from File Archive Haven have noted the interest in obtaining the logs so as to better understand how all this information was compiled and as such have noted those logs and a follow-up article will be coming tomorrow. Needless to say, this isn't going to the be the last we'll hear of it and that's a good thing.
I fully encourage everyone to read the full article and read Nemory's replies as to the concerns as well and remember this situation when you install each and every app because everyone should be considering what permissions are being requested, what info is being requested and what you're giving up to have access to such services. Want to discuss it some more? If so, head to the CrackBerry Forums where there's plenty of discussion on the matter.