Monday, February 9, 2015

Response - Web Security Analysis Of 12 BlackBerry 10 Applications

First sorry for my very bad english and construction of this post.

I have no bad intentions to user data. I don’t and never store user passwords in any form online or offline. I do store cache for app use like images, logged in status, tokens, user ids (OFFLINE) because required and for better experience.

Snap2Chat in it’s very early stages, I used my own server http://kellyescape.com without SSL / no https. After like 2 weeks Knobtviker (Dev of Whine) advised/helped me to just sniff the API and use it directly and so I did. No more using 3rd party servers. (This time it is very risky).


I use Flurry and Smaato SDKs as advertised by BlackBerry that BlackBerry Developers can use. Unfortunately I didn’t know they send http and not https. And if BlackBerry doesn’t want us to use http, they shouldn’t advertised to us Smaato and Flurry SDKS.

Smaato advertised by BlackBerry:

The SDK provided by BlackBerry has a parameter that we can set an interval , the default is 10 and I set it to 10. so it’s every 10 seconds it connects to the Smaato Service. in Snap10 that's why there are a lot of requests because Snap10 uses tabs, and all those tabs request each every 10 seconds. I have not fixed that yet. But there's nothing bad it's doing there, it doesn't even increase revenue.

I just followed everything they provided, from the WebCast Meeting, The Smaato Guys, The Smaato Ad Sample BlackBerry Provided in GitHub. And I cannot modify the Compiled Libraries to forcely use HTTPS because it's their own and there's no way. (same with Flurry Analytics)

Flurry advertised by BlackBerry: 

http://kellyescape.com (NO SSL) - this is my own domain and it’s hosted on my own host. (this has been dead for like 6 months now) this was used for Snap2Chat and for FB Messenger for pulling Stiker Images, also used for my own web service the ShoutBox in Snap2Chat.

The ShoutBox I admit doesn’t use SSL or https and is very high risk of security. And that’s why I shut it down early. This screenshot by : http://www.filearchivehaven.com/2015/02/09/web-security-analysis-of-12-blackberry-10-applications/

I built ShoutBox so that Snap2Chat users can find more friends. It's a public chat room for all users.

this part of the code is for creating a user in ShoutBox service. Profiles need some information and I chose to give it a age, biography, name, gender, username.  This is the PLAIN TEXT they’re talking about. 

EXTENDED PROFILE isn’t part of SnapChat Service (Snap2Chat Hardcore Early Adopters knows what this is. used for the ShoutBox)



https://cloudfront.net - It’s owned by Amazon. It’s used for storing pictures by some services (not my own services). I am not exactly sure in what app he got this because none of my apps connect  (not used for sending user data)

http://parse.com (NO SSL) - it’s owned by Facebook. Also BlackBerry provided a Parse SDK. (used for pulling announcements, app status (not sending user data))

http://blogblog.com (NO SSL) - I am not familiar, but I think it’s related to smaato (not used for sending user data)

http://nemorystudios.blogspot.com (NO SSL) - this is my own blog for my apps. Not used for sending or receiving data. It’s used for viewing the blog. (not used for sending user data)

http://ih6.googleusercontent.com (NO SSL) - this is owned by Google.  (not used for sending user data)

http://chat.facebook.com (NO SSL) - it’s owned by Facebook. I used a Facebook Chat QT Library. (used for sending and receiving chat messages) login for Messenger app uses https SSL and Secure OAuth provided by Facebook

http://translate.google.com - it’s owned by Google. (not used for sending user data) I use this website for translating texts to any language in the Twittly App. login for Twittly app uses https SSL and Secure OAuth provided by Twitter

http://waterworldjax.com - my own host and domain - (used for twitter oAuth (does not store any username or password and not possible that’s why there’s oauth for more security, just loads up the twitter login page required by twitter that it should use)) Twitter requires a separate website link for OAuth. This is why I used this. Most twitter apps uses the same method.

Permissions used

Camera - To use Camera Hardware
Capture Screen - used for saving edited Snaps Painting and Caption
Contacts - used for finding friends from contacts
Device Identifying Information - used for optimizing the UI to get Display Height and Width check what exact device
Internet - Use the internet
Location - To use location service to get location of the user (for Dater, FB Messenger for sending location in chats)
Microphone- required for recording videos
Post Notifications - to post noficiations in the hub
Push - for Push Notifications
Run as Active Frame- to run in active frame
Shared Files - to allow the camera to save temporary images i the shared directory

I apologize for the security risks. And I will do patches for them. But I also suggest BlackBerry not to advertise the risky SDKs so that we devs don't use them.

Also it's not just my apps that uses Flurry and Smaato. BlackBerry advertised it to thousands of devs and for sure there are more than a thousand of apps uses the 2 risky services right now.

I am 100% True and Honest that I don't sell or whatever the user data that's being collected. I am just using the services provided by BlackBerry and I just knew they're risky.

IF EVER BLACKBERRY WANTS A 100% FULL PROOF I AM 100% OKAY TO PROVIDE SOURCE CODES AND ALL THE INFORMATION NEEDED. EVEN DECOMPILING ALL VERSIONS

I AM CONFIDENT THAT I AM NOT DOING ANY BAD THINGS AT ALL AND NEVER.

THANK YOU ALL