Monday, February 9, 2015

Response - Web Security Analysis Of 12 BlackBerry 10 Applications

First, sorry for my very bad English and for the construction of this post.

I have no bad intentions towards user data. I do not, and never have, stored user passwords in any form, online or offline. I do store a cache for app use (images, logged-in status, tokens, user IDs), OFFLINE only, because it is required and gives a better experience.

In Snap2Chat's very early stages I used my own server without SSL (no HTTPS). After about two weeks Knobtviker (dev of Whine) advised and helped me to just sniff the API and use it directly, and so I did. No more use of 3rd-party servers. (At that time it was very risky.)

I use the Flurry and Smaato SDKs, which BlackBerry advertised as SDKs that BlackBerry developers can use. Unfortunately I didn't know they send over HTTP and not HTTPS. And if BlackBerry doesn't want us to use HTTP, they shouldn't have advertised the Smaato and Flurry SDKs to us.

Smaato advertised by BlackBerry:

The SDK provided by BlackBerry has a parameter for setting the refresh interval; the default is 10 and I set it to 10, so every 10 seconds it connects to the Smaato service. That's why there are a lot of requests in Snap10: Snap10 uses tabs, and every one of those tabs makes its own request every 10 seconds. I have not fixed that yet. But there's nothing bad it's doing there; it doesn't even increase revenue.

I just followed everything they provided: the webcast meeting, the Smaato guys, and the Smaato ad sample that BlackBerry provided on GitHub. And I cannot modify the compiled libraries to force them to use HTTPS, because they are theirs and there's no way to do it. (Same with Flurry Analytics.)

Flurry advertised by BlackBerry:

(NO SSL) - this is my own domain and it's hosted on my own host. (This has been dead for about 6 months now.) It was used by Snap2Chat and FB Messenger for pulling sticker images, and also for my own web service, the ShoutBox in Snap2Chat.

The ShoutBox, I admit, doesn't use SSL or HTTPS and is a very high security risk. That's why I shut it down early. This screenshot by:

I built the ShoutBox so that Snap2Chat users can find more friends. It's a public chat room for all users.

This part of the code is for creating a user in the ShoutBox service. Profiles need some information, and I chose to give them an age, biography, name, gender and username. This is the PLAIN TEXT they're talking about.

EXTENDED PROFILE isn't part of the Snapchat service (Snap2Chat hardcore early adopters know what this is; it is used for the ShoutBox).

- It's owned by Amazon. It's used for storing pictures by some services (not my own services). I am not exactly sure in which app he got this, because none of my apps connect to it.

(not used for sending user data) (NO SSL) - it's owned by Facebook. BlackBerry also provided a Parse SDK. (Used for pulling announcements and app status; not for sending user data.)

(NO SSL) - I am not familiar with it, but I think it's related to Smaato. (Not used for sending user data.)

(NO SSL) - this is my own blog for my apps. Not used for sending or receiving data; it's used for viewing the blog. (Not used for sending user data.)

(NO SSL) - this is owned by Google. (Not used for sending user data.)

(NO SSL) - it's owned by Facebook. I used a Facebook Chat Qt library. (Used for sending and receiving chat messages.) Login for the Messenger app uses HTTPS (SSL) and secure OAuth provided by Facebook.

- it's owned by Google. (Not used for sending user data.) I use this website for translating texts into any language in the Twittly app. Login for the Twittly app uses HTTPS (SSL) and secure OAuth provided by Twitter.

- my own host and domain. (Used for Twitter OAuth; it does not store any username or password, and cannot, which is why OAuth is used, for more security. It just loads up the Twitter login page that Twitter requires it to use.) Twitter requires a separate website link for OAuth. This is why I used this. Most Twitter apps use the same method.
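As an added, constructed example (not code from this post, nor from any of the SDKs or services it mentions): a small Python triage of a captured outbound-request log, checking for the two points raised above, profile fields sent over plain http:// and an ad host polled at a multiple of the 10-second interval because each open tab runs its own refresh. The hostnames, timestamps, parameter names and field values are placeholders I made up.

```python
"""Triage of a captured outbound-traffic log (constructed sample) for:
  1. cleartext http:// requests whose query or form body carries profile fields;
  2. a host polled more than once per refresh interval, which is what you see
     when several tabs each run their own timer on the same ad SDK.
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Field names the post says the ShoutBox profile is built from.
PROFILE_FIELDS = {"age", "biography", "name", "gender", "username"}

# Constructed sample log: "<seconds since capture start> <METHOD> <url> [form-body]".
# Hostnames are placeholders, not the hosts from the report.
SAMPLE_LOG = """\
0 GET http://ads.example-adnetwork.invalid/ad?format=banner
0 GET http://ads.example-adnetwork.invalid/ad?format=banner
0 GET http://ads.example-adnetwork.invalid/ad?format=banner
3 POST http://shoutbox.example-dev.invalid/users age=21&name=Jo&gender=m&username=jo21&biography=hi
10 GET http://ads.example-adnetwork.invalid/ad?format=banner
10 GET http://ads.example-adnetwork.invalid/ad?format=banner
10 GET http://ads.example-adnetwork.invalid/ad?format=banner
12 GET https://api.example-social.invalid/oauth/authorize?client_id=placeholder
20 GET http://ads.example-adnetwork.invalid/ad?format=banner
20 GET http://ads.example-adnetwork.invalid/ad?format=banner
20 GET http://ads.example-adnetwork.invalid/ad?format=banner
"""


def parse_line(line):
    """Split one log line into (seconds, method, url, body); body may be empty."""
    parts = line.split(" ", 3)
    body = parts[3] if len(parts) == 4 else ""
    return int(parts[0]), parts[1], parts[2], body


def cleartext_profile_leaks(log):
    """Return (host, sorted field names) for every http:// request that
    carries profile fields in its query string or form body."""
    leaks = []
    for line in log.splitlines():
        _, _, url, body = parse_line(line)
        u = urlsplit(url)
        if u.scheme != "http":
            continue  # HTTPS requests are not a cleartext exposure
        sent = set(parse_qs(u.query)) | set(parse_qs(body))
        hit = sorted(sent & PROFILE_FIELDS)
        if hit:
            leaks.append((u.hostname, hit))
    return leaks


def polling_rate(log, interval):
    """Requests per host per `interval`-second window over the capture.
    A rate of 1.0 is one poller; 3.0 means three pollers share the interval."""
    by_host = defaultdict(list)
    for line in log.splitlines():
        t, _, url, _ = parse_line(line)
        by_host[urlsplit(url).hostname].append(t)
    rates = {}
    for host, times in by_host.items():
        windows = (max(times) - min(times)) // interval + 1
        rates[host] = len(times) / windows
    return rates


def tab_multiplier(log, interval, host):
    """Estimated number of concurrent pollers behind `host` (e.g. open tabs)."""
    return round(polling_rate(log, interval)[host])
```

For the sample, the only cleartext profile leak is the ShoutBox user-creation POST, and the ad host shows three requests per 10-second window, i.e. three tabs each running the SDK's own timer.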

Permissions used

Camera - to use the camera hardware
Capture Screen - used for saving edited Snaps (painting and caption)
Contacts - used for finding friends from contacts
Device Identifying Information - used for optimizing the UI: to get the display height and width and check which exact device it is
Internet - to use the internet
Location - to use the location service to get the user's location (for Dater, and for FB Messenger for sending a location in chats)
Microphone - required for recording videos
Post Notifications - to post notifications in the Hub
Push - for push notifications
Run as Active Frame - to run as an active frame
Shared Files - to allow the camera to save temporary images in the shared directory

I apologize for the security risks, and I will make patches for them. But I also suggest that BlackBerry not advertise the risky SDKs, so that we devs don't use them.

Also, it's not just my apps that use Flurry and Smaato. BlackBerry advertised them to thousands of devs, and for sure there are more than a thousand apps using these two risky services right now.

I am 100% true and honest that I don't sell, or do anything else with, the user data that's being collected. I am just using the services provided by BlackBerry, and I only just found out they're risky.





  1. I do not think most BlackBerry users nor the security firm that looked at your apps thinks that you are doing bad things. What was highlighted are possibilities that others could use. I appreciate all you do in developing for BlackBerry users and know that you will quickly respond to patch the issues revealed. You produce quality apps and I encourage you to keep up the good work.

  2. Thanks for this Nemory. As a satisfied user of your apps I feel relief with your explanation and I trust that you take the security of our data seriously. I look forward to the release of the patches and hopefully BlackBerry will also do their job.

    A lot of criticism, some of it constructive but mostly destructive unfortunately, will come your way in the next few days for this - I urge you to just state the facts respectfully as you have done here and do not join the bandwagon of insults that is likely to come.

    1. I appreciate it bro. Thank you much

  3. I don't think you are an evil person, and I will still use your apps. You are sure to get lots of feedback over this, but I guess that's part of the game, right?! Responding as you have is a great gesture, and shows that you are willing to work with us :)


  4. Nemory and anyone else who wants to listen,
    I read the report, then read Nemory's reply and studied the facts. Nemory uses existing SDKs in his apps and it's not his fault if something isn't up to a security researcher's standards. He could write everything from scratch I suppose but that's insane.

    I have worked with security researchers in the consulting field before and know how they are. They take a minor issue and speculate on how it can be really really bad and kill us all when really IT'S NOT A BIG DEAL. These researchers like to talk about how things "could happen" and offer no proof and no solutions.
    They hope you will pay them thousands of dollars for them to tell you their opinion. If there was a real problem someone would have actually taken advantage of it and compromised the app. These people are just blowing smoke and trying to make a buck!

    Personally I highly value my privacy and unnecessary connections suck, but Nemory explained what each of them is and how there is no ill intent and I'm OK with that. Talked to the guy before on BBM and he's straight up. No BS.


  15. Hey Oliver!
    First things first.
    1. I think what you have accomplished is great for a one-man-band developer company.
    2. I agree that sometimes we have to rely on third party APIs when trying to get things done.
    3. I do recognize that app developing is a never ending spiral, that comprises many tasks and heavy workload in all app life-cycle stages.

    However, you may consider (and I recommend you to take actions about it)
    1. By being one of the few still-standing developers for BlackBerry, you will be observed for several reasons:
    1.a. you are, on your own, accomplishing what other big-buck companies have not.
    1.b. there are several stakeholders intentionally trying to harm BlackBerry, and trying to influence others into that.
    1.c. you are monetizing some apps that are free on other platforms.
    1.d. there is not a clear process in Nemory to evaluate overall app quality, and also there is no visible process for bug fixes/support.
    2. Enlarge your company's footprint. At some point, especially having published that many apps, you will need help and there is nothing wrong with it. It will only increase your company's reliability and eventually it will pay off.
    3. consider publishing and maintaining a proper NemoryStudios domain, with proper security and a proper communication strategy. There is nothing bad about being a "garage-like" entrepreneurial/startup company; but there is also nothing wrong with having the basics of big corporations associated with your brand.

    Now, what I personally (strongly) request to you by being a customer of Nemory:
    1. Please make sure none of our customer data/metadata/behavior is being used for commercial purposes / profiling / advertising.
    1.a. if you are paying for an app, it is expected that the ads are removed. In-app ads are annoying but understandable when using free versions. Upgraded/plus/paid versions should never display ads. It is not a good practice to monetize from ads when the customer has already paid for the app.
    1.b. please provide warranties to paid customers. If a paid customer receives the same support as a free user, then there is not much sense in paying for an app.
    2. Please enhance the app performance in terms of:
    2.a. Device memory management. Please connect the proper dots to make the app stable, but also reliable. I have experienced app and device hangs because of Nemory apps.
    2.b. Data usage. It is not only the tech reports saying so; my user experience has confirmed that Nemory apps request/send more data than they "should" (benchmarked against other apps).
    2.c. Battery life management. Please, please review all of your code intensively, focusing on saving battery.
    3. Please contribute to BlackBerry by honoring the same principles that have helped the customer base to rely on BlackBerry. Please enforce the security of your apps, please avoid intellectual property rights infringement, please manage a better customer service, please improve!

    An unsatisfied (yet sympathetic) customer.
