BlackBerry Java Development Environment - Fundamentals Guide, Specifications, Page 14

Attack Surface Analysis of BlackBerry Devices
Legend:
F: Firewall A: Application Control/Permissions I: IT Policy O: Other Device Settings
All but one of the attacks (JAD Spoofing) outlined in this section require malicious code to be present on the
device. The only way for malicious code to get onto the device is through user interaction. User interaction
is also required in order to authorise the malicious code to perform sensitive actions. These facts highlight
the need for user education around safe computing practices when using all forms of computing including
mobile devices.
JAD Files
JADs (Java Application Descriptors) are plain text files that describe the attributes of a Java application, such as its vendor, description, and size. A .jad file also provides the URL where the application can be downloaded, and for this reason it is used as a standard way to provide Over The Air (OTA) installation of Java applications on J2ME mobile devices.

When a BlackBerry user opens a .jad file, they are presented with the application details, and can decide whether or not to download and install it. However, by using a specially crafted .jad file, spoofed information can be introduced into the display to make the application appear signed [18] (in the context of MIDP signing [23], not BlackBerry Signing) (Figure 7). Note that the attacker does not have complete control of the display (for example there is a duplicate "Vendor" entry which was necessary to align the text correctly).

This problem is not unique to BlackBerry devices; Symantec have previously found a number of JAD parsers on other mobile devices which
Table: Attack surface matrix. Columns (attack types): Spoofing, Data Interception/Access, Data Theft, Backdoor, Service Abuse, Availability, Network Access, Wormable. Each cell names the controls from the legend above that apply; the entries below are listed left to right as they appear in the row, with empty cells omitted.

Sub-System    Applicable controls per attack type
JAD Files     AI
File System   AO
SMS           FAI, FAI, FAI, FAI
Bluetooth     FAIO, FAIO
Email         FAI, FAI, FAI
PIM           A, A
TCP/IP        FAI, FAI
HTTP          FAI, FAI, FAI
Telephony     A, A, A
Figure 7: A .jad file with spoofed information
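The JAD spoofing described above relies on a descriptor that repeats attributes to control how the details screen lays out. As an added example, not code from the Symantec paper or from RIM, the following Python parser reads a .jad strictly, keeps only the first value of each attribute and reports duplicates, malformed lines, control characters and missing required attributes; the MIDlet-* names are the standard MIDP descriptor attributes and the sample descriptor is constructed.

```python
import re
from typing import Dict, List, Tuple

# Attributes MIDP requires in every descriptor (standard MIDP attribute names).
REQUIRED = ("MIDlet-Name", "MIDlet-Version", "MIDlet-Vendor",
            "MIDlet-Jar-URL", "MIDlet-Jar-Size")
# One attribute per line: "Key: value"; the key may not contain ':' so the
# first colon always separates key from value (URLs keep their own colons).
ATTR_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)\s*:\s*(.*)$")


def parse_jad(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse a .jad strictly and return (attributes, warnings).

    Warnings cover what a defensive installer should refuse to render
    blindly: duplicated keys (the pattern behind the spoofed display),
    lines that are not attributes, control characters inside values, and
    missing or malformed required attributes."""
    attrs: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = ATTR_LINE.match(raw)
        if not m:
            warnings.append(f"line {lineno}: not an attribute line")
            continue
        key, value = m.group(1), m.group(2)
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            warnings.append(f"line {lineno}: control character in {key!r}")
        if key in attrs:
            warnings.append(f"line {lineno}: duplicate attribute {key!r}")
            continue  # first value wins; a later copy never overrides it
        attrs[key] = value
    for k in REQUIRED:
        if k not in attrs:
            warnings.append(f"missing required attribute {k!r}")
    size = attrs.get("MIDlet-Jar-Size", "")
    if size and not size.isdigit():
        warnings.append("MIDlet-Jar-Size is not a decimal integer")
    return attrs, warnings


# Constructed sample descriptor (not a real application) that repeats
# MIDlet-Vendor, the duplicated "Vendor" entry the text above mentions.
SAMPLE_JAD = """\
MIDlet-Name: Example App
MIDlet-Version: 1.0.0
MIDlet-Vendor: Example Vendor
MIDlet-Description: Constructed sample descriptor
MIDlet-Jar-URL: http://example.invalid/app.jar
MIDlet-Jar-Size: 12345
MIDlet-Vendor: Example Vendor
"""

if __name__ == "__main__":
    attributes, problems = parse_jad(SAMPLE_JAD)
    print("Vendor shown to user:", attributes["MIDlet-Vendor"])
    for p in problems:
        print("WARNING:", p)
```

A device-side installer built this way would refuse or flag the descriptor instead of rendering both Vendor lines, which removes the layout control the spoof depends on.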