Blackberry JAVA DEVELOPMENT ENVIRONMENT - - FUNDAMENTALS GUIDE Specifiche Scaricare il pdf (Pagina 25)

Attack Surface Analysis of BlackBerry Devices

Data Theft

A malicious signed application could read all the PIM data (including that mentioned in the table above) and

send it to an attacker using the variety of transport mechanisms outlined in this document.

Loss of data availability and integrity

A malicious signed application could compromise the availability and integrity of the data stored in the PIM

database.

For example it could:

• Change the number associated with a contact name.

• Change the name associated with a phone number.

• Delete a Contact, Event, or To-Do task.

• Change the timing of a scheduled event (for example a meeting of conference call).

• Change the email address associated with a contact.

• Read in all the contact names and numbers, and randomly swap them.

Mitigation

You can set the following options to mitigate the attacks outlined above. See Mitigation Strategies for more

information.

Data Theft / Loss of data availability and integrity

TCP/IP Connections

Unsigned and signed applications can open TCP connections on the BlackBerry. If the application is not

signed, the user is prompted with an "Allow Network Connection" dialog box when the application is first

run (Figure 12). BlackBerrys can make connections to both the broader Internet, and within the corporate

LAN, via Mobile Data Service (MDS). MDS acts as a proxy for data from authenticated BlackBerrys sitting

outside the corporate LAN to services inside the LAN such as Web servers and databases. When writing the

code to open a socket, the parameter

deviceside=false tells the BlackBerry to establish the connection via

the Mobile Data Service, instead of a direct connection. TCP server sockets can also be created, however the

BlackBerry is unlikely to have a publicly routable IP address, which would be necessary for a third party to

establish a connection to it from the broader internet. However it is not unreasonable to expect that an

IT Policy

Application Controls "PIM Data Access" = Not Permitted

Device Firewall

Application Permissions User Data > PIM = Deny

Other Device Settings

1 2 ... 20 21 22 23 24 25 26 27 28 29 30 ... 38 39

Nessun commento

Blackberry JAVA DEVELOPMENT ENVIRONMENT - - FUNDAMENTALS GUIDE Specifiche Pagina 25