Blackberry JAVA DEVELOPMENT ENVIRONMENT - - FUNDAMENTALS GUIDE Documentation Page 15

Attack Surface Analysis of BlackBerry Devices
exhibit similar behavior. [18]

Typically, however, the screen which presents the contents of the .jad file is only one of a number of checks which are performed. When the user then executes the code, the signature of the JAR (Java ARchive), in the case of non-BlackBerry devices, is still checked and the user warned if it is not signed. In addition, the application will still be constrained by the security constraints outlined in the J2ME (MIDP2) [6] and CLDC [7] specifications, and subject to any additional controls imposed using Application Permissions or an IT Policy. A .jad file is generally presented to the user as a hyperlink in an email, SMS or MMS. If a user chooses to open this hyperlink, the .jad file is downloaded and the user is presented with a prompt as described above.
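The paragraph above makes a distinction worth seeing in code: the name and vendor a user reads in the install prompt come straight from free-text attributes of the .jad file, while the only thing the device can actually verify is the JAR signature. The following descriptor triage tool is an added example written for this page, not code from the whitepaper or from RIM. It is plain Java SE (not a MIDlet) and assumes only the MIDP 2.0 descriptor attribute names (MIDlet-Name, MIDlet-Vendor, MIDlet-Jar-URL, MIDlet-Jar-RSA-SHA1, MIDlet-Certificate-1-1); the sample descriptor and the host names in it are constructed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not from the whitepaper: look at a .jad descriptor the way a
// defender would before trusting what the install prompt is going to display.
public final class JadTriage {

    // A JAD is a list of "Attribute-Name: value" lines (MIDP 2.0 descriptor format).
    static Map<String, String> parse(String jad) throws IOException {
        Map<String, String> attrs = new LinkedHashMap<String, String>();
        BufferedReader reader = new BufferedReader(new StringReader(jad));
        String line;
        while ((line = reader.readLine()) != null) {
            int colon = line.indexOf(':');
            if (colon <= 0) {
                continue; // blank or malformed line, nothing to record
            }
            attrs.put(line.substring(0, colon).trim(), line.substring(colon + 1).trim());
        }
        return attrs;
    }

    // Findings for a reviewer: the prompt text is whatever the descriptor's author
    // typed; only a JAR signature (when present) is something the device verifies.
    static List<String> findings(Map<String, String> attrs, String jadHost) {
        List<String> out = new ArrayList<String>();
        out.add("Prompt will show name='" + attrs.get("MIDlet-Name")
                + "' vendor='" + attrs.get("MIDlet-Vendor") + "' (free text, not verified)");

        // MIDP 2.0 signed descriptors carry the JAR's RSA-SHA1 signature and the
        // signer certificate chain as descriptor attributes.
        boolean signed = attrs.containsKey("MIDlet-Jar-RSA-SHA1")
                && attrs.containsKey("MIDlet-Certificate-1-1");
        out.add(signed
                ? "JAR carries a MIDP 2.0 signature; the device verifies it on install"
                : "UNSIGNED: no MIDlet-Jar-RSA-SHA1 / MIDlet-Certificate-1-1; user will be warned");

        // The JAR may be fetched from a host other than the one that served the JAD.
        String jarUrl = attrs.get("MIDlet-Jar-URL");
        if (jarUrl != null) {
            try {
                String jarHost = URI.create(jarUrl).getHost();
                if (jarHost != null && !jarHost.equalsIgnoreCase(jadHost)) {
                    out.add("JAR is fetched from a different host than the JAD: " + jarHost);
                }
            } catch (IllegalArgumentException e) {
                out.add("MIDlet-Jar-URL is not a parseable URL: " + jarUrl);
            }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample descriptor: a plausible-looking name and vendor,
        // no signature attributes, and a JAR hosted somewhere else.
        String sample = "MIDlet-Name: Corporate Mail\n"
                + "MIDlet-Vendor: Example Corp\n"
                + "MIDlet-Version: 1.0.0\n"
                + "MIDlet-Jar-URL: http://cdn.example.net/mail.jar\n"
                + "MIDlet-Jar-Size: 40960\n"
                + "MicroEdition-Profile: MIDP-2.0\n"
                + "MicroEdition-Configuration: CLDC-1.1\n";
        for (String finding : findings(parse(sample), "mail.example.com")) {
            System.out.println(finding);
        }
    }
}
```

Run against the constructed sample, the tool reports the unverified prompt text, the absence of signature attributes, and the mismatched JAR host; the same three checks are what an administrator would apply to any descriptor link that arrives by email, SMS or MMS before deciding whether the mitigations listed below are sufficient.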
Mitigation
You can set the following options to mitigate the attack outlined above. See Mitigation Strategies for more information.

JAD Spoofing
    IT Policy "Disallow Third Party Application Download" = True
    Application Controls "External Domains" = [list of allowed domains]
    or "External Network Connections" = Not Permitted
    Device Firewall Status = Enabled
    Application Permissions Connections > Carrier Internet = Deny

File System
The BlackBerry Pearl 8100 has seen the addition of a file system API, which older models did not feature. Instead, these models (and the Pearl 8100) can make use of what is known as "Persistent Storage". This allows applications to save state and user data between runs, but they cannot generally access or modify data belonging to the operating system.

Persistent Storage
Two kinds of Persistent Storage are available:

(MIDP) Record Stores
    - Platform independent
    - Can be used by unsigned applications
    - Basic storage: a string of bytes
    - Data is only accessible by the application that created it
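The Record Store properties listed above (a plain byte string, private to the creating application, usable without a signature) are easiest to see in a small piece of MIDP code. The class below is an added example for this page, not code from the whitepaper or from RIM; it uses only the MIDP 2.0 javax.microedition.rms API, and the store name is a constructed placeholder. It is written for CLDC-era Java, so it avoids generics and other later language features.

```java
import javax.microedition.rms.RecordStore;
import javax.microedition.rms.RecordStoreException;

// Added example (not from the whitepaper): one record of application state kept
// in a MIDP Record Store, scoped to the MIDlet suite that created it.
public final class PrivateStore {
    // Record store names are private to the owning suite; this name is a constructed example.
    private static final String STORE_NAME = "session-state";
    // The first record added to a fresh store receives id 1.
    private static final int RECORD_ID = 1;

    // Persist one byte string, overwriting whatever was saved before.
    public static void save(byte[] data) throws RecordStoreException {
        // AUTHMODE_PRIVATE (the MIDP 2.0 default) keeps the store invisible to every
        // other MIDlet suite on the device. AUTHMODE_ANY would let any suite open it
        // (read-only, or read-write if the last argument is true), so it is the mode
        // to avoid for anything sensitive.
        RecordStore rs = RecordStore.openRecordStore(
                STORE_NAME, true, RecordStore.AUTHMODE_PRIVATE, false);
        try {
            if (rs.getNumRecords() == 0) {
                rs.addRecord(data, 0, data.length);
            } else {
                rs.setRecord(RECORD_ID, data, 0, data.length);
            }
        } finally {
            rs.closeRecordStore();
        }
    }

    // Read the stored byte string back, or null if nothing has been saved yet.
    public static byte[] load() throws RecordStoreException {
        RecordStore rs = RecordStore.openRecordStore(STORE_NAME, true);
        try {
            if (rs.getNumRecords() == 0) {
                return null;
            }
            return rs.getRecord(RECORD_ID);
        } finally {
            rs.closeRecordStore();
        }
    }

    // Remove the store entirely, e.g. on logout. Only the owning suite can do this.
    public static void wipe() throws RecordStoreException {
        RecordStore.deleteRecordStore(STORE_NAME);
    }
}
```

Because the store is only a string of bytes, anything structured has to be serialised by the application itself, and nothing in RMS encrypts the bytes at rest; the "private" in AUTHMODE_PRIVATE is an access-control boundary between MIDlet suites, enforced by the platform, not a confidentiality guarantee against someone with the device's backup or memory.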