Attack Surface Analysis of BlackBerry Devices

Mitigation settings (table continued from the previous page)
Call Record Monitoring / Bypassing Caller Verification Systems / Telephony Data Theft / Premium Rate Calls
    IT Policy:               (none listed)
    Application Controls:    "Phone Access" = Not Permitted
    Device Firewall:         (none listed)
    Application Permissions: Connections > Phone = Deny
    Other Device Settings:   (none listed)

Camera
The Pearl 8100 includes a 1.3 megapixel digital still camera. Signed applications can invoke the supplied camera application, but cannot instruct it to take pictures. When the user takes pictures, they are stored in the file system of the phone and can be accessed by applications using the javax.microedition.io.file package discussed previously.

Because previously taken photographs are readable through javax.microedition.io.file, they carry the same risk of data theft as any other data reachable through that package.

Mitigation
You can set the following options to mitigate the scenario outlined above. See Mitigation Strategies for more information.

Camera Data Theft
    IT Policy:               "Disable Camera" = True
    Application Controls:    (none listed)
    Device Firewall:         (none listed)
    Application Permissions: User Data > Files = Deny
    Other Device Settings:   (none listed)

Conclusions
The BlackBerry has been designed from the ground up to be a secure platform. This strict adherence to security has made the platform very popular with governments and corporations worldwide. This document outlined attacks from malicious programs using available APIs (MIDP2, CLDC, RIM). For these attacks to succeed, these malicious programs would need to be specifically installed by a user. If the malicious programs are not signed, limited opportunities exist to exploit the platform, most involving a significant amount of social engineering. However, the burden of buying a code-signing key for $100 would discourage only the most casual attacker. Any entrepreneurial, curious or malicious party could buy a signing key using the means outlined in this document and develop a range of deceptive or malicious software for the BlackBerry handheld device. Without a signing key, all of the attacks require further user judgement and
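The Camera section above recommends "User Data > Files = Deny" as the application permission that closes off photo access through javax.microedition.io.file. The following is an added example, not code from the paper or from RIM, of a read-only test application an administrator can load onto a managed device to confirm that the permission is actually enforced: it attempts to open and enumerate the pictures directory and reports whether the platform refused. Assumptions that the paper does not state: the pictures directory lives at file:///store/home/user/pictures/ (adjust for your firmware), and a denied file permission surfaces as java.lang.SecurityException (BlackBerry's ControlledAccessException extends it). The probe counts directory entries but never records or transmits file names.

```java
// Added example (not from the paper): verifies that the "User Data > Files = Deny"
// application permission blocks javax.microedition.io.file access to camera output.
// Build with the BlackBerry JDE; run once with the permission set to Allow and once
// with Deny and compare the two results in the debugger console.
import java.io.IOException;
import java.util.Enumeration;
import javax.microedition.io.Connector;
import javax.microedition.io.file.FileConnection;
import javax.microedition.io.file.FileSystemRegistry;

public final class FilePermissionProbe {

    // Assumed location of camera output on the device (hypothetical; check your firmware).
    private static final String PICTURES_URL = "file:///store/home/user/pictures/";

    /** Outcome of one probe of the file API. */
    public static final class Result {
        public final boolean blocked;  // true when the platform refused access
        public final int entries;      // directory entries seen (0 when blocked)
        public final String detail;    // human-readable explanation for the console

        Result(boolean blocked, int entries, String detail) {
            this.blocked = blocked;
            this.entries = entries;
            this.detail = detail;
        }
    }

    /** Tries to enumerate the pictures directory; blocked == true means the policy held. */
    public static Result probePicturesDirectory() {
        FileConnection fc = null;
        try {
            fc = (FileConnection) Connector.open(PICTURES_URL, Connector.READ);
            if (!fc.exists()) {
                // The open itself succeeded, so the permission is not enforced even
                // though this particular directory is absent on this handset.
                return new Result(false, 0, "open succeeded, directory absent: permission NOT enforced");
            }
            int count = 0;
            Enumeration names = fc.list();
            while (names.hasMoreElements()) {
                names.nextElement();  // counted only; names are never logged or sent anywhere
                count++;
            }
            return new Result(false, count, "permission NOT enforced: " + count + " entries listed");
        } catch (SecurityException se) {
            // Assumption: a denied Files permission is reported as SecurityException
            // (net.rim.device.api.system.ControlledAccessException extends it).
            return new Result(true, 0, "permission enforced: " + se.getClass().getName());
        } catch (IOException ioe) {
            return new Result(false, 0, "I/O error, inconclusive: " + ioe.getMessage());
        } finally {
            if (fc != null) {
                try { fc.close(); } catch (IOException ignore) { }
            }
        }
    }

    /** Second entry point into the same API; assumed to be gated by the same permission. */
    public static Result probeRoots() {
        try {
            int count = 0;
            Enumeration roots = FileSystemRegistry.listRoots();
            while (roots.hasMoreElements()) {
                roots.nextElement();
                count++;
            }
            return new Result(false, count, "listRoots succeeded: " + count + " roots visible");
        } catch (SecurityException se) {
            return new Result(true, 0, "listRoots blocked: " + se.getClass().getName());
        }
    }

    // BlackBerry CLDC applications start at main(); output goes to the debugger console.
    public static void main(String[] args) {
        Result dir = probePicturesDirectory();
        Result roots = probeRoots();
        System.out.println("pictures directory: " + dir.detail);
        System.out.println("file system roots:  " + roots.detail);
        boolean policyHeld = dir.blocked && roots.blocked;
        System.out.println(policyHeld ? "RESULT: Files = Deny is enforced"
                                      : "RESULT: file API reachable, review the permission");
    }
}
```

Running the probe under both settings gives a direct before-and-after check of the mitigation rather than trusting the policy display: with the permission at Deny, both methods should return blocked == true; any other combination means the handset's policy or the application's permission prompt has left the file API reachable.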