Web Security Analysis of (more) BlackBerry 10 Applications


Since creating the first article, I’ve had a barrage of requests for a follow-up. Before I jump into it, I want to mention that following the previous article several developers have made changes to their code, and one developer in particular took the article seriously and dropped everything to adopt new strategies in their apps. The new Inst4gram application may look the same on the outside as Insta10, but after careful testing it has had some critical foundational changes (in a good way), as mentioned in this tweet.

In addition, several other applications mentioned, such as Blaq, have also battened down the hatches on any findings, and several applications are no longer available. So without further ado, let’s run through the list of applications.

TL;DR

Everything is coming through clean in my last batch of tests.

Web Security : BlackBerry 10 Applications

Application          Status
Snap2Chat            No longer available
Snap10               No longer available
Insta10 / Inst4gram  Clean
Blaq                 Clean
Gadget Box           Clean
Neatly               Clean
Snap2Share           Clean
Clipman              Clean
PhotoStudio          Clean
Instant              Clean
SmartList10          Clean
Privacy Suite Pro    Clean

Before We Continue

The developers and people I’ve met with regarding these articles have been truly great to work with, and I’ve had some amazing discussions with people in the community over the last 4 weeks, so a big thank you to anyone who read the articles and provided feedback. This one minor exception aside, the community support has been great.

As a result, I apologize to anyone who finds this worth reading and was dismayed by the delay; this follow-up article has been pushed back far more than I intended, and it will likely be my last on this topic. If anyone wishes to conduct their own analysis, don’t forget to use this article as a starting point, and if your article rocks, let me know so I can link to it.

Updated Fiddler logs!

Updated Items

Now for the apps that have been updated and reported back to me.

Inst4gram / Insta10 – Status:  Clear

  • Logs
  • Connection point on KellyEscape is confirmed not in use
  • Flurry was moved to SSL (Note: This was not a required step per the assessment)
  • Smaato issue with background ad requests is resolved
  • At this time there are no outstanding security items for Inst4gram
  • The application is now marked as clean and is actually functioning better than any Instagram application tested so far.

Blaq – Status: Clear

  • Awaiting package for retest
  • Flurry was moved to SSL (Note: This was not a required step per the assessment)
  • IP 0.0.0.0 connection is resolved

Newly Tested Items

4 Square: Clear

  • Analytics for doubleclick.net, encrypted
  • All other data encrypted

PushBullet: Clear

  • No Analytics
  • All other data encrypted

Snap2Share: Clear

  • Flurry analytics passed unencrypted
  • No other data sent

SmartList10: Clear

  • No Analytics
  • No other data sent

PhotoStudio: Clear

  • No Analytics
  • No other data sent

Privacy Suite Pro: Clear

  • Analytics, encrypted
  • No other data sent

Neatly: Clear

  • Analytics, self-encrypted
  • No other data sent

Instant: Clear

  • No Analytics
  • No other data sent

Gadget Box: Clear

  • Flurry analytics, unencrypted
  • No other data sent

Clipman: Clear

  • No analytics
  • No other data sent

I continued to test another dozen or so applications, including built-in BlackBerry applications and some Android variants. None raised any concerns at this time.
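The findings above fall into three recurring classes: a third-party analytics or ad network (Flurry, Smaato, DoubleClick) talking in the clear, which the assessment does not count against an app; application data of the app’s own talking in the clear, which does; and a stray connection to an address such as 0.0.0.0. The script below is an added example, not the author’s tooling, that applies that grading to a proxy session list. The input layout imitates the first columns of a Fiddler session list exported as tab-separated text (#, Result, Protocol, Host, URL); that layout, the vendor host suffixes and the two sample captures (a “before” and an “after”, in the spirit of the Inst4gram retest) are constructed for the example and are not taken from the article’s logs.

```python
"""Grade a proxy session list the way the article grades an app.

Added example, not the author's tooling.  The column layout, the vendor
host suffixes and both sample captures below are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress

# Third-party analytics / ad networks named in the article.  The host
# suffixes are assumptions used for matching, not taken from the logs.
THIRD_PARTY = {
    "flurry.com": "Flurry",
    "smaato.net": "Smaato",
    "doubleclick.net": "DoubleClick",
}

# Constructed "before" capture: app API over TLS, two vendors in the clear,
# a stray request to 0.0.0.0 and a login sent over plain HTTP.
BEFORE = """\
#\tResult\tProtocol\tHost\tURL
1\t200\tHTTPS\tapi.instagram.com\t/v1/users/self/
2\t200\tHTTP\tdata.flurry.com\t/aap.do
3\t200\tHTTP\tsoma.smaato.net\t/oapi/reqAd.jsp
4\t502\tHTTP\t0.0.0.0\t/
5\t200\tHTTP\tapi.example-app.invalid\t/login?user=alice&pw=hunter2
"""

# Constructed "after" capture: vendors moved to SSL, stray connection gone,
# login over TLS.
AFTER = """\
#\tResult\tProtocol\tHost\tURL
1\t200\tHTTPS\tapi.instagram.com\t/v1/users/self/
2\t200\tHTTPS\tdata.flurry.com\t/aap.do
3\t200\tHTTPS\tsoma.smaato.net\t/oapi/reqAd.jsp
4\t200\tHTTPS\tapi.example-app.invalid\t/login
"""


@dataclass
class Session:
    row: str
    protocol: str  # "HTTP" or "HTTPS" as shown in the Protocol column
    host: str
    url: str


def parse_sessions(text):
    """Parse the tab-separated columns (#, Result, Protocol, Host, URL)."""
    sessions = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # header row
        fields = line.split("\t")
        if len(fields) < 5:
            continue  # malformed export line, skip rather than guess
        row, _result, protocol, host, url = fields[:5]
        sessions.append(Session(row, protocol.strip().upper(),
                                host.strip().lower(), url.strip()))
    return sessions


def vendor_for(host):
    """Name the analytics/ad network a host belongs to, or None."""
    for suffix, name in THIRD_PARTY.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def is_unroutable(host):
    """True for IP literals nothing should be talking to (0.0.0.0, loopback)."""
    try:
        ip = ipaddress.ip_address(host.split(":")[0])  # drop an optional port
    except ValueError:
        return False  # a DNS name, not an IP literal
    return ip.is_unspecified or ip.is_loopback


def analyze(sessions):
    """Return (severity, row, message) triples, one per problem session."""
    findings = []
    for s in sessions:
        if is_unroutable(s.host):
            findings.append(("high", s.row, f"request to unroutable address {s.host}"))
        elif s.protocol != "HTTPS":
            vendor = vendor_for(s.host)
            if vendor:
                findings.append(("low", s.row, f"{vendor} traffic in the clear (not a required fix)"))
            else:
                findings.append(("high", s.row, f"application data in the clear: {s.host}{s.url}"))
    return findings


def verdict(findings):
    """Mirror the article's grading: plaintext analytics alone still rates Clean."""
    return "Needs work" if any(sev == "high" for sev, _, _ in findings) else "Clean"


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        found = analyze(parse_sessions(capture))
        print(f"{label}: {verdict(found)}")
        for sev, row, msg in found:
            print(f"  [{sev}] row {row}: {msg}")
```

Run as-is it grades the constructed “before” capture Needs work (the 0.0.0.0 request and the plaintext login) and the “after” capture Clean, while the two vendor rows in the “before” capture are reported at low severity only, matching the note above that moving Flurry to SSL was not a required step. A real capture would also need the CONNECT tunnel rows Fiddler records for TLS sessions filtered out; they are omitted from the constructed input.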