BlackBerry 10.2.1 recently began rolling out to users worldwide. The Android runtime, which allows you to install Android APKs directly, looks to have a security flaw.
Frank Büttner from the ABS Team GmbH has found that, even with a BES policy in place to block access to his business contacts, his installed Android apps such as Skype and Go Launcher EX were able to pull his BES contacts.
You can toggle the availability of this information with the “Personal Apps Access to Work Contacts” policy. There are three options for allowing apps access to your BES contact info: All, Only BlackBerry Apps, or None.
However, as Büttner found, no matter which policy option is set, the Android apps still have access to the work contacts. This is interesting in itself, as only native apps, not Android apps, are allowed on the work side of BlackBerry 10.
BlackBerry is now aware of the security flaw and has issued the following official statement to us:
“We have investigated an issue in the Android player involving specific app permissions, which will be addressed in a forthcoming software update.”
BlackBerry will be at the mercy of the carriers to swiftly roll out an update. If you’re running Android apps that gain access to your contacts, beware.