One of the main reasons BlackBerry users love their smartphones is the added security and peace of mind they provide. New research that surfaced today suggests that even though BlackBerry is the most secure OS, some third-party apps may still pose security risks for the end user.

[Disclaimer: we are not an information security website. When it comes to topics we don’t fully cover/comprehend, we defer to research done by others, and report their findings.]
A security research report submitted by Lloyd Summers from FileArchiveHaven.com (FAH) took 12 of the most popular social BlackBerry 10 apps and broke them down by their potential security risk to the end user. Unfortunately, some of them failed those tests and analysis.
In FAH’s analysis, Snap10, a third-party Snapchat client made by NemOry Studios, was considered an app with compromised security.
“In testing, it connected to Snapchat 2x for every ~340x internet connections it made meaning it has the potential to use up-to 300 times the bandwidth compared to the official Snapchat application. It connected to a dozen websites in addition to the Snapchat website, and requested a total of 10 permissions. The application submitted hundreds of hidden advertisement requests to Smaato but did not show them to the user. More importantly, it is submitting user data including name, gender, age etc. in plain text over the internet to a hidden Nemory Studios website.”
We spoke to Nemory prior to writing this post, and he claims the only data that is collected from users is “user data when they’re required to submit it.” He also does not store any passwords from any user’s login. This was corroborated by the FAH report.
Nemory has stated he will change some parts of each of his apps that the FAH report found a bit fishy:
“Finally it then submits private user data in plain text over regular HTTP to a website called http://kellyescape.com. The application queries Kelly Escape many times and plain text data means your personal information is fully viewable by anyone else on the same network as you and anyone between KellyEscape.com and you.”
According to Nemory, he “will remove Kellyescape.com because […] the domain is dead.” He will also “change any http that needs to be https [sic].”
These changes will not only have to take place on Snap10, but also a couple of other apps. Two other NemOry Studios apps, Insta10 and Twittly, were graded as having a high risk of security breaches for the end user as well.
About Twittly the report states:
“For the most part the application is submitting analytics and downloading unusual data from Google translate. It is also looping links through either a hacked website, or someone else’s website, using PHP files stored on http://waterworldjax.com – this is a major security risk from hijacking. Because all the data is submitted over HTTP in plain text, it is high risk for someone to steal the information. The bounce URL is suspicious enough to move this from medium to high risk.”
Other apps that were tested, like Blaq, iGrann, and even Foursquare, were shown to have a very low risk of any security issues for the end user. [Check out the full report in the source link for more]
At the end of the day, if this report can teach all of us something, it is that we should always check and look into the apps we love to use. Sure, being on a BlackBerry device brings added confidence in what we’re using, but we should always be mindful of what permissions are requested, and what information we’re giving up to use them.
We’re expecting NemOry to release updates to his current apps to address these issues. As always, use any app at your own discretion.
Updated: Nemory’s official response has been posted to his personal blog and can be read here.