Just say no! BlackBerry + Facebook = Security FAIL

Point 1:

I’m not the biggest fan of any RIM device, though I do utilize one for my job.

Point 2:

I support the development of applications for mobile devices.  Applications are key to driving the adoption and growth of many of the new “smart” (and I use that term loosely) phones on the market.

Point 3:

Applications, regardless of what platform they are developed for, should all be done securely and efficiently.  And in that order.

What the heck does all this have to do with the BlackBerry and Facebook????

Here: http://www.spylogic.net/2010/02/facebook-spam-on-blackberry-devices/

Thanks to the guys that really spend a lot of time reviewing social media stuff (specially Tom Eston and Kevin Johnson), they have noted that specifically crafted SPAM messages will show up as a Facebook notification in your Facebook for Blackberry application.

What makes this troublesome from an information protection standpoint is that, the Facebook application is actively scanning your email inbox.  In the case of many, many Blackberry users, this is not your personal email, but your corporate email.  Of the 13,934,752 monthly active users (according to facebook.com) I’m sure you all read the EULA when you installed the app right?  That’s another post…

To be fair, this is how the application is presented to the end user: “Facebook for BlackBerry smartphones allows BlackBerry smartphone users to connect their friends’ profile pictures, Facebook names, and company names to existing BlackBerry smartphone contacts in the Contacts application. Facebook for BlackBerry smartphones updates the caller ID pictures of your synchronized friends with their latest profile pictures.”

So in order to do this, you have full access to contact names.  So if you’re on a corporate BES, the information contained therein is your corporate email directory?  Uh, yeah.  So corporate BlackBerry users with the Facebook app are willingly providing a valid contact list for their entire company.  My understanding of SPAM and capitalism is that this is quite valuable information and can be sold to email distribution list providers quite readily.  Can someone please point me to the data management policy that protects this information from disclosure?  I’d be ecstatic if it existed.

To all the BlackBerry users:

Rather than send out 14,000,000 apologizes, I put it out there now.  Sorry.  But if you have this app installed on your BlackBerry.  Uninstall it.  NOW! Do not finish reading this post, uninstall the app and come back to finish the post.

To RIM:

I trust (which is always a bad thing) when you provide a singed application that you have performed a review of how the application performs on your device and that it doesn’t do anything we don’t expect.  Like skim our emails and contact information.  Much like an application requests permission to utilize your GPS coordinates (which is another bad thing) why would you not have the same request when an application wants access to your personal information and email?

Let me check here… Options – Security Options – Application Permissions -….  hmmm I’m sure the app is on here, let me look again…

Options – Security Options – Application Permissions -… nothing.  So, when I install Facebook for BlackBerry devices, it doesn’t ask me for any permissions?  NONE?!?  FAIL!

But wait, during the setup there is an option to “allow” access to your messages, calendar, and contacts.  First, the statement that it will send a copy of your contacts to the FaceBook site should be alarming enough.  But worse yet, it seems that turning all these off during the setup did not affect a SPAM’ers ability to inject a properly crafted email.  I infer from this that it still reads emails from your message list.  So can I expect it will also send contacts even if I ask it not to?

To all BES admins (you know who you are):  (updated May2010)

It appears that RIM may be slightly ad odds with the application developers here.  In the 5.0 release of BES, the settings that allow an end user to do this are set to FASLE by default.  Which is what I would expect those settings to be. It is my hope at this point that you are running BES 5.0.  If so, please make certain the IT policy Disable Organizer Data Access for Social Networking Applications is used.  I also understand that this is backwards compatible to BES 4.x installs, so everyone has the opportunity to enable this policy.

Advertisements

5 thoughts on “Just say no! BlackBerry + Facebook = Security FAIL

  1. Pingback: Faux Facebook emails use password reset ploy – SC Magazine US « Noodle On This – Security, Technology, and a smattering of the unrelated

  2. Hi there – good info – exactly what I was afraid of, although I had the old FB app on my BB Tour and I did NOT experience any of these issues.. But I am on a BES and I am in the “unrestricted” group, and the last thing I want is for FB to send a message to all of my contacts – which are many b/c of my corporate stuff on here..
    I’m writing b/c I don’t understand your own reply to your post. Also, is there any chance they’ll fix this, and how will we know?

    Thanks – Maggie

    Reply
    • If your previous device was in a BES policy group that had the “Disable Organizer Data Access for Social Networking Applications” option set, then you would have been protected against the default behavior. This is a default setting on BES 5.x but requires some work to get it enabled in any previous versions. However you’ve indicated that you were moved to a less restrictive policy group and, based on that, it seems that there are little or no policy controls in place on that group.

      The questions I would ask are:

      1. Why is there a need for a less restrictive group?
      2. If that less restrictive group is required, then define what that requirement is and keep all other policy settings consistent with your “normal” group.
      3. If that less restrictive group requires 100% uncontrolled devices, I would expect someone to justify that and be willing to accept the risk in doing so. This seems a bit irresponsible to me.

      Sorry about the other comment. That is a trackback. I mentioned this article in another posting and it automatically tracks back with a comment. I can see where that is confusing and will probably disable that feature.

      Reply
  3. Pingback: Anonymous

  4. Hey, Kevin!

    I’m glad I found your post. It was tough to find anything on the RIM facebook app custom installation permission settings. No, I did NOT allow to have my location data nor my organizer data. What about the other permission settings?

    Your post confirmed my thoughts on facebook lack of respect of user privacy. Let’s be honest, facebook is ran by a bunch of genius’ who are completely devoid of honesty and integrity.

    Thanks for delving into the details.

    mm

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s