Dan Ford, Chief Security Officer with SGP Technologies, the company that recently produced the Blackphone, published a story at medium.com detailing his investigation into SGP rival BlackBerry’s BlackBerry Messenger (BBM) service.
The researchers wanted to pursue three basic questions: 1) Does BBM utilize proper encryption while data is in transit? 2) Does BBM utilize proper encryption for data at rest? 3) Does BBM secure sensitive data?
Using viaLab to analyze BBM security
Answering the first question proved fairly straightforward: BBM didn’t appear to require a password prior to entering the application, which meant there could be no encryption key for data in transit. To discover how the BlackBerry program treated data at rest, SGP utilized viaLab’s forensic analysis tool, which allowed them to find text messages stored locally within an unencrypted SQLite database. The story used an informative graphic featuring viaLab’s desktop interface (below) detailing how this was done. To discover whether BBM secured sensitive data, SGP looked at how BBM accesses the device’s local address book to pull known BBM contacts and adds the BlackBerry PINs to your BBM contacts. Because these PINs can be used by BlackBerry to track the device through its geolocation sensors, Ford noted it is possible that other parties might be able to track the device as well.
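A developer auditing their own app can run a similar data-at-rest check on files copied out of the app's storage. The following is an added example, not code from Ford's story or from viaLab; the function names and file names are hypothetical and the sample files are constructed in the script.

```python
import math, os, sqlite3, tempfile
from pathlib import Path

# Every plaintext SQLite 3 file starts with this 16-byte magic string.
SQLITE_MAGIC = b"SQLite format 3\x00"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8 suggest encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_db(path: str) -> dict:
    """Report whether a file is a readable, unencrypted SQLite database."""
    with open(path, "rb") as f:
        head = f.read(4096)
    result = {"plaintext_sqlite": head[:16] == SQLITE_MAGIC,
              "entropy": round(shannon_entropy(head), 2), "tables": []}
    if result["plaintext_sqlite"]:
        # Open read-only so the audit never modifies the evidence file.
        con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
        try:
            rows = con.execute("SELECT name FROM sqlite_master "
                               "WHERE type='table' ORDER BY name")
            result["tables"] = [r[0] for r in rows]
        finally:
            con.close()
    # A missing magic header only shows the file is not plaintext SQLite;
    # it does not prove the contents are properly encrypted.
    return result

def demo():
    """Build two constructed sample files and classify them."""
    d = tempfile.mkdtemp()
    plain = os.path.join(d, "messages.db")       # constructed plaintext store
    con = sqlite3.connect(plain)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO messages (body) VALUES ('constructed sample message')")
    con.commit()
    con.close()
    opaque = os.path.join(d, "store.bin")        # random bytes stand in for an encrypted store
    with open(opaque, "wb") as f:
        f.write(os.urandom(4096))
    return classify_db(plain), classify_db(opaque)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

A file flagged as plaintext SQLite with message-bearing tables is the condition the story describes for BBM; moving the store to an encrypted database format should flip the first field to false and push the entropy toward 8.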
Using BBM to verify Silent Text security
Ford then touched upon how his researchers perform penetration testing on Blackphone’s own competing Silent Text app, using viaLab to run automated MITM, SSL Proxy, and SSL Strip attacks against it. The story also featured a screenshot (below) taken of viaLab’s interface to contrast the transparency of BBM’s database to that of Silent Text’s.
This was a compelling case study that highlighted some of viaLab’s capabilities, and it’s great to see companies utilizing viaLab to help test the security of their own apps and raise awareness about the sometimes complex issues surrounding mobile security.
More on viaLab
viaLab is a mobile application security assessment suite. It automates the process of identifying risks and vulnerabilities in mobile applications, both custom and third-party, and provides detailed, customized reporting and recommendations for vulnerability remediations.
For more info on viaLab, or to schedule a demo, contact us today.