The preceding chapters discussed how to start analyzing BlackBerry 10 apps and how you might go about attacking them. This chapter covers specific classes of vulnerability and how you go about identifying them within the apps being assessed.
BlackBerry apps are not radically different from apps on any other platform. Thus the classes of issue that they are potentially susceptible to are not radically different from those on other platforms either.
When you do practical and risk-aware assessments of apps, you are primarily concerned with attacks that fall into five categories:
- App permissions—The permissions requested by the app need to be proportional and essential to the functionality the user expects. Determine whether the permissions requested are excessive in nature.
- Data storage—The app should store data in such a way that information is not exposed unnecessarily, and data that is accessible should not undermine the app's security.
- Data transmission—Data should be transmitted by the app in a secure and integral manner proportional to the sensitivity of the data.
- Personally Identifiable Information (PII) handling and privacy—Where PII or other privacy-sensitive data is processed and transmitted by the app, developers should respect the user's privacy and obtain informed consent before doing so.
- Secure development—Developers should write the app in a broad and secure fashion to mitigate against vulnerabilities ...
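The first category above, checking whether requested permissions are proportional to the functionality the app advertises, lends itself to a simple, repeatable check during an assessment. The following script is an added example and is not code from the book. It assumes that a BlackBerry 10 app's `bar-descriptor.xml` declares permissions as `<permission>` elements under the QNX application namespace, and the sample descriptor, the hypothetical note-taking app and its expected-permission set are all constructed for illustration:

```python
"""Flag permissions in a BlackBerry 10 bar-descriptor.xml that exceed what the
app's advertised functionality needs.

Added example, not code from the book. Assumptions (labelled): the descriptor
uses the QNX application namespace and <permission> elements, and the expected
permission set below is a constructed one for a hypothetical offline note app.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Assumed namespace used by BlackBerry 10 bar-descriptor.xml files.
QNX_NS = "http://www.qnx.com/schemas/application/1.0"

# Constructed sample descriptor for a hypothetical local note-taking app.
SAMPLE_DESCRIPTOR = f"""<?xml version="1.0" encoding="utf-8"?>
<qnx xmlns="{QNX_NS}">
  <id>com.example.notes</id>
  <name>Example Notes</name>
  <permission>access_shared</permission>
  <permission>read_device_identifying_information</permission>
  <permission>access_pimdomain_contacts</permission>
  <permission>record_audio</permission>
</qnx>
"""

# Constructed expectation: a purely local notes app needs shared storage and
# nothing else. Derive this set from the app's user-facing feature list.
EXPECTED_FOR_NOTES_APP = {"access_shared"}


def requested_permissions(descriptor_xml: str) -> set[str]:
    """Return every permission string declared in the descriptor."""
    root = ET.fromstring(descriptor_xml)
    perms: set[str] = set()
    for el in root.iter():
        # Strip any namespace so both namespaced and bare <permission> tags match.
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "permission" and el.text:
            perms.add(el.text.strip())
    return perms


def excessive_permissions(descriptor_xml: str, expected: set[str]) -> set[str]:
    """Permissions requested that the expected feature set does not justify."""
    return requested_permissions(descriptor_xml) - expected


def review(descriptor_xml: str, expected: set[str]) -> list[str]:
    """Produce one finding line per excess permission, sorted for stable output."""
    return [
        f"excessive permission: {perm} (not justified by advertised functionality)"
        for perm in sorted(excessive_permissions(descriptor_xml, expected))
    ]


if __name__ == "__main__":
    for line in review(SAMPLE_DESCRIPTOR, EXPECTED_FOR_NOTES_APP):
        print(line)
```

The check is deliberately a set difference: the reviewer decides, from the app's stated purpose, what it should need, and anything beyond that becomes a question to put to the developer rather than an automatic finding. Run against a real descriptor, swap `SAMPLE_DESCRIPTOR` for the file contents and replace the expected set with one built from the app's feature list.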