Attify's Guide to get started with Pentesting Blackberry Apps

. 8 min read

Attify does a lot of Mobile application security assessments and auditing for various mobile platforms including Android, iOS, Windows and Blackberry.

Since not many resources are available for BlackBerry mobile app auditing, I’ll just share some of the basics of Blackberry pentest and how to setup a BlackBerry pentesting environment, and identifying the low hanging vulnerabilities.

Just a quick intro to the BB platform before we dive into its security. . The new Blackberry 10 runs on the QNX Neutrino RTOS (Real Time Operating System). QNX was one of the first commercially successful microkernel OS. You could find more info about the BB platform here and here .

Applications

Blackberry 10 applications are compiled into a .bar file, which is an archive file containaining all the application specific code, third party libraries and resources.

To extract the .bar file content, we could simply extract it and have a look at the contents.

Below is an example of what you should expect to see once you extract a .bar file.

Unzipping a Blackberry Application by AttifyUnzipping a Blackberry Application

At the root, we have the META-INF folder which contains the application’s MANIFEST.MF which has simply the information about the application such as the Bundle-Name, Bundle-ManifestVersion and so on.

If you see the above screenshot, you’ll also notice the folder named native which contains the app binary and other application resources such as logs, images, bar descriptor files, database files and so on.

Digging Deeper

This section will be divided into three different sub-sections:

  1. Traffic Interception (HTTP and HTTPS)
  2. Insecure Data Storage
  3. Logs Analysis

Traffic Interception for Blackberry

Intercepting the normal HTTP traffic in BB devices is as simple as setting up a proxy on the device, and running a proxy on your host, where you’ll be intercepting the entire traffic.

However you’ll notice over here is that you’re not able to intercept the SSL traffic of the applications and browser.

Blackberry does not accept X509 certificate solely but demands for Public-Key Cryptography Standards (PKCS). Due to this, we need to set up a pkcs#12 certificate.

The pkcs#12 certificate (certificate with “.p12 or .pfx” extension) can be created using a tool named keytool which will be found under JDK directory.

As for proxying, we will use Burp Suite. Also, with using Burp Suite for proxying, that makes things simpler when creating a pkcs#12 certificate.

Creating Certificates

Fire up burp suite and navigate to Proxy | Options | CA certificate

Setting up burp proxy for blackberry by Attify
Setting up burp proxy for blackberry

Under the CA-certificate option, select the Certificate and Private Key in PKCS#12 option.

Exporting CA using Burp

Set the location where you want to save the pkcs#12 file, provide an appropriate name, set the password in password field and click “Next”.
Once everything is successfully done, you will see a final window saying The Certificate and private key was successfully exported.

Exporting CA finished

Transferring certificate to simulator

Once the certificate is created, we need to send it to Blackberry simulator.
This can be achieved either by using SSH or file transfer using an FTP Client.

For this particular scenario, we will use FTP client, filezilla and transfer the certificate to sdcard of Blackberry simulator.

SCPing to BB using FileZilla
SCPing to BB using FileZilla

Under the Host option, provide the ip address of simulator, which can be seen at the bottom of the simulator.
The login credentials are devuser:devuser.
Once the connection is established with the simulator, we can transfer the certificate to /sdcard with simple drag-and-drop.

Importing certificate in simulator

Once we have pushed the certificate to the simulator/device, we need to add it to the trusted list as well.
In order to import the certificate, you need to go to Settings | Security and Privacy | Certificates.

Blackberry Settings
Blackberry Settings

Once you’re into certificates, you’ll have something looking like the one shown below.

Importing certificates in Blackberry
Importing certificates in Blackberry

Click the Import icon located on the bottom right.

On the next screen, select the options acc to your convenience and click next.

Installing a new certificate in Blackberry
Installing a new certificate in Blackberry

After clicking next, you will see the certificate which you’ve just now imported. Select thatpkcs#12 certificate (in our case, it was BB10.p12).
Type the password which you provided while creating the certificate and click OK.
At this step, the pkcs#12 certificate is successfully imported and should be visible in simulators trusted store.
Import pkcs#12 certificate in Burp Suite.

In burp suite, and navigate to Proxy | Options | CA Certificate

burp-proxy-options-CA-1
Under the Import options, select Certificate and private key in PKCS

Importing a new PKCS in Burp
Importing a new PKCS in Burp

Select the pkcs#12 certificate that was created in above step, provide the password and click Next.

imported-BB10-cert
At this point, after the certificate has been successfully imported, restart the burp suite as well as Blackberry Simulator.

Route traffic through proxifiers

Blackberry’s architecture does not allow anyone to intercept its traffic normally. In order to intercept traffic for security assessment, we will be using proxifiers.
Proxifiers are basically programs that provide functionality to intercept and modify traffic of other programs by making them pass through proxy server.
There is an option to use any proxifier of your interest. Some of them which you could use are

  1. ProxyChains
  2. Redsocks
  3. Proxifier
  4. ProxyCap

We will be using Proxifier. Create a new profile in Proxifier and save it as BB10.

1.Go to Profile > Proxy Servers, and add a new entry as shown below:

Using Proxifier for Blackberry Traffic Interception
Using Proxifier for Blackberry Traffic Interception

*Important Note : The port used here should be same as that of Proxy being used. In our case, we have set port 8080 in burp suite, so we will be using 8080 here *

2.Go to Profile | Proxification rules and add a new rule for routing all the traffic of simulator though proxifier.

Setting up Proxifier Rules
Setting up Proxifier Rules

  1. Go to **Profile | Advanced | Services and other users ** and check both the available options as shown below :

proxifier-advanced

4.Go to Profile | Http Proxy Server and check the Enable HTTP option.

proxifier-advanced-HTTP

  1. Select the infinite loop option.

infinite-loop

Make sure to save the proxifier profile.

Once this set up is done, we can easily proceed through SSL traffic interception for further security assessment.

Part 2 – Insecure Data Storage

Often developers make mistake of storing sensitive information on the device, sometimes in plaintext which could be easily read by the attackers.

Getting access to data storage is not a tough task. There are various methods available to get root access to devices. Yes, I am talking about “Jailbreaks” and “Rooting” here.
Neither simulator nor the device will directly allow access to local data storage of the application. There is no readily available wizard to root Blackberry 10 devices yet but there are still workaround available to analyze the local data storage.

Also, note that Blackberry 10 is based on QNX Operating System as we have already discussed before.

The idea behind getting access to local storage is to get a qnx based environment and attach the simulator’s virtual disk with it.

You can download Blackberry Simulator from Blackberry’s official website.

Note: It is advisable to use Blackberry 10.1.X simulators (http://developer.Blackberry.com/develop/simulator/bb10allsimversions.html/)
Once the simulator is downloaded, start it within virtual workstation (or VirtualBox).

Next step would be to install the app in simulator, which can be easily done with “BB10 Chrome Extension”

Blackberry 10 Chrome Extension
Blackberry 10 Chrome Extension

BB10-Extension_1

Before proceeding; you will need QNX based platform.
It can be found here (http://www.qnx.com/download/feature.html?programid=21367)
After downloading QNX Neutrino image file, create a new virtual machine and attach the Blackberry simulator’s virtual disk.
Once virtual machine with qnx is created and Blackberry simulator’s virtual disk attached, boot up the qnx virtual machine.

Setting up QNX
Setting up QNX

Note – You could safely ignore the errors here and proceed*
The default credentials are root: (blank password)

QNX login screen
QNX login screen

Go to utilities on the right side of your desktop and select Terminal

QNX Terminal
QNX Terminal

Once you get access to terminal, traverse to /fs.

Analyzing Blackberry filesystem
Analyzing Blackberry filesystem

Now finally we have access to the Blackberry’s storage.

The folder named hd1-qnx6-2 is the Blackberry simulator’s virtual disk that we attached.

To see the local data storage of any app, we need to traverse to
/fs/hd1-qnx6-2/accounts/1000/appdata.

Inside this folder we can see the installed apps.

Viewing the Blackberry file system
Viewing the Blackberry file system

After getting into the appdata, we can traverse the apps storage for further analysis.

Below screenshot shows the access to local storage of an app where we can find the sqlite databases.
Further analysis showed that none of them were encrypted.

Vulnerabilities Vulnerabilities Everywhere! Blackberry.
Vulnerabilities Vulnerabilities Everywhere! Blackberry.

Part 3 – Logs Interception

By default, Blackberry 10 stores the logs under a folder named Logs.

The steps to get to this folder are similar as explained above.

Once you have attached the Blackberry simulator’s virtual disk to qnx based virtual machine, start the qnx virtual machine and get to /fs/hd1-qnx6-2/accounts/appdata/<app-folder>/logs

Application Logs - another big security risk
Application Logs – another big security risk

Hence forth you can analyze the logs found at this instance for further sensitive information.

That’s all for this blog post. The environment is up and running and open for you to play around.

Feel free to get in touch with us at secure@attify.com for any queries or app auditing projects or even customized trainings for your organisation.

Also, we are conducting few trainings all over the year for Mobile Exploitation. Have a look at the entire course details and structure at here.

Hope you enjoyed the blog post and it helped you getting started with Blackberry App Auditing.



Attify Team

IoT Security and Penetration Testing

Get IoT Security Training

IoT Pentesting Exploitation Training

Tags

analog modulation Android android application security android hands on security and exploitation training android security Apktool application auditing application security auditing appsec usa appwatch arduino nano arm ARM binaries ARM course ARM exploitation book ARM exploitation video training ARM gadgets ARM Training attify attify badge attify training best security practices biggest iot attacks of all time binwalk blackberry pentesting blackhat ble BLE attacks BLE dangers BLE hacking and exploitation BLE security issues BLE sniffing BLE vulnerabilities bleah bluetooth technology box brut Exception BtleJuice capture radio traffic career in cybersecurity CCTV cameras challenges in iot retail chroot cloud based mobile application security scanner consulting CTF cyber attacks cybersecurity Damn Vulnerable iOS App dangers of iot DDoS attacks devops digital modulation dumping memory embedded hacking expert Exploit ARM devices exploitation exploiting ble exploiting smart devices firmadyne firmware analysis toolkit firmware emulation Firmware hacking firmware reverse engineering Flare-on frida getting started with firmware hacking GSMA guide to ARM exploitation hacked security IP cameras hacked smart devices hackers hackfest hacking smart devices healthcare business protection against iot threats healthcare cyber security how can healthcare fight iot threats How Mirai botnet infects your device How Mirai works how retail can prevent cyber attacks how to exploit ble how to hack radio waves how to protect iot devices how to secure iot device IDA internet of things Internet of Things Security internet security ios application security ios security iot iot attacks iot bots, malwares iot device IoT Devices IoT Exploitation iot hacking iot hacks IoT hacks on ARM devices iot penetration testing iot pentest iot pentesting iot security IoT security guidelines iot security training iot threats iot threats to healthcare industry iotsecurity IP cameras jtag jtag debugging latest iot attacks learn ARM exploitation measures to prevent cyber attacks on healthcare organisations Mirai Botnet mirai history mobile app mobile application security mobile application security testing mobile security monitor iot devices Mozilla network security in retail ninja recon technique NIST offensive iot exploitation ola cabs owasp owasp appsec penetration testers penetration testing pentesting pentesting mobile apps phishing attacks powerofcommunity PrinterSecurity privacy protection profession professional qemu quizup radio communication protocol radio coomunication radio waves hacking recent ARM attacks recent cyber attacks recent iot attacks recent security camera attacks retail iot Reversing safety measures to protect privacy sdr secure coding guidelines security security cameras security challenges in retail IoT security in healthcare iot security issue security issues faced by e-retailers security services security training security vulnerability setup smart devices smart user security social networking spi steps to prevent iot attacks on healthcare surveillance cameras hijacked threat modeling tools to exploit ble training uart Understanding Mirai Botnet virus vulnerabilities discovered in popular IoT IP cameras vulnerabilities in internet connected cameras vulnerability vulnerable ARM devices What is mirai botnet? why choose career in cybersecurity writeups xposed hooking zigbee zigbee exploitation zigbee security zwave

Instagram