Attify's Guide to get started with Pentesting Blackberry Apps

Attify does a lot of Mobile application security assessments and auditing for various mobile platforms including Android, iOS, Windows and Blackberry.

Since not many resources are available for BlackBerry mobile app auditing, I’ll just share some of the basics of Blackberry pentest and how to setup a BlackBerry pentesting environment, and identifying the low hanging vulnerabilities.

Just a quick intro to the BB platform before we dive into its security. . The new Blackberry 10 runs on the QNX Neutrino RTOS (Real Time Operating System). QNX was one of the first commercially successful microkernel OS. You could find more info about the BB platform here and here .

Applications

Blackberry 10 applications are compiled into a .bar file, which is an archive file containaining all the application specific code, third party libraries and resources.

To extract the .bar file content, we could simply extract it and have a look at the contents.

Below is an example of what you should expect to see once you extract a .bar file.

[![Unzipping a Blackberry Application by Attify](https://blog.attify.com/content/images/2014/11/unzip-bar.png)](https://blog.attify.com/content/images/2014/11/unzip-bar.png)Unzipping a Blackberry Application
 

At the root, we have the META-INF folder which contains the application’s MANIFEST.MF which has simply the information about the application such as the Bundle-Name, Bundle-ManifestVersion and so on.

If you see the above screenshot, you’ll also notice the folder named native which contains the app binary and other application resources such as logs, images, bar descriptor files, database files and so on.

Digging Deeper

This section will be divided into three different sub-sections:

  1. Traffic Interception (HTTP and HTTPS)
  2. Insecure Data Storage
  3. Logs Analysis

Traffic Interception for Blackberry

Intercepting the normal HTTP traffic in BB devices is as simple as setting up a proxy on the device, and running a proxy on your host, where you’ll be intercepting the entire traffic.

However you’ll notice over here is that you’re not able to intercept the SSL traffic of the applications and browser.

Blackberry does not accept X509 certificate solely but demands for Public-Key Cryptography Standards (PKCS). Due to this, we need to set up a pkcs#12 certificate.

The pkcs#12 certificate (certificate with “.p12 or .pfx” extension) can be created using a tool named keytool which will be found under JDK directory.

As for proxying, we will use Burp Suite. Also, with using Burp Suite for proxying, that makes things simpler when creating a pkcs#12 certificate.

Creating Certificates

Fire up burp suite and navigate to Proxy | Options | CA certificate

[![Setting up burp proxy for blackberry by Attify](https://blog.attify.com/content/images/2014/11/burp-proxy-options-CA.png)](https://blog.attify.com/content/images/2014/11/burp-proxy-options-CA.png)Setting up burp proxy for blackberry
Under the **CA-certificate** option, select the **Certificate and Private Key** in **PKCS#12** option.

Exporting CA using Burp

Set the location where you want to save the pkcs#12 file, provide an appropriate name, set the password in password field and click “Next”.
Once everything is successfully done, you will see a final window saying The Certificate and private key was successfully exported.

Exporting CA finished

Transferring certificate to simulator

Once the certificate is created, we need to send it to Blackberry simulator.
This can be achieved either by using SSH or file transfer using an FTP Client.

For this particular scenario, we will use FTP client, filezilla and transfer the certificate to sdcard of Blackberry simulator.

[![SCPing to BB using FileZilla](https://blog.attify.com/content/images/2014/11/BB10-FileZilla.png)](https://blog.attify.com/content/images/2014/11/BB10-FileZilla.png)SCPing to BB using FileZilla
Under the **Host** option, provide the ip address of simulator, which can be seen at the bottom of the simulator. The login credentials are `devuser:devuser`. Once the connection is established with the simulator, we can transfer the certificate to /sdcard with simple drag-and-drop.

Importing certificate in simulator

Once we have pushed the certificate to the simulator/device, we need to add it to the trusted list as well.
In order to import the certificate, you need to go to Settings | Security and Privacy | Certificates.

[![Blackberry Settings](https://blog.attify.com/content/images/2014/11/settings.png)](https://blog.attify.com/content/images/2014/11/settings.png)Blackberry Settings
 

Once you’re into certificates, you’ll have something looking like the one shown below.

[![Importing certificates in Blackberry](https://blog.attify.com/content/images/2014/11/BB10-Import-Cert-1.png)](https://blog.attify.com/content/images/2014/11/BB10-Import-Cert-1.png)Importing certificates in Blackberry
Click the **Import** icon located on the bottom right.

On the next screen, select the options acc to your convenience and click next.

[![Installing a new certificate in Blackberry](https://blog.attify.com/content/images/2014/11/BB10-Import-Cert.png)](https://blog.attify.com/content/images/2014/11/BB10-Import-Cert.png)Installing a new certificate in Blackberry
After clicking next, you will see the certificate which you’ve just now imported. Select that`pkcs#12` certificate (in our case, it was BB10.p12). Type the password which you provided while creating the certificate and click **OK**. At this step, the pkcs#12 certificate is successfully imported and should be visible in simulators trusted store. Import pkcs#12 certificate in Burp Suite.

In burp suite, and navigate to Proxy | Options | CA Certificate

burp-proxy-options-CA-1
Under the Import options, select Certificate and private key in PKCS

[![Importing a new PKCS in Burp](https://blog.attify.com/content/images/2014/11/burp-import-pkcs.png)](https://blog.attify.com/content/images/2014/11/burp-import-pkcs.png)Importing a new PKCS in Burp
Select the `pkcs#12` certificate that was created in above step, provide the password and click **Next**.

imported-BB10-cert
At this point, after the certificate has been successfully imported, restart the burp suite as well as Blackberry Simulator.

Route traffic through proxifiers

Blackberry’s architecture does not allow anyone to intercept its traffic normally. In order to intercept traffic for security assessment, we will be using proxifiers.
Proxifiers are basically programs that provide functionality to intercept and modify traffic of other programs by making them pass through proxy server.
There is an option to use any proxifier of your interest. Some of them which you could use are

  1. ProxyChains
  2. Redsocks
  3. Proxifier
  4. ProxyCap

We will be using Proxifier. Create a new profile in Proxifier and save it as BB10.

1.Go to Profile > Proxy Servers, and add a new entry as shown below:

[![Using Proxifier for Blackberry Traffic Interception](https://blog.attify.com/content/images/2014/11/proxifier-add-proxy-server.png)](https://blog.attify.com/content/images/2014/11/proxifier-add-proxy-server.png)Using Proxifier for Blackberry Traffic Interception
* Important Note : The port used here should be same as that of Proxy being used. In our case, we have set port 8080 in burp suite, so we will be using 8080 here* 2.Go to **Profile | Proxification rules** and **add** a new rule for routing all the traffic of simulator though proxifier.
[![Setting up Proxifier Rules](https://blog.attify.com/content/images/2014/11/proxification-rule.png)](https://blog.attify.com/content/images/2014/11/proxification-rule.png)Setting up Proxifier Rules
3.  Go to **Profile | Advanced | Services and other users ** and check both the available options as shown below :

proxifier-advanced
4.Go to Profile | Http Proxy Server and check the Enable HTTP option.

proxifier-advanced-HTTP

  1. Select the infinite loop option.

infinite-loop
Make sure to save the proxifier profile.

Once this set up is done, we can easily proceed through SSL traffic interception for further security assessment.

Part 2 – Insecure Data Storage

Often developers make mistake of storing sensitive information on the device, sometimes in plaintext which could be easily read by the attackers.

Getting access to data storage is not a tough task. There are various methods available to get root access to devices. Yes, I am talking about “Jailbreaks” and “Rooting” here.
Neither simulator nor the device will directly allow access to local data storage of the application. There is no readily available wizard to root Blackberry 10 devices yet but there are still workaround available to analyze the local data storage.

Also, note that Blackberry 10 is based on QNX Operating System as we have already discussed before.

The idea behind getting access to local storage is to get a qnx based environment and attach the simulator’s virtual disk with it.

You can download Blackberry Simulator from Blackberry’s official website.

Note: It is advisable to use Blackberry 10.1.X simulators (http://developer.Blackberry.com/develop/simulator/bb10allsimversions.html/)
Once the simulator is downloaded, start it within virtual workstation (or VirtualBox).

Next step would be to install the app in simulator, which can be easily done with “BB10 Chrome Extension”

[![Blackberry 10 Chrome Extension](https://blog.attify.com/content/images/2014/11/BB10-Extension.png)](https://blog.attify.com/content/images/2014/11/BB10-Extension.png)Blackberry 10 Chrome Extension
 

BB10-Extension_1

Before proceeding; you will need QNX based platform.
It can be found here (http://www.qnx.com/download/feature.html?programid=21367)
After downloading QNX Neutrino image file, create a new virtual machine and attach the Blackberry simulator’s virtual disk.
Once virtual machine with qnx is created and Blackberry simulator’s virtual disk attached, boot up the qnx virtual machine.

[![Setting up QNX](https://blog.attify.com/content/images/2014/11/qnx-starting.png)](https://blog.attify.com/content/images/2014/11/qnx-starting.png)Setting up QNX
* Note – You could safely ignore the errors here and proceed* The default credentials are `root:` (blank password)
[![QNX login screen ](https://blog.attify.com/content/images/2014/11/qnx-os.png)](https://blog.attify.com/content/images/2014/11/qnx-os.png)QNX login screen
Go to **utilities** on the right side of your desktop and select **Terminal**

[![QNX Terminal](https://blog.attify.com/content/images/2014/11/qnx-terminal.png)](https://blog.attify.com/content/images/2014/11/qnx-terminal.png)QNX Terminal
Once you get access to terminal, traverse to `/fs`.
[![Analyzing Blackberry filesystem](https://blog.attify.com/content/images/2014/11/fs-folder.png)](https://blog.attify.com/content/images/2014/11/fs-folder.png)Analyzing Blackberry filesystem
Now finally we have access to the Blackberry’s storage.

The folder named hd1-qnx6-2 is the Blackberry simulator’s virtual disk that we attached.

To see the local data storage of any app, we need to traverse to
/fs/hd1-qnx6-2/accounts/1000/appdata.

Inside this folder we can see the installed apps.

[![Viewing the Blackberry file system ](https://blog.attify.com/content/images/2014/11/inside-hd1.png)](https://blog.attify.com/content/images/2014/11/inside-hd1.png)Viewing the Blackberry file system
After getting into the `appdata`, we can traverse the apps storage for further analysis.

Below screenshot shows the access to local storage of an app where we can find the sqlite databases.
Further analysis showed that none of them were encrypted.

[![Vulnerabilities Vulnerabilities Everywhere! Blackberry. ](https://blog.attify.com/content/images/2014/11/inside-app-folder.png)](https://blog.attify.com/content/images/2014/11/inside-app-folder.png)Vulnerabilities Vulnerabilities Everywhere! Blackberry.
Part 3 – Logs Interception

By default, Blackberry 10 stores the logs under a folder named Logs.

The steps to get to this folder are similar as explained above.

Once you have attached the Blackberry simulator’s virtual disk to qnx based virtual machine, start the qnx virtual machine and get to /fs/hd1-qnx6-2/accounts/appdata/<app-folder>/logs

[![Application Logs - another big security risk](https://blog.attify.com/content/images/2014/11/logs-folder.png)](https://blog.attify.com/content/images/2014/11/logs-folder.png)Application Logs – another big security risk
Hence forth you can analyze the logs found at this instance for further sensitive information.

That’s all for this blog post. The environment is up and running and open for you to play around.

Feel free to get in touch with us at secure@attify.com for any queries or app auditing projects or even customized trainings for your organisation.

Also, we are conducting few trainings all over the year for Mobile Exploitation. Have a look at the entire course details and structure at here.

Hope you enjoyed the blog post and it helped you getting started with Blackberry App Auditing.



comments powered by Disqus
Tags
Android android application security android hands on security and exploitation training android security Apktool application auditing application security auditing appsec usa appwatch attify attify badge attify training binwalk blackberry pentesting blackhat ble BLE hacking and exploitation BLE sniffing box brut Exception chroot cloud based mobile application security scanner consulting CTF Damn Vulnerable iOS App devops dumping memory embedded hacking exploitation exploiting smart devices Firmware hacking frida hackfest hacking smart devices how to secure iot device IDA internet of things Internet of Things Security ios application security ios security iot iot device IoT Exploitation iot hacking iot pentest iot pentesting iot security iot security training iotsecurity jtag jtag debugging mobile app mobile application security mobile application security testing mobile security ninja recon technique offensive iot exploitation ola cabs owasp owasp appsec penetration testing pentesting pentesting mobile apps powerofcommunity PrinterSecurity qemu quizup radio communication protocol radio coomunication Reversing sdr secure coding guidelines security security issue security services security training security vulnerability smart devices social networking spi threat modeling training uart vulnerability writeups xposed hooking zigbee zigbee exploitation zigbee security zwave firmware reverse engineering firmware emulation firmware analysis toolkit firmadyne getting started with firmware hacking iot penetration testing iot attacks recent iot attacks cyber attacks iot hacks biggest iot attacks of all time hacked smart devices iot bots, malwares latest iot attacks BtleJuice bleah

Instagram