BlackBerry is struggling enough in the smartphone wars as it is, but the venerable pocket assistant company has been dealt a blow: a vulnerability around the BlackBerry World app store has been discovered, which would allow spoofing in order to serve up malicious files.
The flaw affects BlackBerry 10 smartphone customers running the BlackBerry World widget, which device-owners use to search for and download apps. According to the BlackBerry advisory, the problem exists in the BlackBerry World service’s download mechanism, and opens the door to a man-in-the-middle attack.
An attacker could essentially masquerade as the app store, so that a user would think that they are downloading an official app from an official source, when in fact it’s a malicious file from a fake source.
After using a MiTM approach to intercept a user’s BlackBerry World application download, and the rogue app is installed on the phone, nefarious sorts can use the malware to gain access to any data or settings allowed by the app permissions that the user granted.
“BlackBerry customer risk is limited both by the requirement that customers must first connect to an attacker-controlled network, and by the inability of a potential attacker to force exploitation of the vulnerability without customer interaction,” the company stressed.
It added, “Successful exploitation requires an attacker to intercept a user’s application download/update request from BlackBerry World over a compromised network and replace the response from the server with a malicious file. [It also] requires that a user accept the permissions and install the malicious app.”
The company also noted that BlackBerry World employs application integrity checking and secure download methods to ensure that the correct app is downloaded and installed.
The vulnerability is not currently being exploited, the company said, and BlackBerry has issued a fix.
BlackBerry is struggling enough in the smartphone wars as it is, but the venerable pocket assistant company has been dealt a blow: a vulnerability around the BlackBerry World app store has been discovered, which would allow spoofing in order to serve up malicious files.
The flaw affects BlackBerry 10 smartphone customers running the BlackBerry World widget, which device-owners use to search for and download apps. According to the BlackBerry advisory, the problem exists in the BlackBerry World service’s download mechanism, and opens the door to a man-in-the-middle attack.
An attacker could essentially masquerade as the app store, so that a user would think that they are downloading an official app from an official source, when in fact it’s a malicious file from a fake source.
After using a MiTM approach to intercept a user’s BlackBerry World application download, and the rogue app is installed on the phone, nefarious sorts can use the malware to gain access to any data or settings allowed by the app permissions that the user granted.
“BlackBerry customer risk is limited both by the requirement that customers must first connect to an attacker-controlled network, and by the inability of a potential attacker to force exploitation of the vulnerability without customer interaction,” the company stressed.
It added, “Successful exploitation requires an attacker to intercept a user’s application download/update request from BlackBerry World over a compromised network and replace the response from the server with a malicious file. [It also] requires that a user accept the permissions and install the malicious app.”
The company also noted that BlackBerry World employs application integrity checking and secure download methods to ensure that the correct app is downloaded and installed.
The vulnerability is not currently being exploited, the company said, and BlackBerry has issued a fix.