Chirashi Security | The ‘Security Timer Reset’ permission

a blog with scattered thoughts on security.

Search

// you’re reading...

BlackBerry

The ‘Security Timer Reset’ permission

By chopstick ⋅ November 6, 2009 ⋅ Post a comment

Filed Under BlackBerry, permissions, security, ubertwitter

Did you ever wonder what some of those Application Permissions were on your BlackBerry? I’m putting together a paper that details the more important ones and why you should be careful in changing them. For now, I thought I’d share some information about the “Security Timer Reset” permission and what you can do with it.

The Security Timer Reset permission is set to Deny by default. This is good. Be wary of applications asking you for Allow permissions on this. One of the things you can do with this permission enabled is to delay your lock screen. Indefinitely.

The lock screen usually appears when your Security Timeout is exceeded.

Device Lock Screen

For example, if you have a Security Timeout set to 2 minutes, your screen will lock automatically and you will have to enter your password to access the device again. This is handy to have, if you leave your BlackBerry on your desk at work and are afraid someone will pick it up and install nasty stuff on your BlackBerry.

Security Timeout

Let’s take the case where you download a malicious application (you don’t know its malicious of course). It is such a compelling one (read: porn slideshow) that you just HAD to download it. Now the application innocently asks you for the “Event Injection” & “Security Timer Reset” permission to ‘advance’ the slides back and forth. “Sure”, you think, “no problems there now is it?” and you grant Allow access to the application. What this application could do is to then inject a key event every 15 seconds. This can be done so that you don’t notice. When this key event is injected every 15 seconds, its as if you are moving the trackball or clicking a key. This delays the device lockout because the timer is reset every 15 seconds. The device will now never lock itself out.

So be wary of granting Allow Permissions on almost everything. I know UberTwitter is an application that asks for a lot of Allow permissions (although it doesn’t ask you for the Security Timer Reset permission). I think it might be worthwhile starting a Permissions Hall of Shame on my site, just to list such offenders.