Today, I’m releasing source code to three of my projects that I’ve been incubating.  1) bbt 2) evt2sqlite  3) ConParse Take! Build! Enjoy! At some point or another, I may just split them up into their own repos.  For now, they all live in the bb-tools repository down at github. Update: I’ve split them up now

In today’s post, I’ll cover the first tool, bbt.

bbt

bbt is a python script that analyzes the thumbnail cache from a BlackBerry.  The purpose of a thumbnail cache in any system, is generally to speed up the browsing of large numbers of graphic or video files.  Instead of presenting a static icon to the user, a small thumbnail of the picture or frame of the video file is shown.  Apparently this is a good thing, because  you can see an icon of the image that you’re clicking on and will hopefully be able to find the file you’re looking for quicker.  Typically, the Operating System will find and shrink pictures found in directories of the filesystem.  These shrunk pictures will then be placed inside the thumbnail cache.

When conducting a digital forensics analysis of a computer, looking for these thumbnail caches often provide clues as to what files may have existed before they were deleted off the file system.  The thumbnail cache is important enough to warrant its own entry on the Forensics Wiki (albeit only the Windows thumbnail cache is spoken about).  The principle generally remains the same when extended to the BlackBerry device as well.  So, bottom line: being able to analyze this file is useful.

bbt will do just that for thumbnail cache files found on BlackBerry devices.  There are two types of thumbnail caches on the BlackBerry device: 1) BBThumbs.dat format 2) key/dat format.

Format 1 is pre OS 5.0 and the key/dat format is post OS 5.0  The key/dat combination is interesting because it uses two files to keep track of thumbnails.  They look something like thumbs86x86.key and thumbs86x86.dat (the 86×86 indicates the size of the thumbnail – 86 pixels by 86 pixels).  I’ve noticed quite a few interesting things in these files and no doubt, you will too after you look through the source or play around with them long enough:

1. The BBThumbs.dat header is 0×24052003 (which is a hex number)
2. The thumbs.dat file header is 0×22062009 (hex again)
3. The thumbs.key file header is 0×08062009 (hex)

This is pure speculation, but if you took those hexadecimal representations and looked at just the numbers, don’t they look like dates?

• 0×24052003 –> 24 05 2003
• 0×22062009 –> 22 06 2009
• 0×08062009 –> 08 06 2009

Maybe birth dates of the file format itself or someone significant to someone who wrote it? Dunno.

Another interesting observation of the key/dat thumbnail cache is that it not only stores image thumbnails, but also stores details of all types of media including ‘wav’, ‘mp3′, and ‘mid’.  It doesn’t store any content inside it though.  The only content stored inside the files is image data.

I’m not actually going to tell you what is found inside the thumbs files in this post, but instead, I am going to tell you how to run bbt.  bbt is a python script and as such will require that you have python installed on your system.  I’d always recommend cloning my repository on github so that you can easily pull any updates.  You may also want to sign up for a github account and watch the repository so that you will be notified of any commits I make.  You could also fork the project and get to work on it yourself.

azazel:Device sheran$ ~/github/bb-tools/bbt/bbt.py
Usage: bbt.py [options]
  -h, --help: This cruft
  -k, --key <bbthumbs key file>: Process post OS5 thumbs.key file (requires thumbs.dat file in same directory)
  -b, --bbthumbs <old bbthumbs file>: Process pre OS5 BBThumbs.dat file
  -x, --extract: Extracts the thumbnails into directory specified by -o
  -o, --output <output directory>: Directory to extract thumbs to (used only with -x)
azazel:Device sheran$

The output above is what you will receive if you run bbt without options.  As of the latest release (0.3b), the most magical thing you can do with this tool is to extract the thumbs into a specific output directory.  Additionally, bbt will parse out information about 1) What thumbnails are stored in the file (filename) for BBThumbs.dat files or 2) Where at what offset in a ‘dat’ file a specific record id is stored.  Here’s some example output when parsing a key/dat pair:

azazel:Device sheran$ ~/github/bb-tools/bbt/bbt.py -k thumbs116x116.key -x -o out
*** Processing thumbs116x116.key on 2011-07-22 21:50:48.156899
Record ID C620B80A is at offset 7 in 'dat' file // [1306132653179.jpeg]
Record ID DB0B7CA3 is at offset 25930 in 'dat' file // [1306492410606.jpeg]
Record ID D2EC23E3 is at offset 52123 in 'dat' file // [1306732433796.jpeg]
*** thumbs116x116.key has 9 records
*** Processed 3 records
azazel:Device sheran$

When you parse a key/dat file combination, you need to make sure that both the ‘key’ and ‘dat’ file are in the same directory.  When you run bbt, you will point it to the location of the ‘key’ file.  From the output above, you can see that it has discovered 3 records, corresponding record ids and offsets where they are stored in the ‘dat’ file.  Also, the filename of the thumbnail is provided.  What do the offsets mean?  Well, if you were to take the numbers and open up the ‘dat’ file in a hex editor, then you would land on the location where that specific record began.  This is what it looks like:

The highlighted portion is the first part of the record with the correct starting offset.  You may also notice that the ‘key’ file supposedly has 9 records but only 3 were processed.  This happens because the ‘key’ file holds 9 record ids and 9 offsets, but only 3 of those actually match up in the ‘dat’ file.  One assumption that can be made is that the files were deleted from the ‘dat’ file, but the ids and offsets still remained in the ‘key’ file.

bbt also has the ‘-x’ option which allows you to extract the thumbnails that are inside either the BBThumbs.dat file or the key/dat files.  You do this by specifying the ‘-x’ option along with the ‘-o’ option to tell bbt where to extract the thumbnails to.  You will need to make sure that the output directory specified by the ‘-o’ option does not already exist.

For now, that’s as much as you’re going to get out of bbt.  Some features that are planned in the roadmap for bbt are:

• HTML Reporting
• Identification of Exif data within thumbnails
• Completely parsing some of the header and record bytes that are as yet unknown

I’ll cover the other tools in subsequent posts.  For now, though, the tools are all live in the github repository.  All of the tools contain a basic README doc that tells you how to get started with each of the tools.

Example Event Log Output:

guid:0x3B91E1630F0745BC time:2010/06/30 22:45:40.0 severity:Always Log type:String app:net.rim.tunnel data:Clos-MagicRudyAPN.rim
guid:0x316C1626A9DDC375 time:2010/06/30 22:45:40.0 severity:Always Log type:String app:net.rim.tcp data:clos
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:46.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:46.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:54.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:54.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:57.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0x647E5DBBC34B5549 time:2010/06/30 22:46:09.0 severity:Always Log type:String app:net.rim.clock data:+CHG
guid:0xDAA64EAD4E49C5D5 time:2010/06/30 22:46:09.0 severity:Always Log type:String app:net.rim.usb.pwd data:CbCn
guid:0x5D41D4729582C2DA time:2010/06/30 22:46:09.0 severity:Always Log type:String app:RootRegister data:usbConnectionStateChange:1

sheran@devbox:~/progs$ ./beg -p -r
Connected to 20fe2f60
2010/06/30 21:07:55.0: Incoming Call from +622157939018
2010/06/30 22:29:19.0: Outgoing Call to 02114045
2010/06/30 22:30:37.0: Outgoing Call to +628119917931
2010/06/30 22:41:54.0: Outgoing Call to +6281219684934
2010/06/30 22:53:27.0: Outgoing Call to +6281219684934
sheran@devbox:~/progs$

Inner workings

To read an InputStream directly to a byte array you can do something like this:

FileConnector fconn = (FileConnector)Connector.open("testfile.txt");
InputStream inStream = fconn.openInputStream();
byte[] byteData = IOUtilities.streamToBytes(inStream);

The thing that jumps out at me regarding this patent application is the fact that RIM is certainly becoming more consumer friendly.  In the country where I reside at the moment, one thing is apparent.  BlackBerries rule.  I have seen teenage girls in malls who have their faces buried in their BlackBerry.  I have also seen the regular business user owning not one but two.  It is easily the most popular phone sold here.  While corporates praise RIM for their security, consumers will not feel the same way.  In my brief, personal experience with alleged power-users, I came away feeling like no one really understood security at all.  This will most likely multiply with regular end-users.  So, in an effort not to appear too anal, RIM seems to have decided to provide a way for a user to remember his password.  Of course the patent refers to “unique version data” and remains fairly nebulous on what it can be.  In it’s patent application, RIM states that this unique data can be a date, integer or string.  It might be that the end-user will have the ability to configure an option like “prompt me with the 3rd and 8th character of my password”.  I know the maximum limit for incorrect passwords is no more than 10.  I still think it won’t be possible to guess a password in 10 attempts.  Thus this is quite a good move in helping make the device both secure and consumer-friendly.  I expect they will roll it out in one of their next OS updates.

I started releasing commercial applications on BlackBerry App World and yesterday was the first time I used the Dynamic Licensing model.  I devised a solution based on Google App Engine and this post shows how this can be achieved and also includes sample source code for other developers in a similar situation.  Dynamic Licensing provides a mechanism for granting activation codes to user who purchase applications.  The system works like this:

App World Flow

As with almost all commercial, downloadable applications, online purchase and activation codes have become the norm.  The end-user pays for the product, downloads it and waits for an activation code to be sent to his email address.  Once he receives the code, he enters it into the app and he can begin using it.  This is straightforward if the developer sells the app on his own store that is hosted on his own server.  If he is to sell it on other stores, however, things become tricky.  Usually, well established stores like MobiHand and others have a mechanism that allows a developer to interface with their storefront for various purposes.  One of these instances is when activation codes are involved.  In cases like these, here is a quick run-down of how the purchase flow works:

1. End-user visits Online Store
2. End-user buys app from the Online Store
3. Online Store contacts the Developer Server (using an HTTP POST request) with end-user specific details
4. Developer Server generates the activation key
5. Developer Server responds to the Online Store POST request with an activation key
6. Online Store then presents this activation key to the End-user

It is the Developer’s responsibility to get his activation server up and running to ensure steps 3-5 are completed.  Sometimes this can be a painful task; especially after you’ve spent a few grueling weeks in developing your latest and greatest application.  My solution is to setup a free account on Google App Engine to host my activation server routines there.  Why bother you ask?  Here are some advantages that I can see:

1. App Engine is free and can easily be converted to a paid model (reasonably priced) based only on usage of resources
2. App Engine offers Java so its more likely to be familiar to a BlackBerry developer
3. No administrative overhead with setting up a server or maintaining it
4. It’s cool if you like to get into “Cloud Computing”
5. It’s very easy to move off Google App Engine and onto your own server when you’re ready because of the standardized modules

I’m not going to talk you through how to get an account, sign-up, etc.  Google has tons of docs and tutorials on how to do so.  I’ll assume you’ve already got your App Engine and know how to deploy apps on it.  What we’re going to create is a servlet and optionally, some classes to help us persist the incoming information to the app engine database.  If you’re using Eclipse with the Google App Engine plugin, then creating a project is simple.  On Eclipse simply click File->New->Project and then choose Web Application Project under the Google folder.  By default, a new project will be created with a servlet having the “doGet” method.  This method handles only HTTP GET requests.  You also need to create your own “doPost” method.  This is usually because stores including App World will POST the data to your URL.  What I do is just swap the doGet with doPost.

I then write my routines to handle the incoming request.  I usually capture all relevant information, extract some key parameters, use it to generate my activation key and provide a response.  For the sake of simplifying things.  Here is the code for my servlet that captures information from BlackBerry App World, generates the Activation Code and responds with that code:

package net.zenconsult.keyserver;

import java.io.IOException;

import javax.jdo.PersistenceManager;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.zenconsult.codec.binary.Hex;

@SuppressWarnings("serial")
public class KeyServerServlet extends HttpServlet {
	public void doPost(HttpServletRequest req, HttpServletResponse resp)
			throws IOException {
		// The RIM POST Format:
		// PIN=12341234&email=customeremail@email.com&product=product&version=1.2&transactionid=123&test=false

		String PIN = req.getParameter("PIN");
		String email = req.getParameter("email");
		String product = req.getParameter("product");
		String version = req.getParameter("version");
		String transactionId = req.getParameter("transactionid");
		String test = req.getParameter("test");
		String verify = req.getParameter("verify");

		//Init vlaues
		if(email == null)
		{
			email = "";
		}
		if(product == null)
		{
			product = "";
		}
		if(version == null)
		{
			version = "";
		}
		if(transactionId == null)
		{
			transactionId = "";
		}
		if(test == null)
		{
			test = "true";
		}

		// I realize using String.matches is taboo, but I did it anyway.  Feel free to change it
		// Since you can also pass your own parameters, I am passing the "verify" parameter; security by obscurity, I know,
		// but when using App Engine, your Servlet is publicly accessible, so...

		if((PIN.matches("\p{XDigit}{8}")) && (verify != null) && (verify.equalsIgnoreCase("bbappworld")) )
		{
			// This is my own Key Generation Routine
			KeyGen kg = new KeyGen(PIN);
			String hexString = new String(Hex.encodeHex(kg.genKey()));

			String Key = hexString.toUpperCase();
			if(test.equals("false"))
			{
				PersistenceManager pm = PMF.get().getPersistenceManager();
				Entry entry = new Entry(email, product, version, transactionId);
				pm.makePersistent(entry);
				pm.close();
			}
			resp.setContentType("text/plain");
			resp.getWriter().println("key="+Key);
		}

	}
}

If you paste the code above into your Eclipse, you will run into some errors.  These are the typical ones and how they can be fixed:

1. The KeyGen Class isn’t available.  This is my own KeyGen routine for generating Activation Keys.  It takes the BlackBerry PIN as an argument and does some magic on it.  You have to write this one yourself.
2. The Hex Class isn’t available.  In my case, I wanted to work with Hex strings and convert them back and forth.  I looked up the source to the Apache Commons Codec project and copied across the source code for the Hex class and all its dependencies into my own project.  You do not need to use it, but if you do, then I advise you to look at the Apache Commons Project.
3. The PMF class is missing.  This class is used if you want to Persist or store data. The PMF class source code is standard and Google App Engine has the sample code for it here.  If you need it, I’ve attached the code later on in this post.

As far as I recall this is what you will need to address.  Now, lets move onto storing the incoming data on the database.  I store each request in a class called an Entry.  Thus, each POST request to my servlet will be checked and if it isn’t tagged as a test, then it will be stored to the database.  The Entry object is marked as persistable and this makes it easy to store in the App Engine datastore.  Here is the code for the Entry object:

package net.zenconsult.keyserver;

import java.util.Date;

import javax.jdo.annotations.IdGeneratorStrategy;
import javax.jdo.annotations.IdentityType;
import javax.jdo.annotations.PersistenceCapable;
import javax.jdo.annotations.Persistent;
import javax.jdo.annotations.PrimaryKey;

import com.google.appengine.api.datastore.Key;

@PersistenceCapable(identityType = IdentityType.APPLICATION)
public class Entry
{
	@PrimaryKey
    @Persistent(valueStrategy = IdGeneratorStrategy.IDENTITY)
    private Key key;

	@Persistent
	private String email;

	@Persistent
	private String product;

	@Persistent
	private String version;

	@Persistent
	private String transactionId;

	@Persistent
	private Date creationDate;

	public Entry(String email, String product, String version, String transactionId)
	{
		setEmail(email);
		setProduct(product);
		setVersion(version);
		setTransactionId(transactionId);
		setCreationDate(new Date());
	}

	/**
	 * @param key the key to set
	 */
	public void setKey(Key key) {
		this.key = key;
	}

	/**
	 * @return the key
	 */
	public Key getKey() {
		return key;
	}

	/**
	 * @param email the email to set
	 */
	public void setEmail(String email) {
		this.email = email;
	}

	/**
	 * @return the email
	 */
	public String getEmail() {
		return email;
	}

	/**
	 * @param product the product to set
	 */
	public void setProduct(String product) {
		this.product = product;
	}

	/**
	 * @return the product
	 */
	public String getProduct() {
		return product;
	}

	/**
	 * @param version the version to set
	 */
	public void setVersion(String version) {
		this.version = version;
	}

	/**
	 * @return the version
	 */
	public String getVersion() {
		return version;
	}

	/**
	 * @param transactionId the transactionId to set
	 */
	public void setTransactionId(String transactionId) {
		this.transactionId = transactionId;
	}

	/**
	 * @return the transactionId
	 */
	public String getTransactionId() {
		return transactionId;
	}

	/**
	 * @param creationDate the creationDate to set
	 */
	public void setCreationDate(Date creationDate) {
		this.creationDate = creationDate;
	}

	/**
	 * @return the creationDate
	 */
	public Date getCreationDate() {
		return creationDate;
	}

}

Once you get this up and running, you have about the simplest mechanism for working with Dynamic Licensing with not only BlackBerry App World, but other stores as well.  You can, of course, make this as grandiose as you wish; that part is left as an exercise.  I’m just giving you a point to start at.

[Call Attribute: upto 4 characters][Date or Time: upto 6 characters]

Some examples of these are:

(W) 9:58p
(W2)11:22p
(H) 01/09

You will see in example 2 above, that all 10 characters are used up.  After I figured this out, the rest was pretty straightforward.  Here is the source code to my Field called PhoneNumberListField.

import net.rim.device.api.ui.DrawStyle;
import net.rim.device.api.ui.Graphics;
import net.rim.device.api.ui.component.ListField;
import net.rim.device.api.ui.component.ObjectListField;

public class PhoneNumberListField extends ObjectListField
{

	public PhoneNumberListField()
        {
     	    super();
        }

	public PhoneNumberListField(long style)
        {
     	    super(style);
        }

        public void drawListRow(ListField listField, Graphics graphics,
        		int index, int y, int width)
        {

        	String tmpCol1 = (String) this.get(listField, index);
        	String col1 = tmpCol1.substring(0, (tmpCol1.length() - 10));
        	String col2 = tmpCol1.substring(tmpCol1.length()-10);

        	int col2Size = this.getFont().getAdvance(col2);
                int col1Size = width - col2Size;

        	int col1Start = 0;
        	int col2Start = (width - col2Size);

        	graphics.drawText(col1, col1Start, y, DrawStyle.ELLIPSIS, col1Size);

        	graphics.drawText(col2, col2Start, y, DrawStyle.HDEFAULT, col2Size);

        }

}

How to implement

You first create an array of Strings.  This array can contain phone numbers or a combination of First Name, Last Name together with the phone attribute like (W), (H) for Work and Home numbers respectively.  The last field will be the date or time.  I check the time of the call to see if it is older than 24 hours.  If it is, I use the date.  The format for the time is “h:mma” and for date it is “MM/dd”.  You can format these using SimpleDateFormat.

The full list of BlackBerry Attributes are represented as follows:

Home: (H)
Work: (W)
Mobile: (M)
Pager: (P)
Fax: (F)
Other: (O)
Work2: (W2)
Home2: (H2)

The attribute constants can be found in the BlackBerryContact Interface.  A typical array of mine would look like this:

String[] numList = {“Sheran Gunasekera (W) 09/09”, “Scott Mosier (M) 9:39a”,
“Kevin Smith (M)10:39p”, “+12120031337     10:04p};

Then, if I want to place this field on my MainScreen, I do this:

PhoneNumberListField numbers = new PhoneNumberListField();
numbers.setEmptyString(“*** No Calls Yet ***”, DrawStyle.HCENTER);
numbers.set(numList);
add(numbers);

This is what it looks like:

PhoneNumberListField

1. You don’t know if your “Input Simulation” permission is set to “Allow”.  If it is allowed, any application can make key-presses on your handheld as if they were you.  Potential: an application can answer your phone calls.
2. You’re not sure your “Security Timer Reset” permission is set to “Allow”.  If it is, then any application can render your screen lockout useless.

I can almost hear you asking me, “Why tell me about it? You think I don’t know about this?” and the truth is, its an even split.  There are users out there that are blissfully unaware of things like Default Application Permissions.  The BlackBerry is going the way of the consumer, and fast.  With the rise in popularity of the BlackBerry Internet Service, a user no longer needs to be a part of an large organization to reap the many benefits of a BlackBerry.  The flip side?  There is no enterprise security administrator or policy to protect these users.  Thus when they decide to go with BIS, they take on the task of remaining secure.  For a second, leave these users out of the picture.  Pick the other half of the users who are aware.  Suppose they set some permissions and then forgot about them?  Maybe they allowed access based on an application requesting them to do so and they never set the permissions back.  What then?

I thought about this and came up with a solution of sorts.  Why not have a list of the most important security permissions and check them at a timed interval to see if they have been changed?  If they have, then send the user an alert.  Here’s the code I came up with:

package com.zensay.sectest;

import java.util.Timer;
import java.util.TimerTask;
import net.rim.device.api.applicationcontrol.ApplicationPermissions;
import net.rim.device.api.applicationcontrol.ApplicationPermissionsManager;
import net.rim.device.api.system.Application;
import net.rim.device.api.system.Bitmap;
import net.rim.device.api.ui.Manager;
import net.rim.device.api.ui.Screen;
import net.rim.device.api.ui.Ui;
import net.rim.device.api.ui.UiEngine;
import net.rim.device.api.ui.component.Dialog;

public class Main extends Application
{
    public static void main(String args[])
    {
        Main app = new Main();
        app.enterEventDispatcher();
    }

    public Main()
    {
        TimerTask tm = new TimerTask()
        {
			public void run()
			{
				reqPerm();
			}
        };
    	Timer t = new Timer();
        t.schedule(tm,10000, 10000);
    }

    public void reqPerm()
	{
		ApplicationPermissionsManager apm = ApplicationPermissionsManager.getInstance();
		int input = apm.getPermission(ApplicationPermissions.PERMISSION_INPUT_SIMULATION);
		if(input == ApplicationPermissions.VALUE_ALLOW)
		{
			synchronized(Application.getEventLock())
			{
				UiEngine ui = Ui.getUiEngine();
				Screen screen = new Dialog(Dialog.D_OK, "Input Simulation is allowed!!",
						Dialog.OK, Bitmap.getPredefinedBitmap(Bitmap.EXCLAMATION), Manager.VERTICAL_SCROLL);
				ui.pushGlobalScreen(screen, 1, UiEngine.GLOBAL_QUEUE);
			}
		}
	}
}

To explain it a little bit, the code (when compiled, signed and executed on your BlackBerry) will check your “Input Simulation” permission.  If it is set to “Allow” the application will pop open a message window and notify the user.  It does this every 10 seconds.  Its annoying as hell, but I think you get the general idea.  I tested this on my Bold and it works very well.  I’m thinking about making it an additional feature in Kisses; with a slightly longer timeout of course.  Its a feature I would find useful.

The Security Timer Reset permission is set to Deny by default.  This is good.  Be wary of applications asking you for Allow permissions on this.  One of the things you can do with this permission enabled is to delay your lock screen.  Indefinitely.

The lock screen usually appears when your Security Timeout is exceeded.

Device Lock Screen

For example, if you have a Security Timeout set to 2 minutes, your screen will lock automatically and you will have to enter your password to access the device again.  This is handy to have, if you leave your BlackBerry on your desk at work and are afraid someone will pick it up and install nasty stuff on your BlackBerry.

Security Timeout

Let’s take the case where you download a malicious application (you don’t know its malicious of course).  It is such a compelling one (read: porn slideshow) that you just HAD to download it.  Now the application innocently asks you for the “Event Injection” & “Security Timer Reset” permission to ‘advance’ the slides back and forth.  “Sure”, you think, “no problems there now is it?” and you grant Allow access to the application.  What this application could do is to then inject a key event every 15 seconds.  This can be done so that you don’t notice.  When this key event is injected every 15 seconds, its as if you are moving the trackball or clicking a key.  This delays the device lockout because the timer is reset every 15 seconds.  The device will now never lock itself out.

So be wary of granting Allow Permissions on almost everything.  I know UberTwitter is an application that asks for a lot of Allow permissions (although it doesn’t ask you for the Security Timer Reset permission).  I think it might be worthwhile starting a Permissions Hall of Shame on my site, just to list such offenders.

Permission Change Request

Allow All

...like really!

The thread demonstrates some of the ways in which people formulate opinions and it highlighted something very important; to me at least.  Its a trait that I have seen with so many developers of applications as well.  It would appear to me that people are always looking to “play” within a certain set of distinct boundaries.

I’ll give you an example of a web application developer.  In one banking application I tested, I was able to do a “negative transfer”.  It worked like this, if Alice were to transfer -$1000 to Bob, the logic of the application made Bob do a transfer of $1000 to Alice.  So by Alice initiating a negative transfer, she was able to pull money out of Bob’s account.  When confronted with this, the developer simply stated “yes, but a user is not supposed to do this.”  Well of course he’s not supposed to do this, but isn’t it your job as a developer to check for it?  An attacker is not going to play nice; he’s going to find any way he can to own you.  If he can’t hack your systems, he’ll come at you with a knife or a gun.  To him, the end goal is getting what he wants.  He’s not going to stop doing something just because “a user is not supposed to do this”.

If you take the case of what happened in the forums above, it seems very similar.  Here goes:

The forum users and moderators that did reply, seem to be under the impression that just because I released PhoneSnoop, I am trying to infect them by pushing Kisses (in their minds a malicious app) as a cure.  So to me, at least, it appears that their “boundary” or “sandbox” is the fact that I should have released one or the other but not both.  I’ll cover why this is not a very sound way of thinking later, but first, some fun.  Here are some of the things said in the forum post if you didn’t bother reading the whole thing.

• I was asked if now that I had raised awareness how long I will make PhoneSnoop available for.
• I was compared to a fox guarding a hen house
• I was compared to a pharmaceutical company
• I was wished with “Kisses of death”
• I was threatened with being sent back to Sri Lanka in a box.
• I was called a lovely set of names ranging from “super-spy”, “spy-master” and compared with mid-eastern terrorists
• I asked for donations to help get my hands of copies of FlexiSpy and MobileSpy (mostly because I was writing Kisses for free and was not in a position to pay over $200 for them) and thanks to some members of the phone community out there, I was able to get my hands on copies.  I was questioned as to why I asked for donations and they stated that even free anti-virus product companies don’t ask for donations.
• One of them thinks my Kim Jong Il avatar (taken from Team America; very apt in this case I must say ) on my twitter page makes me look very shady.

So I now am going to dub these wonderful people who are protectors of the BlackBerry community as Team BlackBerryForums.

I have to admit, though, that I respect them very much.  The are very dedicated and I hope that most of what they say comes from some place inside them where they want to protect other users.  For this, yes, I have to bow down and say that I’m impressed.

Right, now onto the reason why this sort of behavior is not very helpful.  First, I really don’t care if users don’t download and use my Kisses application.  I put it up there, because I wanted to give something back to users for free to help them protect themselves.  This was my only intention.

By making it appear to other users that I am evil because I wrote PhoneSnoop and now I’m writing Kisses, Team BlackBerryForums are not being helpful to their users.  Its like in Green Eggs and Ham – a pre-conceived notion before investigating things further. It would have been far more helpful to their users if they had verified things first before seemingly writing off the app as spyware.  To their credit, however, they did ask a lot of questions.  CrackBerry Forums just shut down the thread.  If they had researched what I presented in the Hack In The Box security conference, they would known that there are far more creative ways of infecting BlackBerry users.  I tried to stress this point in my replies, but I guess their minds were already made up.

Lets hypothetically take the situation where I am someone evil and my only job is to spy on BlackBerry users.  I think I would have a far better chance of being stealthy.  I would certainly not highlight the fact that I can bug peoples phones and I surely would not release a proof-of-concept application.  This removes the element of stealth from my plan.  This is how I would do it, again, hypothetically.

I think Team BlackBerryForums believes that by releasing a proof-of-concept tool makes me a terrorist of sorts.  They seem to think that nothing I do from now on can be trusted and is not well-intentioned.  Now I can see how they would think that.  But surely, they should be aware that if I had a serious need to read people’s email or tap their phone calls, I would find a way to do it?  And do it quietly?

Looking at my latest log file, I have 489 distinct downloads of Kisses.  I have had numerous emails from people asking me to support older versions of their BlackBerries and I have had lots of emails thanking me for releasing the free app.  I’m very happy that some people out there perceive the app as useful.  I think that’s enough for me.  So for the sake of those people out there, I will continue to develop Kisses and release it.  A big thanks go out to you guys.