<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Chirashi Security &#187; permissions</title>
	<atom:link href="http://chirashi.zenconsult.net/tag/permissions/feed/" rel="self" type="application/rss+xml" />
	<link>http://chirashi.zenconsult.net</link>
	<description>A blog with scattered thoughts on security</description>
	<lastBuildDate>Sun, 16 Oct 2011 17:26:37 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Mice, Permissions and a Solution?</title>
		<link>http://chirashi.zenconsult.net/2009/11/mice-permissions-and-a-solution/</link>
		<comments>http://chirashi.zenconsult.net/2009/11/mice-permissions-and-a-solution/#comments</comments>
		<pubDate>Fri, 27 Nov 2009 18:14:04 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[BlackBerry]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[development]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[permissions]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://chirashi.zensay.com/?p=394</guid>
		<description><![CDATA[The BlackBerry default application permissions should be one of the most important things to a BlackBerry Internet Service (BIS) user.  But how can these application permissions be monitored and checked for those times when they are changed (creating a potentially risky situation) and the user forgets to revert to its original setting?  This post will highlight a possible mechanism of checking for the most critical permissions.  There's also some sample program source code that users can download and play with.]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-medium wp-image-399" style="padding: 0 7px 5px 0" title="mice" src="http://chirashi.zenconsult.net/wp-content/uploads/2009/11/mice-300x218.jpg" alt="mice" width="300" height="218" />What do mice do when it’s cold?  They sit around a candle.  What do they do when it’s really cold?  They light the candle.  In a sense, the same applies to the Default Application Permissions on your BlackBerry.  They are important, but without being set correctly and understood well, they’re very much like the unlit candle the mice sit around: lots of potential, but completely ineffectual.  The perils of not setting your application permissions correctly?  Here are two:</p>
<ol>
<li>You don’t know if your “Input Simulation” permission is set to “Allow”.  If it is allowed, any application can make key-presses on your handheld as if they were you.  Potential: <a href="http://chirashi.zensay.com/2009/10/remote-listening-for-the-blackberry/">an application can answer your phone calls</a>.</li>
<li>You’re not sure your “Security Timer Reset” permission is set to “Allow”.  If it is, then any application can <a href="http://chirashi.zensay.com/2009/11/the-security-timer-reset-permission/">render your screen lockout useless</a>.</li>
</ol>
<p>I can almost hear you asking me, “Why tell me about it? You think I don’t know about this?” and the truth is, it’s an even split.  There are users out there that are blissfully unaware of things like Default Application Permissions.  The BlackBerry is going the way of the consumer, and fast.  With the rise in popularity of the <a href="http://en.wikipedia.org/wiki/BlackBerry_Internet_Service" target="_blank">BlackBerry Internet Service</a>, a user no longer needs to be part of a large organization to reap the many benefits of a BlackBerry.  The flip side?  There is no <a href="http://en.wikipedia.org/wiki/BlackBerry_Enterprise_Server" target="_blank">enterprise security administrator</a> or policy to protect these users.  Thus when they decide to go with BIS, they take on the task of remaining secure.  For a second, leave these users out of the picture.  Pick the other half of the users, the ones who are aware.  Suppose they set some permissions and then forgot about them?  Maybe they allowed access because an application requested it, and they never set the permissions back.  What then?</p>
<p>I thought about this and came up with a solution of sorts.  Why not have a list of the most important security permissions and check them at a timed interval to see if they have been changed?  If they have, then send the user an alert.  Here’s the code I came up with:</p>
<pre lang="JAVA">package com.zensay.sectest;

import java.util.Timer;
import java.util.TimerTask;
import net.rim.device.api.applicationcontrol.ApplicationPermissions;
import net.rim.device.api.applicationcontrol.ApplicationPermissionsManager;
import net.rim.device.api.system.Application;
import net.rim.device.api.system.Bitmap;
import net.rim.device.api.ui.Manager;
import net.rim.device.api.ui.Screen;
import net.rim.device.api.ui.Ui;
import net.rim.device.api.ui.UiEngine;
import net.rim.device.api.ui.component.Dialog;

// Background application that polls the Input Simulation permission on a
// timer and warns the user whenever it is found to be set to Allow.
public class Main extends Application
{
    public static void main(String args[])
    {
        Main app = new Main();
        app.enterEventDispatcher();
    }

    public Main()
    {
        // The check runs on the timer's own thread, not the event thread.
        TimerTask tm = new TimerTask()
        {
            public void run()
            {
                reqPerm();
            }
        };
        Timer t = new Timer();
        // First check after 10 seconds, then repeat every 10 seconds.
        t.schedule(tm, 10000, 10000);
    }

    public void reqPerm()
    {
        ApplicationPermissionsManager apm = ApplicationPermissionsManager.getInstance();
        // Current value of the Input Simulation permission as it applies to this application.
        int input = apm.getPermission(ApplicationPermissions.PERMISSION_INPUT_SIMULATION);
        if(input == ApplicationPermissions.VALUE_ALLOW)
        {
            // UI changes from a non-UI thread must hold the event lock.
            synchronized(Application.getEventLock())
            {
                UiEngine ui = Ui.getUiEngine();
                Screen screen = new Dialog(Dialog.D_OK, "Input Simulation is allowed!!",
                        Dialog.OK, Bitmap.getPredefinedBitmap(Bitmap.EXCLAMATION), Manager.VERTICAL_SCROLL);
                // Push as a global screen so the warning shows over whatever is in the foreground.
                ui.pushGlobalScreen(screen, 1, UiEngine.GLOBAL_QUEUE);
            }
        }
    }
}</pre>
<p><img class="alignnone size-medium wp-image-406" title="perm_check" src="http://chirashi.zenconsult.net/wp-content/uploads/2009/11/perm_check-188x300.jpg" alt="perm_check" width="188" height="300" /></p>
<p style="clear: both;">To explain it a little bit, the code (when compiled, signed and executed on your BlackBerry) will check your “Input Simulation” permission.  If it is set to “Allow”, the application will pop open a message window and notify the user.  It does this every 10 seconds.  It’s annoying as hell, but I think you get the general idea.  I tested this on my Bold and it works very well.  I’m thinking about making it an additional feature in Kisses, with a slightly longer timeout of course.  It’s a feature I would find useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://chirashi.zenconsult.net/2009/11/mice-permissions-and-a-solution/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The &#8216;Security Timer Reset&#8217; permission</title>
		<link>http://chirashi.zenconsult.net/2009/11/the-security-timer-reset-permission/</link>
		<comments>http://chirashi.zenconsult.net/2009/11/the-security-timer-reset-permission/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 18:14:53 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[BlackBerry]]></category>
		<category><![CDATA[permissions]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ubertwitter]]></category>

		<guid isPermaLink="false">http://chirashi.zensay.com/?p=334</guid>
		<description><![CDATA[Did you ever wonder what some of those Application Permissions were on your BlackBerry?  I&#8217;m putting together a paper that details the more important ones and why you should be careful in changing them.  For now, I thought I&#8217;d share some information about the &#8220;Security Timer Reset&#8221; permission and what you can do with it. [...]]]></description>
			<content:encoded><![CDATA[<p>Did you ever wonder what some of those Application Permissions were on your BlackBerry?  I&#8217;m putting together a paper that details the more important ones and why you should be careful in changing them.  For now, I thought I&#8217;d share some information about the &#8220;<em>Security Timer Reset</em>&#8221; permission and what you can do with it.</p>
<p>The Security Timer Reset permission is set to Deny by default.  This is good.  Be wary of applications asking you for Allow permissions on this.  One of the things you can do with this permission enabled is to delay your lock screen.  Indefinitely.</p>
<p>The lock screen usually appears when your <em>Security Timeout</em> is exceeded.</p>
<div id="attachment_336" class="wp-caption alignnone" style="width: 250px"><img class="size-full wp-image-336" title="9000_lock_screen" src="http://chirashi.zenconsult.net/wp-content/uploads/2009/11/9000_lock_screen.png" alt="Device Lock Screen" width="240" height="160" /><p class="wp-caption-text">Device Lock Screen</p></div>
<p>For example, if you have a <em>Security Timeout</em> set to 2 minutes, your screen will lock automatically and you will have to enter your password to access the device again.  This is handy to have if you leave your BlackBerry on your desk at work and are afraid someone will pick it up and install nasty stuff on it.</p>
<div id="attachment_335" class="wp-caption alignnone" style="width: 250px"><img class="size-full wp-image-335" title="9000_lock_screen-01" src="http://chirashi.zenconsult.net/wp-content/uploads/2009/11/9000_lock_screen-01.png" alt="Lock Screen Timeout" width="240" height="160" /><p class="wp-caption-text">Security Timeout</p></div>
<p>Let&#8217;s take the case where you download a malicious application (you don&#8217;t know it&#8217;s malicious, of course).  It is such a compelling one (read: porn slideshow) that you just HAD to download it.  Now the application innocently asks you for the &#8220;<em>Event Injection</em>&#8221; &amp; &#8220;<em>Security Timer Reset</em>&#8221; permissions to &#8216;advance&#8217; the slides back and forth.  &#8220;Sure&#8221;, you think, &#8220;no problems there now, is it?&#8221; and you grant Allow access to the application.  What this application <strong><em>could</em></strong> do is to then inject a key event every 15 seconds.  This can be done so that you don&#8217;t notice.  When this key event is injected every 15 seconds, it&#8217;s as if you are moving the trackball or clicking a key.  This delays the device lockout because the timer is reset every 15 seconds.  <strong>The device will now never lock itself out.</strong></p>
<p>So be wary of granting Allow Permissions on almost everything.  I know UberTwitter is an application that asks for a lot of Allow permissions (although it doesn&#8217;t ask you for the Security Timer Reset permission).  I think it might be worthwhile starting a Permissions Hall of Shame on my site, just to list such offenders.</p>
<div id="attachment_337" class="wp-caption alignnone" style="width: 346px"><img class="size-full wp-image-337 " title="ubertwitter_2" src="http://chirashi.zenconsult.net/wp-content/uploads/2009/11/ubertwitter_2.png" alt="Permission Change Request" width="336" height="224" /><p class="wp-caption-text">Permission Change Request</p></div>
<div id="attachment_338" class="wp-caption alignnone" style="width: 346px"><img class="size-full wp-image-338 " title="ubertwitter_3" src="http://chirashi.zenconsult.net/wp-content/uploads/2009/11/ubertwitter_3.png" alt="Allow All" width="336" height="224" /><p class="wp-caption-text">Allow All</p></div>
<div id="attachment_339" class="wp-caption alignnone" style="width: 346px"><img class="size-full wp-image-339 " title="ubertwitter_4" src="http://chirashi.zenconsult.net/wp-content/uploads/2009/11/ubertwitter_4.png" alt="...like really!" width="336" height="224" /><p class="wp-caption-text">...like really!</p></div>
]]></content:encoded>
			<wfw:commentRss>http://chirashi.zenconsult.net/2009/11/the-security-timer-reset-permission/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

