BlackBerry has patched a vulnerability in its BlackBerry 10 devices that could allow an attacker to intercept users' traffic to and from the BlackBerry World app store and potentially install malware on a targeted device.
The vulnerability is a weakness in the integrity checking system that BlackBerry uses to verify the apps that users download. If an attacker is able to gain a man-in-the-middle position between a user and the BlackBerry World servers, he could replace the legitimately requested app with malware. BlackBerry says that the vulnerability only affects devices running BlackBerry 10, and recommends updating to the new version of the app as soon as possible.
A vulnerability exists in the BlackBerry World service's download mechanism, which is used by the BlackBerry World app on affected BlackBerry 10 smartphones. BlackBerry World allows you to search for and download apps for your BlackBerry device. BlackBerry World employs application integrity checking and secure download methods to ensure that the correct app is downloaded and installed. In some cases, a weakness in these methods could allow an attacker, through a man-in-the-middle attack, to intercept a user's BlackBerry World application download and, as a result, install malware on the device. Successful exploitation of this vulnerability could potentially result in an attacker gaining access to any data or settings that are accessible through the permissions that the user accepted when installing the malicious app.
In order to exploit this vulnerability, an attacker must intercept a user's application download/update request from BlackBerry World over a compromised network and replace the response from the server with a malicious file. The user must then accept the app permissions and install the malicious application.
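The weakness described above, in reduced form, as an added illustration that is not BlackBerry's code: an integrity check that only compares the downloaded file against a digest carried in the same unauthenticated response cannot tell a tampered download from an honest one, because whoever replaces the file can replace the digest too. Anchoring the expected digest in a value obtained over an authenticated channel (the mitigation the article refers to as moving communications to SSL, or a signed manifest) makes the replaced file fail verification. All package bytes and digests here are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample payloads (not real BlackBerry packages).
LEGIT_PKG = b"BAR\x00legit-app-v1"
MALICIOUS_PKG = b"BAR\x00replacement-app"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class DownloadResponse:
    """What the client receives from the download server. On an unauthenticated
    network path a man-in-the-middle can rewrite both fields."""
    package: bytes
    claimed_digest: str  # digest delivered alongside the package, same channel


def weak_verify(resp: DownloadResponse) -> bool:
    """Check anchored in the response itself: catches corruption, not substitution."""
    return hmac.compare_digest(sha256_hex(resp.package), resp.claimed_digest)


def hardened_verify(resp: DownloadResponse, pinned_digest: str) -> bool:
    """Check anchored in a digest the client obtained over an authenticated
    channel (e.g. a TLS-protected catalog lookup or a signed manifest)."""
    return hmac.compare_digest(sha256_hex(resp.package), pinned_digest)


def mitm_replace(_resp: DownloadResponse) -> DownloadResponse:
    """Model the advisory's attack: the server response is swapped for a
    malicious file, with a matching digest so the weak check still passes."""
    return DownloadResponse(MALICIOUS_PKG, sha256_hex(MALICIOUS_PKG))


def simulate() -> dict:
    catalog_digest = sha256_hex(LEGIT_PKG)  # learned over the authenticated channel
    honest = DownloadResponse(LEGIT_PKG, catalog_digest)
    tampered = mitm_replace(honest)
    return {
        "weak_honest": weak_verify(honest),
        "weak_tampered": weak_verify(tampered),        # True: attack undetected
        "hardened_honest": hardened_verify(honest, catalog_digest),
        "hardened_tampered": hardened_verify(tampered, catalog_digest),  # False
    }


if __name__ == "__main__":
    for check, passed in simulate().items():
        print(f"{check}: {'accepted' if passed else 'rejected'}")
```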
The vulnerability affects versions 10.2, 10.2.1 and 10.3 of the BlackBerry World app.
The impacted BlackBerry World versions on BlackBerry 10 smartphones depend on the BlackBerry 10 OS version, as follows:

| BlackBerry 10 OS version | Affected BlackBerry World versions |
|---|---|
| 10.3.0 | Versions earlier than 220.127.116.11 |
| 10.2.1 | Versions earlier than 18.104.22.1683 |
| 10.2.0 | Versions earlier than 22.214.171.1242 |
BlackBerry has issued a fix for this vulnerability, which is included in the specified BlackBerry World resolution versions. The resolution versions depend on the BlackBerry 10 OS version, as follows:

| BlackBerry 10 OS version | Resolution BlackBerry World versions |
|---|---|
| 10.3.0 | Versions 126.96.36.199 and later |
| 10.2.1 | Versions 188.8.131.523 and later |
| 10.2.0 | Versions 184.108.40.2062 and later |
Manually update the BlackBerry World application
You can download BlackBerry World or manually update your existing version of BlackBerry World by visiting www.mobile.blackberry.com from your BlackBerry device or by visiting www.blackberry.com/blackberryworld from a computer.
BlackBerry says that user communications with BlackBerry World are now done over SSL, which can help protect against MITM attacks.