Monday, February 9, 2015

Response - Web Security Analysis Of 12 BlackBerry 10 Applications

First, sorry for my very bad English and the construction of this post.

I have no bad intentions toward user data. I don’t store user passwords in any form, online or offline, and never have. I do store a cache for app use, like images, logged-in status, tokens and user IDs (OFFLINE), because it is required and for a better experience.

In Snap2Chat’s very early stages, I used my own server, http://kellyescape.com, without SSL / no HTTPS. After about 2 weeks Knobtviker (dev of Whine) advised/helped me to just sniff the API and use it directly, and so I did. No more using 3rd party servers. (This time it is very risky.)


I use the Flurry and Smaato SDKs, which BlackBerry advertised as SDKs that BlackBerry developers can use. Unfortunately I didn’t know they send over HTTP and not HTTPS. And if BlackBerry doesn’t want us to use HTTP, they shouldn’t have advertised the Smaato and Flurry SDKs to us.

Smaato advertised by BlackBerry:

The SDK provided by BlackBerry has a parameter where we can set an interval; the default is 10 and I set it to 10, so every 10 seconds it connects to the Smaato service. That’s why there are a lot of requests in Snap10: Snap10 uses tabs, and each of those tabs makes a request every 10 seconds. I have not fixed that yet. But there’s nothing bad it’s doing there; it doesn’t even increase revenue.

I just followed everything they provided, from the webcast meeting, the Smaato guys, and the Smaato ad sample BlackBerry provided on GitHub. And I cannot modify the compiled libraries to force them to use HTTPS, because they are their own and there’s no way. (Same with Flurry Analytics.)

Flurry advertised by BlackBerry: 

http://kellyescape.com (NO SSL) - this is my own domain and it’s hosted on my own host. (This has been dead for about 6 months now.) This was used for Snap2Chat and for FB Messenger for pulling sticker images, and also for my own web service, the ShoutBox in Snap2Chat.

The ShoutBox, I admit, doesn’t use SSL or HTTPS and is a very high security risk. And that’s why I shut it down early. This screenshot is by: http://www.filearchivehaven.com/2015/02/09/web-security-analysis-of-12-blackberry-10-applications/

I built ShoutBox so that Snap2Chat users can find more friends. It's a public chat room for all users.

This part of the code is for creating a user in the ShoutBox service. Profiles need some information and I chose to give it an age, biography, name, gender and username. This is the PLAIN TEXT they’re talking about.

EXTENDED PROFILE isn’t part of the SnapChat service (Snap2Chat hardcore early adopters know what this is; it is used for the ShoutBox).



https://cloudfront.net - it’s owned by Amazon. It’s used for storing pictures by some services (not my own services). I am not exactly sure in which app he got this, because none of my apps connect to it. (Not used for sending user data.)

http://parse.com (NO SSL) - it’s owned by Facebook. BlackBerry also provided a Parse SDK. (Used for pulling announcements and app status; not sending user data.)

http://blogblog.com (NO SSL) - I am not familiar with it, but I think it’s related to Smaato. (Not used for sending user data.)

http://nemorystudios.blogspot.com (NO SSL) - this is my own blog for my apps. Not used for sending or receiving data; it’s used for viewing the blog. (Not used for sending user data.)

http://ih6.googleusercontent.com (NO SSL) - this is owned by Google. (Not used for sending user data.)

http://chat.facebook.com (NO SSL) - it’s owned by Facebook. I used a Facebook Chat Qt library. (Used for sending and receiving chat messages.) Login for the Messenger app uses HTTPS/SSL and secure OAuth provided by Facebook.

http://translate.google.com - it’s owned by Google. (Not used for sending user data.) I use this website for translating texts to any language in the Twittly app. Login for the Twittly app uses HTTPS/SSL and secure OAuth provided by Twitter.

http://waterworldjax.com - my own host and domain - (used for Twitter OAuth; it does not store any username or password, and that is not possible, which is why there’s OAuth for more security; it just loads up the Twitter login page that Twitter requires it to use). Twitter requires a separate website link for OAuth. This is why I used this. Most Twitter apps use the same method.

Permissions used

Camera - to use the camera hardware
Capture Screen - used for saving edited Snaps (painting and caption)
Contacts - used for finding friends from contacts
Device Identifying Information - used for optimizing the UI: to get the display height and width and check which exact device it is
Internet - to use the internet
Location - to use the location service to get the location of the user (for Dater, and for FB Messenger for sending location in chats)
Microphone - required for recording videos
Post Notifications - to post notifications in the Hub
Push - for push notifications
Run as Active Frame - to run in an active frame
Shared Files - to allow the camera to save temporary images in the shared directory

I apologize for the security risks, and I will do patches for them. But I also suggest that BlackBerry not advertise the risky SDKs, so that we devs don’t use them.

Also, it’s not just my apps that use Flurry and Smaato. BlackBerry advertised them to thousands of devs, and for sure there are more than a thousand apps using the 2 risky services right now.

I am 100% true and honest that I don’t sell, or do whatever else with, the user data that’s being collected. I am just using the services provided by BlackBerry, and I only just found out they’re risky.

IF EVER BLACKBERRY WANTS 100% FULL PROOF, I AM 100% OKAY TO PROVIDE SOURCE CODE AND ALL THE INFORMATION NEEDED, EVEN DECOMPILING ALL VERSIONS.

I AM CONFIDENT THAT I AM NOT DOING ANY BAD THINGS AT ALL AND NEVER.

THANK YOU ALL


Tuesday, November 18, 2014

Snap10 - FAQs

——— Frequently Asked Questions ———

Can't find Snap10/Snap2Chat in BlackBerry World?


I am very sorry that you cannot download Snap10 anymore in BlackBerry World.
SnapChat told us to remove it and I cannot put it back anymore.
But I am still here and will not stop supporting my users. If you need any help please don’t hesitate to contact us.

Or if you prefer to install Snap10 BAR File please download the bar: 

Then follow this YouTube Video Tutorial on how to install BAR Files


Apply Filters? Fonts? Customizations? Replay? Notifications? Front Flash?

Customizations: Please tap the awesome Setting icon on the top right. Or swipe down from the top then tap Settings.
Filters and Fonts: Take a snap, then tap the Setting icon on top.

How to register?

My only solution for now is to borrow a friend’s iPhone or Android with SnapChat installed, or if they don’t have SnapChat installed, open their Google Play Store or App Store, search for SnapChat, download it, and register from there. After doing that you can log in with your information using Snap10. Please bear with us as we’re still working on an update.

Black Camera?

Please make sure you accepted all permissions, especially “Shared Files, Camera, Microphone”.
To re-enable permissions please go to http://goo.gl/xe0VNw and look for Snap10.
If you’re on the Passport and having a black screen when recording a video, we’re still working on a fix.

App crashing / not opening?

We’re very sorry for this issue; we’re still working on an update. But a workaround is to reinstall the app or restart your phone.
To uninstall: tap and hold the Snap10 icon, then tap the trash can icon. Or click this: http://goo.gl/VzPJGx then tap the menu on the bottom right and tap Uninstall.

Doesn’t accept the password?

There are some issues with passwords that use special characters, so what I can suggest is to please change your password to a simpler one without special characters.
To change your password please click: https://support.snapchat.com/login2?next=%2Fpassword-change

How to start a Chat Conversation?

The current version doesn’t support chats. We’re doing our best to implement that feature.


Can't login? Wrong username or password?

If you’re 100% sure your username and password are right, please try to reset your password to a simpler one: https://support.snapchat.com/password-reset-request

Forgot your password?

Please click: https://support.snapchat.com/password-reset-request


Looking for Privacy Terms?

Please click: https://www.snapchat.com/privacy

Snaps sent are half black?

Please send only when the keyboard is not showing.

—————————————————————
Thank you so much for using Snap10.

Download Twittly - Best Twitter Client: http://goo.gl/FrTVqA
Download Best Facebook Messenger : http://goo.gl/JS3w7c
Download Tinder Client - Dater - http://goo.gl/ieA9Kx

Follow @NemOry for more updates!
Join our BBM Channel: C00374EB3
More of our Apps: http://goo.gl/BXEDEK
Facebook Page: http://goo.gl/JtrMCK

Friday, October 3, 2014

Features of Twittly


Twittly's Features:

  • Super Beautiful User Interface, User Experience, User Friendly & Faster Network Response
  • Compose from the BlackBerry Hub
  • Set / Change In App Wallpaper
  • Full BlackBerry Passport Support (UI + Touch Sensitive Keyboard)
  • Super Advanced Compose Page with complete Emojis & Emoticons
  • Ability to attach Videos, Photos, Voice Notes and Location
  • Snap2Chat Photo Editor Integration
  • DropBox Integration
  • Ability to Merge Timelines from Multiple Accounts
  • Supports Full Keyboard Shortcuts
  • Online Wallpaper Store
  • Supports Unlimited Multiple Accounts
  • Super Advanced Translation Tool, Translate from any language to any language
  • Backup and Restore Settings
  • Ability to View Multiple Media in a Tweet
  • Ability to post from all accounts at the same time including BBM & Facebook Status Update
  • Ability to Switch to Dark Theme
  • Can View/Play 3rd Party Media Site Contents from YouTube, Vine, Instagram, SoundCloud and more without leaving the app
  • Ability to Compose SMS, Facebook Status, LinkedIn Status, BBM Message, and Email without leaving the app
  • Ability to Customize the Active Frame and show only latest Messages, Mentions or Timeline
  • Customize the Overall Color Scheme with our Beautiful Color Presets
  • Search with Super Advanced Filters: Only Users, Photos, Top, Recent, All or from Saved Search
  • Ability to Filter Timelines with only Replies, Photos, Retweets
  • In App Password Security
  • Advanced Retweet Options
  • Quick Pinch Gesture for Quicker Actions
  • Quick Tweet Button
  • Ability to Save Tweets for Offline Use
  • Customize Font Size, Weight and Alignment
  • Customize the Keyboard's Enter Key to Submit or as a New Line
  • Drafts
  • Ability to Live Stream Tweets with a Keyword/Location/Home Timeline
  • Ability to show a Tweet’s Location and Open the Location in an advanced 3D Perspective Map with a Compass and able to navigate
  • Option to Stay where you left off / Hold Place in Timeline
  • Ability to Share a Tweet to any type of Account (text only, with link, etc.)
  • Ability to Copy a Tweet with customizations very quickly and easily (text only, with link, etc.)
  • Tells you the Count of Retweets, Favorites, Followers, Following etc...
  • Share a Photo / Text / Link from the Gallery or anywhere in the OS to Twittly
  • Ability to show quick buttons for quicker actions
  • View Photos of a User Profile / Timeline
  • Super Advanced Preview of URL Embedded Content
  • Includes a Smooth and Fast Built-in Browser
  • Quick Jump to Top & Bottom Buttons
  • Less Clicks and Actions to go or do something
  • Has all the Official Twitter Functions
  • Open Links, Hashtags, Mentions from anywhere in the OS to Twittly
  • Ability to Clear Cache for a new and Refreshing Experience
  • Set how many items it should load per network request for a more personalized experience

Saturday, September 27, 2014

Twittly Beta Testers

So much thank you to all who have taken part in the Beta for Twittly. Without you guys the app wouldn’t have shaped up like this so quickly. The app is now incredibly feature packed. Thank you to all Beta Testers.
  • The Twittly Beta Tester Hardcores
    • Mossa / Massi (MondoBlackBerry)
    • Richard Staples
    • JSanders
    • DJ Reyes
    • Shlomi
    • Mortem
    • Badi
    • isKhazy
    • John Z
    • Elias
    • ChriZ KingDaddy
    • The (2) Andy's
    • Rohil
    • Xavier
    • Raju
    • Ronnel
    • Ali Makhlooq
    • Lil E
    • KPO
    • TheAsianEddie
    • John Clark
    • iam1Piece
    • Romain
    • Amir
    • BBSavior
    • Ben Smith
    • Bilal H
    • Indi
    • James Baker
    • Jess / JCangoku
    • Ju
    • Mike Vocalz
    • MARKKK
    • Omar Reyes
    • Stephen Aitchison
    • Steven
    • Wael
    • Willy Sandi
    • Zim
    • Christina
    • NerdyDaddyO
  • To all the Beta Zone Testers
  • The whole CrackBerry Forum Community in the Twittly Topic.

Thank you once again all! :)

Twittly Tutorial