Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Web and WebWorks Development

Reply
Developer
Developer
Posts: 607
Registered: ‎04-29-2011
My Device: PlayBook 16GB, BB10 LE Z10 (red)
My Carrier: none

BB10 - blackberry.io.sandbox - What about security?

Hi @all.

 

Working with the new HTML5 fileSystem support in BB10 you can access shared folders if you use the below piece of source, if you set the value to true nothing happens and you won't be able to access the shared folders, also not if permission is granted by the user on installation of you app:

 

// un-sandbox file system to access shared folder
blackberry.io.sandbox = false;

I tried working with it and yes, it works very well, but for me it isn't quite the result I would expect from a sandboxed file system. Since when changing like done above to un-sandbox the file system I'm able (and so also the user if apps are not well done) access the whole file system with all the files and folders. For me this is a big security issue.

 

Since an app is asking for the permission to access the shared folders, it shouldn't be "sandboxing" the shared folders at all, but it should sandbox all other files and folders in root for those permissions. I do not know if this is for development purposes only at this time or in general for the future.

 

Haven't I understand it in the right way to (un-)sandbox the file system in BB10 or I'm right with this security issue/mistake/bug?


"Like" if you liked the post.
"Accept as Solution" if the post solves your question.
Retired
Posts: 1,382
Registered: ‎07-02-2009
My Device: BlackBerry Bold 9900
My Carrier: Bell

Re: BB10 - blackberry.io.sandbox - What about security?

I've asked for clarification over the nature of the blackberry.io.sandbox API.  It is designed to allow you to access different parts of the file system.  The /shared folder should be the only one that you gain access to when changing this value.

 

>> I'm able (and so also the user if apps are not well done) access the whole file system with all the files and folders

 

Can you confirm which file system folders you are able to access?

Follow me on Twitter: @n_adam_stanley
-------------------------------------------------------------------------------------------------------------------------
Your app doesn't work? Use BlackBerry remote web inspector to find out why.
New Contributor
Posts: 6
Registered: ‎07-30-2012
My Device: torch 9810
My Carrier: tesco

Re: BB10 - blackberry.io.sandbox - What about security?

wot lol
Developer
Developer
Posts: 607
Registered: ‎04-29-2011
My Device: PlayBook 16GB, BB10 LE Z10 (red)
My Carrier: none

Re: BB10 - blackberry.io.sandbox - What about security?


astanley wrote:

I've asked for clarification over the nature of the blackberry.io.sandbox API.  It is designed to allow you to access different parts of the file system.  The /shared folder should be the only one that you gain access to when changing this value.

 

>> I'm able (and so also the user if apps are not well done) access the whole file system with all the files and folders

 

Can you confirm which file system folders you are able to access?


Hi Adam. Will send you a PM with a screenshot. I think if un-sandboxing the filesystem a user/dev only should be able to see the shared + home + sdcard folders and files recursivly.


"Like" if you liked the post.
"Accept as Solution" if the post solves your question.
BlackBerry Development Advisor
Posts: 137
Registered: ‎01-19-2010
My Device: BlackBerry Z10
My Carrier: AT&T

Re: BB10 - blackberry.io.sandbox - What about security?

Hello everyone.

 

When you un-sandbox the filesystem, you get access to the same things you would if you were a native application using our Native SDK.  The OS still enforces the file system permissions, so you won't get access to areas/files that your shouldn't based on the user permissions and security.   So when you un-sandbox then request a File System, you will get one that has it's root at "/".  We then provide in blackberry.io defined constants to take you directly to the home, SD Card, and Shared folder (which automatically configures to either the Personal or Enterprise perimeter shared folder based on where the app was installed from).

 

Thanks!

Ken Wallis - Senior Product Manager, WebWorks and Android Runtime
@ken_wallis
Developer
Developer
Posts: 607
Registered: ‎04-29-2011
My Device: PlayBook 16GB, BB10 LE Z10 (red)
My Carrier: none

Re: BB10 - blackberry.io.sandbox - What about security?


kwallis wrote:

Hello everyone.

 

... So when you un-sandbox then request a File System, you will get one that has it's root at "/".  We then provide in blackberry.io defined constants to take you directly to the home, SD Card, and Shared folder (which automatically configures to either the Personal or Enterprise perimeter shared folder based on where the app was installed from).

 

Thanks!


Hi Ken.

 

Why we, as a developer, need access to a uge number of files in some folders when looking recursively through the filesystem that are for eg. configuration of hardware. We can not change them as of permissions and I think they also do not need to be visible to us, isn't it?

 

Regards.


"Like" if you liked the post.
"Accept as Solution" if the post solves your question.