11-27-2009 09:19 AM
I am working on an app and am wanting to sign/encode the file with a public/private key that I created. I have created the key and everything seems to be working as far as creating the file, except that I cannot view the file on my BlackBerry. I keep getting an error that the file already exists when I try to create the file in my app, but the folder that I created is empty when I look on the phone. When I have the device connected to the debugger, it throws an error in the file explorer saying that it is not signed with my key. Is this supposed to be the expected result? I would think the BB OS would be able to bypass the file key requirements at least for the file explorer. I think this would be a major bug as someone could create and sign files on your device without your knowledge and there would be no way for you to find out if you do not know and have their key.
I am using the BB Storm with Verizon OS 184.108.40.2068.
11-27-2009 11:23 AM
I'm not clear on what you are saying. I think you are saying that it seems possible for an application to create hidden files on your system? I'm not sure if you are saying that or you are asking for help because your app does not create a file - the folder is empty?
Can you please clarify what you are reporting here?
11-27-2009 01:48 PM
You can use code signing on files as well as applications (in case you were not aware). I have an app that uses a CodeSigningKey to encode files written to the device so that only my program can read them. I assume that it is working as there is no error thrown when the file is initially created, but only when I am attempting to overwrite or append to it. When I try to do one of those I get an error message that the file already exists. When I use the native file explorer in the BB OS, it does not show any files in the directory(ies). When I attach my device to the debugger it throws a SecureAccessException (or whatever the exact wording is) and says that the BB file explorer is not signed with my private key that I created.
My issue is:
* Why would the BB OS not be able to read (or at least discover) any file that is on the file system?
* This seems to be a security issue to me because people can hide files on your device and you would never know it
11-28-2009 10:34 AM
CMY wrote: "This seems to be a security issue to me because people can hide files on your device and you would never know it"
Doesn't seem like a big deal to me. You can write to the persistent store and most users will never see it.
If you use the crypto stuff it has to be signed so if you do something bad RIM will know who you are.
11-28-2009 05:20 PM
That is true, but when something is written to the persistent store you know because the RMS database size grows, but you would not readily notice that on the onboard memory. Also the persistent store has a limited size and number of files; while the same is true for the internal memory, it is a lot larger. Though the security issues may not be much of an issue, I think it is an issue that the native OS file explorer cannot read files that were not signed with RIM keys. The device can check that an app is signed with your private keys, so why not include the ability to actually determine that the files are there?
12-01-2009 04:41 PM
Anyone from RIM care to comment on whether the OS (system File Explorer) should be able to detect files on the device that were signed with a non-RIM-issued key?
12-07-2009 06:35 PM
I think I agree with jonberry, if this is a security exposure, this seems "small beer" compared with other things that an installed program could do - for example delete emails at random, or bug the owner (as seen with PhoneSnoop).
Regarding the fact that encrypted files are hidden, I can see this from both sides. If I wanted to encrypt a file so that no-one else could view it, then I might also want to hide it by default. I suspect you can hide files that are not encrypted anyway - otherwise why would the file connection API have a setHidden method?
So perhaps you could test whether setHidden actually hides files as well before worrying about hidden encrypted files? Just a thought.
12-08-2009 01:18 AM
The security issue is not really a big deal as there are other more vicious things that an app can do.
The issue with not being able to see the files is that even if you set a file to hidden you can unhide it in the file explorer (there is an option under the BB menu) so the files are still viewable on the device.
With the "signed" files, there is no way at all to view the files, unless your app is also signed with the key. So with that, you would have to know the location of the file on the device in order to be able to find it (kind of a paradox since if you knew where the file was, you would not need to search for it). The only reason this could become an issue is that everything in the persistent store is erased on an OS upgrade, and while you can save the data to the device (SDCard would work, but then what if it is removed?) what if the directory that you saved it to were moved or removed? Then the file would be lost and there would be no way to recover the contents, which if the file is important enough to want to encrypt/hide then losing it could be a very big issue.
So my real question is, why would the OS not be able to detect that the file was on the device? You don't need to be able to read it, just know that it is there.
12-10-2009 05:11 PM
What type of file are you creating? Where are you saving the file to? Can you provide the path/directory you are using? Does the file show up if you choose "Show Hidden" in the file explorer menu? That should display everything. If not, could you post some sample code that shows how you are saving the file? Does the file show up in Windows when using USB mass storage mode?