10-03-2013 11:45 AM
When sending an APDU to a microSD smart card via SmartCardSession.sendAPDU(), the first 16 or so bytes of the APDU response are printed to the debug console. Is it possible to turn this off (notice that information about the APDU command, such as length, is printed, but not the actual command bytes)? Printing the response bytes to the console could expose sensitive information. See console output below, noting lines prefixed with "microSD-JNI":
[577.07] Calling SmartCardSession.sendAPDU()...
[577.078] microSD-JNI: exchangeApdu() - channel=0, clength=5, tag=1
[577.14] microSD-JNI: getApduResponse() - channel=0, tag=1
[577.14] microSD-JNI: getApduResponse() - insize=34
[577.14] microSD-JNI: getApduResponse() - outsize=34 bytes=[577.14] 45 [577.14] 68 [577.14] 11 [577.14] F9 [577.14] 6D [577.14] DB [577.14] 9B [577.14] E9 [577.14] 0A [577.14] 20 [577.14] 56 [577.14] 72 [577.14] 5F [577.14] 11 [577.14] F5 [577.14] BA [577.14] ...[577.14]
[577.148] SmartCardSession.sendAPDU() has returned
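A check that can be run over a saved debug-console capture to find and redact the response-byte dumps described in the post above. This is an added example, not part of the original thread or of BlackBerry's code; the function names and the sample capture are assumptions built from the log format quoted above.

```python
import re

# Console timestamp as it appears in the quoted output, e.g. "[577.14]".
TS = r"\[\d+(?:\.\d+)?\]"
# One printed response byte; the timestamp prefix is optional so captures
# saved without timestamps are also covered (an assumption, not from the post).
ITEM = r"(?:" + TS + r"\s*)?[0-9A-Fa-f]{2}\b"
# A getApduResponse() dump: header, declared outsize, then the run of bytes.
DUMP = re.compile(r"(getApduResponse\(\) - outsize=(\d+) bytes=)((?:\s*" + ITEM + r")+)")
BYTE = re.compile(r"(?:" + TS + r"\s*)?([0-9A-Fa-f]{2})\b")

# Constructed sample, shortened from the console format quoted in the post.
SAMPLE = (
    "[577.07] Calling SmartCardSession.sendAPDU()... "
    "[577.078] microSD-JNI: exchangeApdu() - channel=0, clength=5, tag=1 "
    "[577.14] microSD-JNI: getApduResponse() - insize=34 "
    "[577.14] microSD-JNI: getApduResponse() - outsize=34 bytes="
    "[577.14] 45 [577.14] 68 [577.14] 11 [577.14] F9 [577.14] ...[577.14] "
    "[577.148] SmartCardSession.sendAPDU() has returned"
)


def find_leaks(log):
    """Return one (declared outsize, [hex bytes printed]) pair per dump."""
    return [(int(m.group(2)), BYTE.findall(m.group(3)))
            for m in DUMP.finditer(log)]


def redact(log):
    """Replace each printed byte run with a count, keeping the log header."""
    def _sub(m):
        count = len(BYTE.findall(m.group(3)))
        return f"{m.group(1)}[{count} response bytes redacted]"
    return DUMP.sub(_sub, log)


if __name__ == "__main__":
    for outsize, leaked in find_leaks(SAMPLE):
        print(f"response of {outsize} bytes: {len(leaked)} bytes printed to console")
    print(redact(SAMPLE))
```
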
10-10-2013 02:45 AM - edited 10-10-2013 02:48 AM
Can you please tell me what model of BlackBerry you are observing this behaviour with and what OS version it is running? I assume you're running debug sessions from Eclipse with the device plugged in over USB. Is that correct?
Meanwhile I'll discuss this issue with our security team.
10-10-2013 04:09 PM
Yes, this is witnessed in Debug console in Eclipse when phone is attached via USB.
I believe this can be observed on all models running BB Software 6.0, 7.0, and 7.1, however I can confirm it on the following:
BlackBerry Torch 9810 Software version 7.1 Bundle 1149
BlackBerry Torch 9810 Software version 7.0 Bundle 1355
BlackBerry Bold 9700 Software 6.0 Bundle 2949
10-11-2013 10:18 AM
The issue you reported has been assigned to a BlackBerry security response manager and we are currently investigating the behavior. There will be a further update asap.