Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Native Development

Reply
Developer
Posts: 84
Registered: ‎04-22-2013
My Device: BB 10 Dev
My Carrier: Simulator

Is it possible to extract codes from the signed release BAR file

Hi all,

 

I have a signed release BAR file that will be sent for penetration test. So I would like to know are they possible to extract the codes out from my BAR file? As what I've tried to extract the BAR file, I'm able to see all my QML and images in asset folder. Do I need to obfuscate the qml file, as it can be viewable, if so how should i do?

 

Thanks in advance.

Developer
Posts: 6,152
Registered: ‎07-05-2012
My Device: Playbook, Dev Alpha C, Z10 LE, Z30
My Carrier: Orange

Re: Is it possible to extract codes from the signed release BAR file

The jury is still out on this one.

 

If your app is going to be free then it may be less secure, from certain server attacks.

Also judging from the latest OS leak, BlackBerry may allow loading of apps from other sources at some future point.

 

There is no obfuscating of QML but you can precompile it which will offer some protection...

 

https://developer.blackberry.com/native/documentation/cascades/dev/tools/compiling.html#wba135364409...

 

 

 

 


If you've been helped click on Like Button, if you've been saved buy the app. Smiley Happy

Developer of stokLocker, Sympatico and Super Sentences.
Developer
Posts: 1,163
Registered: ‎03-20-2013
My Device: Red LE Developer Z10
My Carrier: Fido

Re: Is it possible to extract codes from the signed release BAR file

Echoing BBSJdev, There are two issues here... how easy is it to get a copy of your bar file, and what can be gleaned from within it if you do.

 

The first issue is complicated. It used to be possible (in the early Playbook days) to download apps from BB World using a proxy and save them to your PC. Apparently BlackBerry has closed this loophole, and now the only way to get the bar file is to download it onto your device via the BB World app. The bar is unpacked and then discarded during installation, so in theory nobody should be able to get a copy of the actual bar file. In situations like this however you should assume that if somebody REALLY wants to get copy of your bar, they will figure out a way. It is not easy, but will always be possible given a dedicated and skilled attacker

 

As for the second issue, my own perusal suggests that the only easily viewable entities in a bar file are the QML sources. Unless you precompile you QML files they will be plainly readable just by unzipping the bar file. My own solution was just to move anything sensitive from QML to C++, which is more secure by virtue of being compiled into machine code before inclusion in the bar. There is not much risk if the only thing you define in your QML is page layouts, since attackers can discern this easliy enough just by using your app. Any functionality written in ECMAscript in your QML is plainly readable, so for added protection move anything sensitive to C++ and call it from the QML instead.


jessica99327 wrote:

Hi all,

 

I have a signed release BAR file that will be sent for penetration test. So I would like to know are they possible to extract the codes out from my BAR file? As what I've tried to extract the BAR file, I'm able to see all my QML and images in asset folder. Do I need to obfuscate the qml file, as it can be viewable, if so how should i do?

 

Thanks in advance.






Developer of Built for BlackBerry certified multiFEED RSS/Atom feed reader and aggregator.  multiFEED Icon

Play nice: Clicking Like Button on posts that helped you not only encourages others to continue sharing their experience, but also improves your own rating on this board. Also, don't forget to accept a post if it solves your problem or answers your question.
Developer
Posts: 828
Registered: ‎10-16-2012
My Device: Red Z10
My Carrier: Rogers

Re: Is it possible to extract codes from the signed release BAR file

[ Edited ]

I really think BlackBerry should step in here with a method of obsfucation or something to better protect QML files,  I've seen this discussion a few times and Its already  been pointed out that any experienced person could easily extract the precompiled QML files so that's really only a placebo solution(makes you feel warm and fuzzy while actually doing nothing)...

 

Whoevers after your qml files probably has that experience =(

Developer
Posts: 1,163
Registered: ‎03-20-2013
My Device: Red LE Developer Z10
My Carrier: Fido

Re: Is it possible to extract codes from the signed release BAR file

Yep, as I said, I think given the current situation, the safest thing to do is move anything you don't want attackers to see to C++ since this is inherently the hardest thing in a bar to reverse-engineer. Assume that anything you leave in QML is vulnerable with minimal effort.


slashkyle wrote:

I really think BlackBerry should step in here with a method of obsfucation or something to better protect QML files,  I've seen this discussion a few times and Its already  been pointed out that any experienced person could easily extract the precompiled QML files so that's really only a placebo solution(makes you feel warm and fuzzy while actually doing nothing)...

 

Whoevers after your qml files probably has that experience =(






Developer of Built for BlackBerry certified multiFEED RSS/Atom feed reader and aggregator.  multiFEED Icon

Play nice: Clicking Like Button on posts that helped you not only encourages others to continue sharing their experience, but also improves your own rating on this board. Also, don't forget to accept a post if it solves your problem or answers your question.
Developer
Posts: 1,163
Registered: ‎03-20-2013
My Device: Red LE Developer Z10
My Carrier: Fido

Re: Is it possible to extract codes from the signed release BAR file

I've been thinking about this question a little since my earlier reply, and without ever actually implementing this solution, this is what I would probably do if I had sensitive code or data in plain view in a QML file. QML is loaded, parsed, and interpreted by your application at runtime only on demand by calling QmlDocument::create(). This allows us to do something like this:

 

  • Choose a two-way QML encryption method that satisfies your level of paranoia.
  • Add a #define to your release build settings so that you can add some code that only compiles in a release build. Something like #define _RELEASE_
  • In your main UI class header add a new class function called something like LoadQml() that returns a QmlDocument*.
  • In the body of LoadQml() create an #ifdef _RELEASE_ ... #else ... #endif block. In the true part of the block write code that decrypts ALL the QML files and copies them to the application data path and then creates a QmlDocument from the decrypted versions with QmlDocument::create() passing it back as the return value.
  • If you are really paranoid your code could delete the decrypted QML files after they have been loaded.
  • In the false part of the #ifdef block you should just load the original QML files from the assets path without decrypting them.
  • In the constructor of the main UI class rather than calling QmlDocument::create() call your new function instead.
  • Do your development with unencrypted QML files.
  • When you are ready for release encrypt all your QML files with the chosen encryption method and replace all the QML files in assets:/// with the obfuscated versions.
  • Build your app with _RELEASE_ defined.
  • Restore the unencrypted QML files to continue development.

Now when your signed and released app runs it will decrypt the QML just before loading it, so there will be no plaintext source code in the bar file. This technique is obviously rather onerous, but if you are sufficiently paranoid it will prevent anyone but the most dedicated crackers from seeing your source code, depending on the encryption method you choose.

 

Note that this same technique can be used to obfuscate anything you don't want anyone to see in your bar file, including data files, secret URLs, images, etc.

 

Not the most effortless technique, but it should prevent almost anyone but the NSA from snooping into your source code. Of course, a skilled attacker could possibley reverse-engineer the compiled C++ code that does the decryption. In that case all bets are off.

 


jessica99327 wrote:

Hi all,

 

I have a signed release BAR file that will be sent for penetration test. So I would like to know are they possible to extract the codes out from my BAR file? As what I've tried to extract the BAR file, I'm able to see all my QML and images in asset folder. Do I need to obfuscate the qml file, as it can be viewable, if so how should i do?

 

Thanks in advance.






Developer of Built for BlackBerry certified multiFEED RSS/Atom feed reader and aggregator.  multiFEED Icon

Play nice: Clicking Like Button on posts that helped you not only encourages others to continue sharing their experience, but also improves your own rating on this board. Also, don't forget to accept a post if it solves your problem or answers your question.