Mobile device maker BlackBerry on Thursday notified customers about four mobile applications that were removed from BlackBerry World (the company’s App store) due to privacy implications.
According to BlackBerry’s privacy notice, the Apps in question upload the user’s contact list, network identifiers, device identifiers, and the smartphone location to an external server. The Apps also have the ability to send SMS, premium SMS, and PIN messages from the user’s BlackBerry device.
The applications (all from the same developer) removed from BlackBerry World include:
• WhozCalling – Caller ID
• WhozCalling – Caller ID and name revealer
While the applications in question were not outright malicious or considered malware, the BlackBerry Security Incident Response Team concluded that the Apps did not provide sufficient notification to BlackBerry users about what information is collected from their device, or how that information may be used or shared with other parties.
BlackBerry, which requires developers to adhere to its App World Vendor Guidelines, warned that the Apps do not seek consent from the user’s contacts (whose information is uploaded to external servers) before disclosing their personal phone numbers to other users of the respective App and possibly users of the other listed Vendor Apps.
“While mobile malware is a significant concern, we believe apps that unintentionally infringe on customers’ privacy represent one of the greatest challenges for our industry,” Adrian Stone, Director of Security Response, BlackBerry told SecurityWeek at the CanSecWest Security Conference in Vancouver on Thursday. “Although these apps are developed without malicious intent, customers deserve greater transparency about how their data is being used and shared. We are working to better educate third-party developers as well as using privacy notices to ensure customers can make informed decisions about the apps on their devices.”
BlackBerry didn’t outright say that users should remove the apps from their smartphone, but instead suggested that users make a decision based on the information included in the privacy notice to determine whether or not to remove the App(s). That being said, any user that cares about their privacy and doesn’t love the idea of apps uploading their contact list to a third-party server without need should remove the apps.
For BlackBerry Enterprise Server administrators who want to run a check, BlackBerry says that running the following SQL statement on the BlackBerry Configuration Database can identify BlackBerry devices in their environment that are affected by a particular Vendor App.
SELECT u.DisplayName, u.PIN, s.Data, s.ServerTime
FROM UserConfig u INNER JOIN SyncDeviceMgmt s ON u.Id=s.UserConfigId
WHERE s.TableId=1 AND s.Data like '%[Name of application]%'
Replace [Name of application] with the specific app name (WhozCalling, 5Index, SuperSMS) you wish to identify.
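The following query is an added example, not BlackBerry's own statement: it runs the same check in one pass over all three app names the notice gives and labels which one matched, assuming the same schema as the statement above (UserConfig, SyncDeviceMgmt, TableId=1 for application inventory rows).

```sql
-- Added example (not BlackBerry's own query): one pass over the BlackBerry
-- Configuration Database that covers all three Vendor App names the notice
-- gives, and labels which one matched so affected devices can be triaged.
-- Assumes the same schema the notice's query uses: UserConfig, SyncDeviceMgmt,
-- and TableId = 1 for the application inventory rows.
SELECT DISTINCT
    u.DisplayName,
    u.PIN,
    CASE
        WHEN s.Data LIKE '%WhozCalling%' THEN 'WhozCalling'
        WHEN s.Data LIKE '%5Index%'      THEN '5Index'
        WHEN s.Data LIKE '%SuperSMS%'    THEN 'SuperSMS'
    END AS MatchedApp,
    s.ServerTime
FROM UserConfig u
INNER JOIN SyncDeviceMgmt s ON u.Id = s.UserConfigId
WHERE s.TableId = 1
  AND (   s.Data LIKE '%WhozCalling%'
       OR s.Data LIKE '%5Index%'
       OR s.Data LIKE '%SuperSMS%')
ORDER BY s.ServerTime DESC;
```

Each row is one device (by PIN) reporting one of the listed apps, most recent sync first; a device with more than one of the apps appears once per matching app.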
BlackBerry also reminded users that the application permission settings should be used to control what information and functions an application can access, and that these settings allow users to control whether information can be transferred from a smartphone.
The removed apps were previously available for BlackBerry OS 5.0, 6.0, 7.0, and 7.1, but were not offered for its new BlackBerry 10 devices, BlackBerry said.
A BlackBerry spokesperson did not have exact download stats available for the affected apps, but did say that they do not believe a significant portion of BlackBerry customers were using the apps.
BlackBerry is providing the developer with an opportunity to address the privacy concerns and resubmit the apps, the spokesperson told SecurityWeek.
Updated to clarify BlackBerry’s suggestion on removal of the apps.