Privacy Notice - NumberBook

Article ID: KB33336

Type:   Security Notice

First Published: 02-01-2013

Last Modified: 02-01-2013

 

Product(s) Affected:

  • BlackBerry 7 OS and earlier Applications
Overview

Application: NumberBook versions 3.7 and earlier

Executive summary

The NumberBook app submitted by a third party developer DEV_Engineer ("Vendor") to BlackBerry® World™ (formerly BlackBerry App World) is described by Vendor as a caller identification application. This app uploads the user's contact list (which may include personal phone numbers), network identifiers, device identifiers, and the smartphone location to a web server. The app may also send PIN, SMS, and email messages from the device.

Although the app is not malware, BlackBerry's investigation determined that the app does not provide sufficient notification to BlackBerry smartphone users about what information is uploaded from their device, or how that information is used or shared with third party(ies), in contravention of the BlackBerry App World Vendor Guidelines and the BlackBerry SDK License Agreement. Moreover, the app does not seek consent from the user’s contacts (whose information is uploaded to its servers) before NumberBook discloses their personal phone numbers to other NumberBook users. BlackBerry contacted the app vendor to inform them that the NumberBook app was removed from BlackBerry World.

BlackBerry recommends that customers who have downloaded NumberBook use the information included in this privacy notice to determine whether or not to remove the app from their smartphones.

Before NumberBook was removed from BlackBerry World, it was available for BlackBerry OS versions 5.0, 6.0, 7.0, and 7.1. NumberBook was not offered for BlackBerry 10 smartphones.

Who should read this notice?

  • BlackBerry smartphone users
  • BlackBerry Enterprise Server administrators

Details of the information disclosed

The NumberBook app sends location information, contact information (including names and personal phone numbers) from the user’s contact book, network identifiers, and device identifiers to an external server. Without sufficient or any notice to the data owners, NumberBook also shares the user’s name and phone number with other NumberBook users on request.

Versions 3.4 and earlier of the app send location information, device identifiers, network identifiers, and Wi-Fi network information to http://wf.numberbook.org. In addition, these versions send location information, contact information that may include personal phone numbers, device identifiers, and network identifiers to https://api.numberbook.org.

Version 3.6 of the app sends location information, contact information that may include personal phone numbers, device identifiers, and network identifiers to https://api.numberbook.org.

Version 3.7 of the app sends location information, device identifiers, network identifiers, and Wi-Fi network information to http://wf.numberbook.org. In addition, if the SIM card’s IMSI is from Kuwait, Bahrain, Qatar or the United Arab Emirates, it sends location information, contact information that may include personal phone numbers, device identifiers, and network identifiers to http://co.contramain.co. If the SIM card’s IMSI is from any other country, it sends location information, contact information that may include personal phone numbers, device identifiers and network identifiers to https://api.negusa.info.
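Where smartphone traffic passes through a web proxy that you log, the hosts listed above can be used to find devices that contacted the app's servers. The following Python sketch is an added example and is not part of the original notice; the log line format (timestamp, source address, method, URL), the sample entries, and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts named in this notice, with the app versions and data the notice ties to each.
ENDPOINTS = {
    "wf.numberbook.org": "3.4 and earlier, 3.7: location, device/network IDs, Wi-Fi info",
    "api.numberbook.org": "3.4 and earlier, 3.6: location, contacts, device/network IDs",
    "co.contramain.co": "3.7 (SIM from KW/BH/QA/AE): location, contacts, device/network IDs",
    "api.negusa.info": "3.7 (SIM from elsewhere): location, contacts, device/network IDs",
}

# Constructed sample log lines: "<timestamp> <source> <method> <url>" (assumed format).
SAMPLE_LOG = [
    "2013-01-05T08:12:01Z 10.0.4.21 POST http://wf.numberbook.org/",
    "2013-01-05T08:12:03Z 10.0.4.21 CONNECT api.negusa.info:443",
    "2013-01-05T08:13:40Z 10.0.4.35 GET http://wf.numberbook.org.example.net/",
    "2013-01-05T08:14:02Z 10.0.4.52 POST http://CO.CONTRAMAIN.CO/",
    "truncated line",
]

def find_numberbook_traffic(log_lines):
    """Return one finding per log line whose URL host exactly matches a listed host."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated entry
        timestamp, source, _method, url = parts[:4]
        if "://" not in url:
            url = "//" + url  # CONNECT entries carry host:port with no scheme
        parsed = urlsplit(url)
        host = (parsed.hostname or "").rstrip(".")  # hostname is already lowercased
        if host in ENDPOINTS:  # exact match, so look-alike hosts are not flagged
            findings.append({
                "time": timestamp,
                "source": source,
                "host": host,
                "cleartext": parsed.scheme == "http",  # data sent without TLS
                "detail": ENDPOINTS[host],
            })
    return findings

def affected_sources(findings):
    """Group findings by source address so each device is reviewed once."""
    by_source = {}
    for f in findings:
        by_source.setdefault(f["source"], set()).add(f["host"])
    return {src: sorted(hosts) for src, hosts in by_source.items()}

if __name__ == "__main__":
    for src, hosts in affected_sources(find_numberbook_traffic(SAMPLE_LOG)).items():
        print(src, hosts)
```

Entries flagged as cleartext correspond to the `http://` endpoints in this notice, where the uploaded data would also have been readable in transit.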

Instructions for viewing or removing the application

If you downloaded the NumberBook app, it typically appears in the Applications list on your BlackBerry smartphone. If the app is installed on your BlackBerry smartphone and it does not appear in the Applications list, look for it in the Modules list. Instructions for viewing and removing installed apps on your BlackBerry smartphone are in KB10040 (How to view or remove installed applications on a BlackBerry smartphone).

Note that removing the NumberBook app may not remove all of the data associated with it. However, if the app is not present, then it cannot continue to gather additional data. To remove all data, or all data and apps, from your BlackBerry smartphone, follow the instructions in KB02318 (How to delete all data or all data and applications on the BlackBerry smartphone).

For BlackBerry Enterprise Server administrators

You can run the following SQL statement on the BlackBerry Configuration Database to help identify affected BlackBerry smartphones with the NumberBook app that are associated with a BlackBerry Enterprise Server in your environment. This statement should only be considered a starting point and may not apply in all situations.

SELECT u.DisplayName, u.PIN, s.Data, s.ServerTime
FROM UserConfig u
INNER JOIN SyncDeviceMgmt s ON u.Id=s.UserConfigId
WHERE s.TableId=1 AND s.Data like '%NumberBook%'

For information on using the BlackBerry Application reporting tool to list the apps installed on BlackBerry devices in an MDM domain, see the BlackBerry Application Reporting Tool section of the BlackBerry Enterprise Server Resource Kit Administration Guide.

Instructions for changing application permissions

You can use the application permission settings on your BlackBerry smartphone to control what information and functions an application can access on your smartphone, such as email messages, contacts, pictures, or GPS. Application permissions also let you control whether information can be transferred from your smartphone, such as over an Internet or Bluetooth connection.

Instructions for viewing and changing application permissions on your BlackBerry smartphone are in KB29104 (How to modify application permissions on a BlackBerry smartphone). For additional information about application permissions, see Application Permissions - Protecting Information on your BlackBerry Smartphone.

Mitigations

A BlackBerry smartphone prompts a user for permission to install any third party software or to grant certain permissions to a third party application.

A BlackBerry smartphone user or a BlackBerry Enterprise Server administrator can configure the smartphone to require the user to enter the smartphone password to allow an app to install. We recommend that users and administrators use this setting.

BlackBerry smartphone users also have the ability to set default permissions for all apps. See Application Permissions - Protecting Information on your BlackBerry Smartphone for information about default permissions and changing application permission settings.

Additional Information

When was the NumberBook app made available in BlackBerry App World?

App version    Date it became available in BlackBerry World
2.1            September 17, 2012
3.0            September 25, 2012
3.1            September 28, 2012
3.2, 3.3       October 3, 2012
3.4            October 8, 2012
3.6            November 22, 2012
3.7            January 2, 2013

What data did the NumberBook app access and what did it do with that data?

This app uploads the smartphone location, contact list (names and telephone numbers), network identifiers, and device identifiers to a web server. The app may also send PIN, SMS, and email messages from the device.

The data, once uploaded, is within the domain and control of the Vendor.

What is an IMSI?

An IMSI is an International Mobile Subscriber Identity, a unique ID associated with GSM, LTE, and UMTS SIM cards. Part of the IMSI indicates the country of the wireless service provider that issues the SIM card.

What is the difference between a privacy notice, a security notice, and a malware security notice?

A privacy notice informs BlackBerry customers that an app may pose a privacy risk because the information the app accesses or how it uses that information may not be clearly disclosed by the vendor. The privacy notice provides information about an app's behavior so that customers can make an informed decision about whether to continue to use the app.

A security notice publicly acknowledges and notifies BlackBerry customers of potential security concerns for which a code level fix is not available or needed. The security notice may provide, if applicable, potential mitigations, workarounds, and authoritative guidance to reduce risk to BlackBerry customers.

A malware notice informs BlackBerry customers about a piece of malicious software that could be installed on a customer’s device. It includes information about the malware, mitigations, and how to remove it from the device.

Why doesn't BlackBerry classify this app as malware?

BlackBerry did not classify this app as malware because the vendor’s intent did not appear to be malicious.

How did NumberBook get onto my BlackBerry smartphone?

NumberBook is a third party application that was available for download in several smartphone vendors’ app stores, including BlackBerry World. You or someone else with access to your smartphone downloaded and installed it.

Where can I read more about application permissions on BlackBerry smartphones?

For more information about permissions on BlackBerry smartphones, read Application Permissions - Protecting Information on your BlackBerry Smartphone.
