Privacy Notice - mxData Ltd Apps

Article ID: KB35365

Type: BlackBerry Security Notice

First Published: 11-19-2013

Last Modified: 11-21-2013

 
Overview

Update: After BlackBerry raised its concerns with the Vendor, mxData Ltd, they issued new versions of the apps that resolved the issues identified in this privacy notice. These new versions are available in BlackBerry World, and BlackBerry strongly encourages customers who use these apps to update to the latest versions listed below:

  • Tube Map 2.4.45.0
  • Bus London 1.1.15.0
  • Tube Map for BlackBerry 10 1.2.19.0

Additional questions or concerns about the apps, including the use of user data and protections, should be directed to mxData Ltd.

The full and complete text of this privacy notice remains available below.

-------------------------------------------------------------------------------------------------------

This notice addresses privacy concerns regarding apps submitted by the third-party developer mxData Ltd ("Vendor") to BlackBerry® World™ (formerly BlackBerry App World™). The BlackBerry Security Incident Response Team (BBSIRT) recognizes that the Vendor’s apps are not malware, but removed from BlackBerry World the apps or app versions that do not sufficiently protect user credentials. BBSIRT determined that the affected apps listed in this privacy notice do not provide sufficient notification to BlackBerry customers about what information is uploaded from their device, or how that information is shared with third parties. BlackBerry is actively working with the Vendor to address the privacy issues detailed in this notice and potentially reinstate the apps in BlackBerry World. BlackBerry recommends that customers who have downloaded any of the affected apps use the information included in this privacy notice to determine whether or not to remove the app(s) from their smartphones.

Who should read this notice?

  • BlackBerry smartphone users who are using a device with BlackBerry operating systems 5.0, 6.0, 7.0, and 7.1
  • BlackBerry 10 smartphone users
  • BlackBerry® Enterprise Server administrators

Details of the information disclosed

These apps send the user’s Oyster card username, password, and card number over the internet to the Vendor’s servers using plain-text HTTP. The Vendor does not provide adequate information to users regarding the use and storage of those credentials. The BBSIRT’s investigation determined that the affected apps do not provide sufficient notification to BlackBerry customers about what information is uploaded from their device, or how that information is used or shared with third party or parties, in contravention of the BlackBerry App World Vendor Guidelines, the RIME Store Vendor Agreement (formerly BlackBerry App World Vendor Agreement), and the BlackBerry SDK License Agreement. BlackBerry contacted the app Vendor to inform them that the listed apps, which do not provide sufficient notification to BlackBerry customers, have been removed from BlackBerry World.

mxData Ltd Applications:

App Name                      App Version   Date Available

Tube Map                      2.4.40.0      10-May-2013
Tube Map                      2.4.39.0      6-May-2013
Tube Map                      2.3.38.0      14-Mar-2013
Tube Map                      2.2.33.0      11-Sep-2012
Tube Map                      2.1.15.0      12-Jul-2012
Tube Map                      2.0.11.0      6-Jul-2012

Tube Map For BlackBerry 10    1.2.10.0      12-Nov-2013
Tube Map For BlackBerry 10    1.2.6.0       22-Jun-2013
Tube Map For BlackBerry 10    1.1.48.0      14-Jun-2013
Tube Map For BlackBerry 10    1.0.1.0       26-Feb-2013
Tube Map For BlackBerry 10    1.0.0.0       29-Jan-2013

Bus London                    1.1.10.0      20-Sep-2013
Bus London                    1.1.7.0       22-Jun-2013
Bus London                    1.0.0.21      4-Jun-2013





Instructions for viewing or removing the application(s)

BlackBerry 5.0, 6.0, 7.0, and 7.1 OS

If BlackBerry customers download a listed Vendor app, it typically appears in the Applications list on your BlackBerry smartphone. If a listed Vendor app is installed on your BlackBerry smartphone and it does not appear in the Applications list, look for it in the Modules list. Instructions for viewing and removing installed apps on your BlackBerry smartphone are in KB10040 (How to view or remove installed applications on a BlackBerry smartphone).

Note: Removing these apps might not remove all of the data associated with them. However, if the apps are not present, they cannot continue to collect additional data. To remove all data or all data and apps from your BlackBerry smartphone, see KB02318 (How to delete all data or all data and applications on the BlackBerry smartphone).

BlackBerry 10 OS

If BlackBerry customers download a listed Vendor app, it typically appears on the BlackBerry smartphone home screen. If the application was installed through BlackBerry World, the app would appear in the “My Apps & Games” section of the user’s BlackBerry World app. See the appropriate BlackBerry device manual for additional information.

For BlackBerry Enterprise Server administrators

To help identify BlackBerry smartphones associated with a BlackBerry Enterprise Server in your environment that are affected by a listed Vendor app, you can run the following Structured Query Language (SQL) statement on the BlackBerry Configuration Database. This statement should only be considered a starting point and might not apply in all situations.

SELECT u.DisplayName, u.PIN, s.Data, s.ServerTime
FROM UserConfig u
INNER JOIN SyncDeviceMgmt s ON u.Id=s.UserConfigId
WHERE s.TableId=1 AND s.Data like '%[Name of application]%'

Replace [Name of application] with the specific app name you wish to identify.
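
The statement above checks one app name at a time. As an added example (not part of BlackBerry's notice), the following variant checks for all of the affected apps named in this notice in one pass. It reuses only the tables and columns from the statement above and assumes the app names are stored in s.Data as they are written in this notice.

```sql
-- Added example, not BlackBerry's own statement.
-- Assumption: s.Data holds the installed app name as literal text,
-- spelled as in this notice. Adjust the patterns if your data differs.
SELECT u.DisplayName,
       u.PIN,
       -- 'Tube Map' is a prefix of 'Tube Map for BlackBerry 10', so this
       -- flag is set for either edition of the Tube Map app.
       CASE WHEN s.Data LIKE '%Tube Map%'   THEN 1 ELSE 0 END AS HasTubeMap,
       -- Set only when the BlackBerry 10 edition is named explicitly.
       CASE WHEN s.Data LIKE '%Tube Map for BlackBerry 10%'
            THEN 1 ELSE 0 END AS HasTubeMapBB10,
       CASE WHEN s.Data LIKE '%Bus London%' THEN 1 ELSE 0 END AS HasBusLondon,
       s.Data,
       s.ServerTime
FROM UserConfig u
INNER JOIN SyncDeviceMgmt s ON u.Id = s.UserConfigId
WHERE s.TableId = 1
  AND (s.Data LIKE '%Tube Map%' OR s.Data LIKE '%Bus London%')
-- Most recent record first for each user.
ORDER BY u.DisplayName, s.ServerTime DESC;
```

This query matches on app name only and does not separate affected versions from the updated ones; check the installed version on each matched device against the versions listed in this notice.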

For information on using the BlackBerry Application Reporting Tool to list the apps installed on BlackBerry devices in a mobile device management (MDM) domain, see the BlackBerry Application Reporting Tool section of the BlackBerry Enterprise Server Resource Kit Administration Guide.

Instructions for changing application permissions

You can use the application permission settings on your BlackBerry smartphone to control what information and functions an application can access on your smartphone, such as email messages, contacts, pictures, or GPS. Application permissions also let you control whether information can be transferred from your smartphone, such as over an Internet or Bluetooth® connection.

Instructions for viewing and changing application permissions on your BlackBerry smartphone are in KB29104 (How to modify application permissions on a BlackBerry smartphone). For additional information about application permissions, see Application Permissions - Protecting Information on your BlackBerry Smartphone Whitepaper.

Mitigations

A BlackBerry smartphone prompts a user for permission to install any third-party software or to grant certain permissions to a third-party application.

A BlackBerry smartphone user or a BlackBerry Enterprise Server administrator can configure the smartphone to require the user to enter the smartphone password to allow an app to install, and BlackBerry recommends that all customers use this setting.

BlackBerry smartphone users can also set default permissions for all apps. See Application Permissions - Protecting Information on your BlackBerry Smartphone Whitepaper for information about default permissions and changing application permission settings.

More Information

What is an Oyster card?
An Oyster card is the form of electronic ticketing used on public transport in Greater London in the United Kingdom.

What data did the listed Vendor Apps access and what did they do with that data?
These apps send the user’s Oyster card username, password, and card number credentials to the Vendor’s servers over the internet using plain-text HTTP. The Vendor does not provide adequate information to users regarding the use and storage of those credentials.

What is the difference between a privacy notice, a security notice, and a malware notice?
Privacy notices inform customers about third-party applications that do not clearly or adequately inform customers of how the app is accessing and possibly using their data. While such apps do not typically appear to have malicious objectives or aim to mislead customers, BlackBerry wants to provide customers with information regarding an app’s behavior in order for them to make an informed decision about whether to continue using the app. BlackBerry targets every third Tuesday of the month for privacy notices.

Security notices inform customers about software vulnerabilities that we are either working to address, or that we do not believe warrant a security update, given the low risk and severity. We do not follow a set schedule for issuing security notices, but rather release these notifications as needed to provide customers with information on how to best secure their device.

Malware notices inform customers about third-party applications containing software that is developed with malicious intent. Similar to security notices, malware notices are released as needed to inform and protect users, and there is no set schedule.

Why doesn't BlackBerry classify these apps as malware?
BlackBerry did not classify these apps as malware because the Vendor’s intent did not appear to be malicious.

How can I tell if I have one of these Apps on my BlackBerry smartphone?
If a BlackBerry smartphone user downloads a listed Vendor app, it typically appears in the Applications list on your BlackBerry smartphone. If a listed Vendor app is installed on your BlackBerry smartphone and it does not appear in the Applications list, look for it in the Modules list.

How did a listed Vendor app get onto my BlackBerry smartphone?
The listed Vendor apps are third-party apps that were available for download in BlackBerry World. You or someone else with access to your smartphone downloaded and installed it onto your BlackBerry device.

Where can I read more about application permissions on BlackBerry smartphones?
For more information about permissions on BlackBerry smartphones, read Application Permissions - Protecting Information on your BlackBerry Smartphone Whitepaper.

Acknowledgements
BlackBerry would like to thank Appthority for their involvement in helping protect our customers.

Change Log

11-21-2013
Updated to address the resolution of the privacy concerns for the Vendor's apps and their reinstatement in BlackBerry World.

11-19-2013
Initial publication.
