BlackBerry 10 is a proprietary QNX-based operating system. In addition to native core system apps and services, BlackBerry 10 includes the BlackBerry Runtime for Android Apps, which consists of the open-sourced Android application framework running on top of the QNX microkernel. BlackBerry 10 core operating system services and frameworks are mapped to the Android runtime to allow access to hardware and software services that are generally available on Android devices. Android apps are opened and run via Dalvik.
The BlackBerry Runtime for Android Apps can handle apps written with the Android NDK (Native Development Kit), so that apps that make use of native C/C++ code will work with a few limitations noted in Android Native Support.
BlackBerry developers who have a BlackBerry 10 app written using the Momentics IDE and Cascades SDK can bring their app to Android and the Amazon Appstore by porting their native C/C++ code to the Android SDK, either by rewriting it in Java or making use of the Android NDK.
In general, developers should target BlackBerry 10 devices as they would any other Android device with the caveat that certain Google Play Services and some specific APIs are not supported. See Features and Unsupported APIs for a list of unsupported services.
Adobe AIR: As of BlackBerry 10.3.1, Adobe AIR is no longer supported. If your app requires Adobe AIR, build your app as an Android app, or use BlackBerry WebWorks to port your app to HTML5. For more information, see End of Support Notice.
Google Play Services: Apps running on BlackBerry devices do not have access to Google Play Services. If your app accesses Google Play Services, either remove the features that require these services, or modify them to degrade gracefully. If you modify your app to degrade gracefully, consider using an error message such as: This feature is not currently available on this device.
Applications using the BlackBerry Dynamics framework can't directly link to third-party libraries included in the runtime, but should instead include and maintain their own copies of any of these third-party libraries if required.
Note: Here, application set-up means the creation of the BlackBerry Dynamics entitlement identifier and version. It doesn't mean server address configuration, policy settings, nor end user entitlement, for example.
Within the URL type declaration, five URL schemes must be declared. Two schemes must be declared that are the same as the URL type, with .sc2 and .sc3 appended. An additional scheme must be declared that is the same as the URL type with .sc2. and then the BlackBerry Dynamics entitlement version appended. First and second discovery schemes com.good.gd.discovery and com.good.gd.discovery.enterprise must also be declared. The URL type and schemes would be declared in the application's Info.plist file, as usual.
The Info.plist file of any of the official sample applications that come with the BlackBerry Dynamics SDK can be used as a guide. The second discovery scheme com.good.gd.discovery.enterprise is not included in the samples and must be added manually. Alternatively, add the following XML to the application's Info.plist file, using a text editor. Change all instances of com.iOS.App.ID to the native bundle identifier of the application and change 1.0.0.0 to the BlackBerry Dynamics entitlement version.
Note that the first three CFBundleURLSchemes array items have suffixes of .sc2, .sc2.1.0.0.0 and .sc3 applied to the native bundle identifier. The CFBundleTypeRole element is not used by BlackBerry Dynamics and could take another value, as required by the application.
Any BlackBerry Dynamics application that is part of a suite developed by the same enterprise must support data sharing. This is required for Easy Activation delegation between the applications in the suite. If an enterprise has only a single BlackBerry Dynamics application, then supporting data sharing is still advised because it has no disadvantages.
The above build-time configurations are for in-house BlackBerry Dynamics applications. Other types of application must use a variation with a different declaration of URL schemes. In-house URL scheme declarations are under Inter-Application Communication, above.
Face ID is a facial recognition feature that is available on some iOS devices. The BlackBerry Dynamics management console has a policy setting by which the enterprise administrator can allow end users to authenticate using Face ID. Authentication processing for Face ID is handled by the BlackBerry Dynamics runtime, without reference to the application code. The purpose for which Face ID is used must be declared by the application, and this cannot be handled by the runtime.
A purpose for using Face ID must be declared by all BlackBerry Dynamics iOS applications. This is a mandatory build-time configuration. The declaration goes in the Info.plist file, in the NSFaceIDUsageDescription property. For example, the following key and value could be added.
The value will be presented in a confirmation dialog for the end user, before the first attempt to authenticate using Face ID is made. Note that if enterprise policy doesn't allow the current end user to authenticate by this mechanism, then the dialog won't be shown.
Because this value is a message to the end user, it should be made available in different languages and in localized variations. This can be done by using InfoPlist.strings files. The mechanism is described in the Information Property List Key Reference on the apple.com developer website. See under Localizing Property List Values.
By default, the BlackBerry Dynamics runtime checks that there is a GDiOSDelegate event receiver when an authorize function is called. If there isn't, the runtime will raise an assertion and the program will terminate. This check must be switched off in the case that the application doesn't implement GDiOSDelegate and instead uses the GDState interface to monitor authorization.
BlackBerry Dynamics supports App Thinning by slicing. In principle, App Thinning by use of on-demand resources is also supported but this isn't useful to typical BlackBerry Dynamics applications. Bitcode isn't supported.
The user interface for these options can be found in the Xcode Project Editor, on the Build Settings tab. The easiest way to locate the options may be to key the name of each setting in the search box.
CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible. Refer to the Mitigations section for more information about patching.
CVE-2021-22156 is an integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products. Exploitation of this vulnerability could lead to a denial-of-service condition or arbitrary code execution in affected devices. To exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation. An attacker with network access could remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet.[3]
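The arithmetic behind this class of calloc() bug, as an added example that is not BlackBerry's or CISA's code: it models a 32-bit size_t to show how an unchecked nmemb * size product wraps to a small value, next to the overflow check a hardened allocator performs. The names size32_t, unchecked_total, checked_total and calloc_checked are illustrative assumptions, and the input values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model a 32-bit size_t so the wrap-around is reproducible on any host. */
typedef uint32_t size32_t;

/* Byte count an allocator computes when it multiplies without a check:
 * the true product is reduced modulo 2^32. */
size32_t unchecked_total(size32_t nmemb, size32_t size) {
    return (size32_t)((uint64_t)nmemb * size);
}

/* Checked form: returns 1 and stores the product, or 0 if it would overflow. */
int checked_total(size32_t nmemb, size32_t size, size32_t *out) {
    if (size != 0 && nmemb > UINT32_MAX / size)
        return 0;
    *out = nmemb * size;
    return 1;
}

/* Hardened calloc-style wrapper on the host's real size_t (hypothetical name). */
void *calloc_checked(size_t nmemb, size_t size) {
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;          /* refuse instead of under-allocating */
        return NULL;
    }
    size_t total = nmemb * size;
    void *p = malloc(total ? total : 1);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void) {
    /* Constructed sample: a caller-supplied element count and a 4-byte element. */
    size32_t nmemb = 0x40000001u, size = 4u, total = 0;
    printf("requested elements : %u\n", (unsigned)nmemb);
    printf("unchecked byte size: %u\n", (unsigned)unchecked_total(nmemb, size));
    printf("checked accepts?   : %d\n", checked_total(nmemb, size, &total));
    return 0;
}
```

With these inputs the unchecked size is 4 bytes for a request the caller treats as 0x40000001 elements, so the checked path has to fail the allocation rather than return a short buffer.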
All BlackBerry programs with dependency on the C runtime library are affected by this vulnerability (see table 1 for a list of affected BlackBerry QNX products). Because many affected devices include safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions.
CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible.
Tycoon is a multi-platform Java ransomware targeting Windows and Linux that has been observed in the wild since at least December 2019[1]. It is deployed in the form of a Trojanized Java Runtime Environment (JRE) and leverages an obscure Java image format to fly under the radar.
The threat actors behind Tycoon were observed using highly targeted delivery mechanisms to infiltrate small- to medium-sized companies and institutions in the education and software industries, where they would proceed to encrypt file servers and demand a ransom. However, due to the reuse of a common RSA private key, it may be possible to recover data in earlier variants without the need for payment.
Post-incident analysis of the Internet-facing RDP server could not be performed as it had already been restored. However, our analysis of the victim machines revealed that some of the techniques used by the attacker were unusual and noteworthy: