The Black Art of Blackberry Surveillance

Little is known about how BlackBerry surveillance works and yet a small number of companies sell their commercial surveillance software to anyone willing to part with a couple of hundred dollars. Whether you are part of an organization that wishes to retain full supervision on your employee smartphone usage habits or are a part of law enforcement looking to fast-track your surveillance activities, knowing exactly how to monitor information on a handheld is invaluable. Given how the convergence of technology has rapidly escalated, handhelds see a signi!cant increase in usage and with it, a large amount of con!dential information is stored on them. Because of it’s dynamic, users typically tend to believe that a smartphone is still a phone and do not pay much attention to the fact that most of the data on a handheld is the same as what is found on the typical office computer. Learning how to monitor this information is the !rst step in Information Risk Management.

This course is designed by the author of PhoneSnoop, the proof-of-concept phone monitoring software, bringing his experience and knowledge in BlackBerry surveillance and countersurveillance to address this emerging concern for information privacy and data loss prevention. While the software is not inherently malicious, a malicious person may target an unsuspecting user’s BlackBerry and effectively turn the smartphone into a remote “bug” allowing the interception of ambient sounds. This prompted The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) to issue a warning to all BlackBerry users regarding PhoneSnoop. This course will feature the analysis and workings of PhoneSnoop along with other popular surveillance software. It will also teach students how to develop similar applications for use within their organizations and will provide them with an insight into how common spyware software works.

At the conclusion of the course, the students will be able to develop their own surveillance software for execution on the BlackBerry handheld and will have an in-depth understanding of which BlackBerry API’s are most useful in achieving their goals.

The class will be taught in a hands-on lab style with practical work being done at least 60% of the time. Pre-prepared development environments will be provided to minimize setup time. While in-depth knowledge of Java is not required, student will best bene!t if they are already familiar with Java and Object Oriented programming concepts.

Target Audience:

• Security Consultants
• Security Software Developers
• Security & Software Architects
• Security Administrators

Student Pre-requisites:

• Laptop is essential
• Students should have a fundamental understanding of software development concepts
• Students should have a basic understanding of the Java and Object Oriented programming languages
• Knowledge of Java Micro Edition or Mobile Development is an advantage

Software Requirements:

For running native:
Windows XP, Vista or 7
Otherwise, a VMWare image containing a pre-prepared development environment will be provided

Hardware Requirements:

For running a VMWare Image:

• Minimum 1GB of RAM
• Minimum 5GB free storage space

For running native:

• Minimum 1GB RAM
• Minimum 700MB storage space

Course Outline:

Day 1

• Fundamentals of Mobile Application Development
• Overview of developing for the BlackBerry smartphone
• The BlackBerry API
• Writing your !rst BlackBerry "Hello World" application
• Developing your !rst Client / Server framework
• Decompilation and Analysis of the "Etisalat Spyware"
• Things not to do when designing surveillance applications for mobiles
• Types of data that can be monitored
• APIs and code to monitor email messages
• Safely transporting captured data to a remote server

Day 2

• APIs and code to monitor SMS messages
• APIs and code to track a GPS equipped phone
• APIs and code to track call log data
• Analysis of PhoneSnoop - Remote Bugging Application
• How to turn the BlackBerry into a remote listening device or "bug"
• Poor man's phone-taps; how to listen in on a phone conversation
• Techniques for deploying onto the client handheld
• Tying in to corporate policy
• Typical corporate solution architecture
• Legal implications and admissibility in court