Thursday, October 24, 2013

How Secure BBM (Android) ID Creation Is

This is some morning brain distraction I had. The queue for my Android's BBM ended this morning, and throughout the process, some ideas came into my mind.

So, a BBM ID takes 8 characters, digits and letters. That would make 31 possible characters per position. Thus, the number of possible BBM IDs is 31^8, or ~850 billion IDs, ignoring the possibility of an error-checking character, which would make it much less than that.

Now, from my experience this morning, it seems that the process of ID creation happens on the device. My friend also told me that if you want to bypass the queue for the email signups, you could use the email of someone who is already dequeued, for example my email, then just make a new BB user ID or sign in if you already have one (apparently I have one since I signed up as a BB App Vendor long ago).

My question is, since Android is so open source, how secure is BBM ID creation? I am no hacker, but here is a possible attack I thought of:

You could reverse engineer Android apps by decompiling the APK (I have never tried to decompile, but I have read about it before; on the other hand, extracting an APK is very easy with the many file explorers available). So, we could reverse engineer the BBM APK, then look for the function that calls the ID creation. Then, we make a dummy application whose function is to keep calling that ID creation. This would exhaust BBM IDs for no users.

Let's now look at how long this process would take to exhaust all possible IDs, which in the worst case number 850 billion. From this morning, an ID request takes around 3 minutes for me on WiFi. So in one hour, I could exhaust 20 IDs and in one day, I could exhaust 480 IDs. It would then take 850 billion/480 = ~1.8 billion days. So, BB could still fix it if possible! Really? Let's make a better approximation. Typically, an Android developer has more than one device to work on. Assume each attacker has 10 devices. Assume again that there are around 100 attackers per group, and there are 4 groups. The attack would then last for 850 billion/(480 * 10 * 100 * 4) = ~440 thousand days or ~1000 years. Phew! Still safe!

Yes, this is the kind of thought that goes through my mind when I start thinking. I am not a BB hater. I think BB is awesome with their QWERTY phones (I would use them if they didn't lag when I open WhatsApp). I am just curious how the BB engineers would protect their system from such a possible attack. Well, good day, folks.
