iStake Released for BlackBerry

Posted: Mon Feb 22, 2010 11:38 am
by michael.d.benton
Got this email about four days ago...sorry I didn't post it sooner. So far it works great on my Storm.

Michael

Greetings,

Great news.. I'm sending you this email because a while back, you asked about a Blackberry version of iStake.

I'm happy to announce that iStake for the Blackberry is now available!! The Blackberry version includes all of the same features you're used to on the iPhone side -- including one additional treat: You can copy ward and stake events straight to your Blackberry calendar (no need to use google or other third party services).

If you've got a touch-screen Blackberry Storm, you'll be thrilled to know that iStake for Blackberry looks and feels nearly identical to the iPhone version. If you've got a traditional Blackberry, you'll find the app super intuitive and easy to use.

Please visit http://www.avikey.com/blackberry/ to purchase the app. Installation is easy, and you can be up and running in a few short minutes.

Thanks!

Brian

Posted: Mon Feb 22, 2010 1:36 pm
by RossEvans
michael.d.benton wrote: Got this email about four days ago...sorry I didn't post it sooner. So far it works great on my Storm.

Michael


I wonder how the LDS Account login, data flow and processing are being handled on the Blackberry version, and if those methods are any different from the flawed methods used for the iPhone and described upthread.

Interestingly, Avikey's website uses different language in its claims about that subject for the Blackberry and iPhone versions. The relevant language for the Blackberry is:

  • None of your ward / stake information is stored or passed through "third party servers", in accordance with church policy.
  • All communications between your phone and LDS.org are encrypted.
  • Fully compliant with church policy regarding data protection, privacy, and the handling of member information.

For the iPhone, the comparable language still reads this way:

  • Your confidential information is not stored on "third party servers", in accordance with church policy.
  • All communications between your phone and LDS.org are encrypted.

That does not give me any confidence that the security problems for the iPhone version have been cured. But perhaps the Blackberry version is different in the way it processes the content.

From the website, I am unsure about the critical point of whether the LDS Account login to secure.lds.org is made directly and end-to-end from the user's device. The descriptions for the Blackberry and iPhone versions are very similar:

iStake for Blackberry retrieves your ward and stake directories from the LDS.org web-site using your LDS.org username and password.

and for the iPhone:

iStake retrieves your ward and stake directories from the lds.org web-site using your LDS.org username and password.


So without some explicit statement to the contrary, I have to assume that the LDS Account password is still captured, however briefly, by the iPhone version. The Blackberry version may be different. In any case, I would not believe anything without an empirical test.

Posted: Tue Feb 23, 2010 10:42 am
by jbh001
boomerbubba wrote: I wonder how the LDS Account login, data flow and processing are being handled on the Blackberry version, and if those methods are any different from the flawed methods used for the iPhone and described upthread.
I'm curious if this changed for the iPhone too because they recently upgraded the iPhone app to version 2.1. But I have no way to test to see if it is still using its previous method to get the data from the LUWS to the iPhone.

Posted: Tue Feb 23, 2010 11:26 am
by RossEvans
jbh001 wrote: I'm curious if this changed for the iPhone too because they recently upgraded the iPhone app to version 2.1. But I have no way to test to see if it is still using its previous method to get the data from the LUWS to the iPhone.


As far as I am concerned, the vendor has an affirmative obligation to disclose the facts, and should have disclosed the facts all along. You previously quoted from release notes, which are apparently provided to you as a customer or iPhone user. Do the release notes for version 2.1 say the flawed practice has been discontinued? Have you asked Avikey?

The Avikey developer conceded in his Jan. 6 email that the iPhone app's method was not compliant with Church policy, and asserted that it would be made compliant at some point in the future. In my own correspondence with the vendor, I did underscore that I thought they should inform us all if and when that happens.

As of today, the vendor does not even make the same claim for its iPhone product that it does for the Blackberry product: "Fully compliant with church policy regarding data protection, privacy, and the handling of member information." (I'm not even sure if that Blackberry language precludes the LDS Account password being captured anywhere but in the client app or the SSL terminus at secure.lds.org. A Philadelphia lawyer might always argue otherwise because the PR statement does not expressly include that element.)

Absent some express claim that the flaws in the iPhone product have now been cured -- which, given this vendor's history, still would need verification by testing to convince me -- I think the presumption must be that the iPhone version remains non-compliant today. If it ever becomes compliant, the burden is on the vendor to say so.