The Security Advantage of BlackBerry Devices Is Fading
14 January 2013


The competition is getting closer to eliminating the security advantage of RIM devices.

The competition is getting closer to eliminating the security advantage of RIM devices. iOS and Android devices are becoming more secure and may in fact be reaching BlackBerry's level of security. RIM also has Microsoft tablets and smartphones to contend with: Microsoft has a loyal corporate following, and its devices ship with tight security built in.

To make matters worse, on 2 November 2012 the Pentagon dropped RIM exclusivity. The U.S. Immigration and Customs Enforcement (ICE) agency, a division of the U.S. Department of Homeland Security, said it was looking to take the BlackBerry smartphone out of its employees' hands in favour of Apple's iPhone; the Pentagon had similar plans and quietly issued its warning to the Canadian smartphone maker.

The Pentagon will retain BlackBerrys in its department for some secure communications, while Apple and Google are free to submit proposals to support their iOS and Android devices. Rival smartphone makers continue to work towards government certification to prove that their devices can be managed in a secure enterprise environment and used for official government communications.

There are a few ways in which a BlackBerry could be considered more secure than iOS and Android:

Email sent to your BlackBerry via BlackBerry Enterprise Server (BES) is encrypted using an end-to-end protocol that is completely independent of the public certificate authority system.

  • Attackers with access to the mobile phone network and a legitimately signed subordinate CA can easily intercept all of the ActiveSync mail sent to your iOS and Android devices. This is not possible with BlackBerry mail.
  • In theory, even RIM itself cannot break into communications between your phone and the BES server after provisioning, which is the root of its disagreements with the United Arab Emirates and India.

BES provides much finer-grained security controls than are available on iOS and Android.

  • This gap is closing thanks to the efforts of companies such as 3LM.

"Classic" BlackBerry applications are written in Java against the J2ME APIs.

  • This greatly reduces the attack surface against the operating system when compared to iOS and Android.

RIM tightly integrates its hardware and software encryption mechanisms.

  • This provides a level of data protection on a lost device that is currently unavailable on iOS and Android.

There are some significant ways in which the common wisdom about BlackBerry security is false:

BlackBerry-to-BlackBerry messaging is secure from interception - False

  • These messages are encrypted with a shared symmetric key that is installed on every BlackBerry. This key has been handed over to governments by RIM, and even if it hadn't been, most intelligence services would be able to reverse engineer it out of the BlackBerry OS.
  • It is entirely possible for adversaries able to sniff the mobile network to read BBM messages. It is highly likely that most first-world and some developing-world law enforcement agencies already do this regularly.
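To make the key-management point above concrete, here is an added model (not BBM's real protocol, and not code from the article) of why a single key baked into every handset gives no confidentiality against anyone who holds one handset, contrasted with a per-conversation key. The toy cipher, the PIN strings and the "provisioned secret" are all constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the one key the article says ships in every handset.
GLOBAL_KEY = hashlib.sha256(b"constructed-device-wide-key").digest()


def keystream(key, nonce, length):
    """Toy counter-mode keystream from HMAC-SHA256 (a model, not BBM's cipher)."""
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def xor_crypt(key, nonce, data):
    """Encryption and decryption are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def conversation_key(shared_secret, pin_a, pin_b):
    """Per-conversation key derived from a secret only the two parties hold
    (assumed to be established at provisioning), bound to the pair of PINs."""
    label = "|".join(sorted([pin_a, pin_b])).encode()
    return hmac.new(shared_secret, b"conv-key:" + label, hashlib.sha256).digest()


def eavesdrop(nonce, ciphertext, key_observer_holds):
    """Passive observer on the carrier network decrypting with whatever key
    they could extract from a handset they own."""
    return xor_crypt(key_observer_holds, nonce, ciphertext)


def demo():
    msg = b"meet at 10, bring the contract"  # constructed sample message
    nonce = os.urandom(12)
    # 1) Device-wide key: the observer's own handset holds exactly the same key.
    ct_global = xor_crypt(GLOBAL_KEY, nonce, msg)
    global_readable = eavesdrop(nonce, ct_global, GLOBAL_KEY) == msg
    # 2) Per-conversation key: the observer's handset only knows its own secrets.
    alice_bob_secret = os.urandom(32)
    ct_pair = xor_crypt(conversation_key(alice_bob_secret, "ALICE001", "BOB00001"), nonce, msg)
    eve_key = conversation_key(os.urandom(32), "EVE00001", "EVE00002")
    pairwise_readable = eavesdrop(nonce, ct_pair, eve_key) == msg
    return global_readable, pairwise_readable


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The first result is what the article describes: the network observer reads the message because every handset carries the same key; the second shows that a key scoped to the conversation leaves the same observer with nothing.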

BlackBerrys cannot be hacked - False

  • This was proven to be false when a BlackBerry Torch fell victim to a WebKit exploit during the Pwn2Own challenge at CanSecWest this year.
  • BBOS is written in C++, as are most of its applications, and traditional memory-management flaws are even more exploitable on BlackBerrys than on the latest versions of iOS and Android.

BlackBerrys cannot be infected by malicious applications - False

  • This used to be partially true in the J2ME days, when BlackBerry applications were very limited in their capabilities. RIM now offers a Native Development Kit that lets developers create applications that run outside of the JVM.