This is the first post in a three-part series on smartphones and information security. The series will discuss overall security of the BlackBerry, Apple and Android mobile operating systems.
Today, it seems like everyone has, or is planning to get, a smartphone. From recent buzz surrounding the much-anticipated Verizon iPhone, to speculations on the staying power of the Android’s market dominance, the focus has been on smartphones and their presumed takeover of the mobile market.
The Basics of Smartphones
A smartphone combines the elements of a normal mobile phone with the additional features of a personal digital assistant (PDA). The convenience provided by the marriage of these technologies is huge, especially for those needing constant connection to personal or professional communication systems. For more information, read Liane Cassavoy’s article: What Makes a Smartphone Smart?
Be it the stalwart BlackBerry, the utopian Apple iOS, or the Swiss army knife Android platform, increasing numbers of corporate users — from the C-level to the mail room clerk — are becoming enamored, if not attached at the hip, to their mobile devices.
Not only are they used for personal communications, such as calls, texting, email and web browsing, but we have also grown to rely on them for work. If your business information is being shared via smartphone, it’s important that you understand the security models of the leading smartphones.
BlackBerry - Apparent Strengths Can Become Weaknesses
The BlackBerry OS (BBOS) and BlackBerry Enterprise Server (BES) together implement an exquisitely fine-grained security layer that allows administrators to define hundreds of configuration settings. For example, you can set the encryption of the device contents down to the level of the key length and algorithm to use. On other devices, “whole device encryption” or “application encryption” is either on or off, and the device maker has chosen the algorithm and key lengths. BlackBerry’s placing this control in the hands of the users results in an embarrassment of riches of sorts: when a configuration setting can be controlled, there is a tendency to change the default to something “more secure.” The consequence is that the complexity of dozens of such choices must then be managed going forward, in the sense of being carried over to new hardware models, tested on new versions of the BBOS, and so on. For the customer this is a potentially huge time sink. For the device and OS maker it creates an enormous burden of legacy compatibility. We have seen the same phenomenon with MS Windows.
In BlackBerry’s defense, they have tried to control management complexity. For example, these customizations can be bundled into named configurations (e.g., “Sales Config”, “IT Config”, etc.) and distributed to the BlackBerry population based on job role. But remember, BlackBerry has been playing hardware catch-up with touchscreen phones, and now tablets, and has re-versioned its operating system from 4.x to 6.x in the space of 36 months. Bringing the aforementioned custom configurations forward through revisions of the BBOS, BES and dozens of new device models is quite challenging. Moreover, over the next couple of years, RIM is moving new devices entirely from the proprietary BBOS to QNX, a real-time microkernel OS!
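To make the management problem concrete, here is an added example (not RIM or BES code) that models role-based policy bundles inheriting from a base configuration and checks each bundle against the settings a target OS version supports. The setting names, version labels and allowed-value tables are constructed stand-ins for real IT policy rules; the point is that every explicit override is one more item that must be carried forward, validated, or consciously left to the vendor default when the OS moves from one major version to the next.

```python
"""Role-based policy bundles and a cross-version compatibility check.

Added illustration, not BlackBerry/RIM code. Setting names, version
labels and the allowed-value tables below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed per-version catalogue: setting name -> set of allowed values.
# A setting missing from a version's table cannot be carried forward as-is.
SUPPORTED = {
    "4.x": {
        "content_protection": {"off", "strong", "stronger", "strongest"},
        "password_required": {True, False},
        "min_password_length": set(range(4, 15)),
        "allow_wifi": {True, False},
        "legacy_sync_mode": {"serial", "usb"},   # absent from the 6.x table
    },
    "6.x": {
        "content_protection": {"off", "stronger", "strongest"},  # "strong" dropped
        "password_required": {True, False},
        "min_password_length": set(range(4, 33)),
        "allow_wifi": {True, False},
        "wifi_hotspot_allowed": {True, False},    # new in the 6.x table
    },
}


@dataclass
class Bundle:
    """A named configuration; unset keys fall through to the parent bundle."""
    name: str
    settings: dict
    parent: Optional["Bundle"] = None

    def effective(self) -> dict:
        merged = dict(self.parent.effective()) if self.parent else {}
        merged.update(self.settings)
        return merged


def check_bundle(bundle: Bundle, target: str) -> list:
    """Return (issue_kind, setting) pairs for migrating bundle to target version.

    removed              -> the target version has no such setting at all
    invalid_value        -> the setting exists but the chosen value is gone
    unset_vendor_default -> a target-version setting the bundle never decided,
                            so the vendor default silently applies
    """
    table = SUPPORTED[target]
    eff = bundle.effective()
    issues = []
    for key, value in sorted(eff.items()):
        if key not in table:
            issues.append(("removed", key))
        elif value not in table[key]:
            issues.append(("invalid_value", key))
    for key in sorted(table):
        if key not in eff:
            issues.append(("unset_vendor_default", key))
    return issues


def migration_report(bundles, target: str) -> dict:
    """Map each bundle name to its list of migration issues for target."""
    return {b.name: check_bundle(b, target) for b in bundles}


# Constructed bundles: one base plus two role-specific overrides.
BASE = Bundle("Base Config", {
    "password_required": True,
    "min_password_length": 8,
    "content_protection": "strong",
    "legacy_sync_mode": "usb",
    "allow_wifi": False,
})
SALES = Bundle("Sales Config", {"allow_wifi": True}, parent=BASE)
IT = Bundle("IT Config", {"content_protection": "strongest",
                          "min_password_length": 14}, parent=BASE)

if __name__ == "__main__":
    for version in SUPPORTED:
        print(f"--- migrating to {version} ---")
        for name, issues in migration_report([BASE, SALES, IT], version).items():
            print(name, issues or "ok")
```

Run as a script it prints a clean report for 4.x and, for 6.x, flags the dropped sync setting and the retired “strong” protection level in every bundle that inherits them, plus the new hotspot setting nobody has decided yet. Each flagged line is work that a customer, not the vendor, has to do before the fleet can move.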
In general BlackBerry has been a very robust and reliable platform, although it has had some bobbles (not surprising given its long-lived number-one smartphone position).
As with any device, you run the risk of experiencing system failures and service blackouts, which can result in serious problems for highly dependent users. For some BlackBerry customers, this dreaded occurrence became a reality in late January 2011, as the BlackBerry Internet Service experienced a brief outage.
Another source of potential concern over availability and security is that much of the comfort and control/monitoring behind BlackBerry use resulted from the fact that all network traffic to and from the device was forced to loop all the way back through the corporate LAN (one of the main functions of the MDS service that runs in the BES) before going out to, say, the Internet. The upside was that all of the corporate safeguards put in place for email and web filtering were automatically in place for the BB traffic as well. However, newer BB models have to some extent shot this model in the foot by including Wi-Fi, which supports direct attachment to the Internet (if the corporate admins permit it), which of course means that the BB can make direct connections to potentially infected web sites.
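The routing change above is easy to audit once you have connection records that say which path a request took. The following added example (not BES/MDS code; the log format, device PINs, hostnames and blocklist are all constructed) parses such records and separates requests that went back through MDS, where the corporate web filter applied, from those that egressed directly over Wi-Fi, and reports which direct requests reached a host the corporate filter would have blocked.

```python
"""Audit device egress paths: MDS loop-back versus direct Wi-Fi.

Added illustration. The log format, PINs, hostnames and blocklist are
constructed; a real deployment would feed proxy or MDS logs instead.
"""
import re
from collections import Counter

# Constructed sample log (hypothetical format). One malformed line is
# included to show that unparseable input is counted, not silently dropped.
SAMPLE_LOG = """\
2011-01-28T10:02:11 pin=2100000A path=mds dst=mail.corp.example.com
2011-01-28T10:02:15 pin=2100000A path=mds dst=news.example.net
2011-01-28T10:05:40 pin=2100000B path=wifi-direct dst=cdn.example.org
2011-01-28T10:06:02 pin=2100000B path=wifi-direct dst=malware-drop.example
this line is malformed and is skipped
2011-01-28T10:07:30 pin=2100000C path=mds dst=malware-drop.example
"""

# Constructed corporate web-filter blocklist (domain or parent domain).
BLOCKLIST = {"malware-drop.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pin=(?P<pin>[0-9A-F]{8}) "
    r"path=(?P<path>mds|wifi-direct) dst=(?P<dst>\S+)$"
)


def parse_log(text: str):
    """Yield parsed records; return the count of lines that did not parse."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            skipped += 1
    return records, skipped


def is_blocked(host: str, blocklist) -> bool:
    """True if host or any parent domain is on the blocklist."""
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def audit(text: str, blocklist=BLOCKLIST) -> dict:
    """Summarise which requests were filtered by the corporate proxy and
    which bypassed it entirely by going straight out over Wi-Fi."""
    records, skipped = parse_log(text)
    paths = Counter(r["path"] for r in records)
    filtered_at_proxy = [
        (r["pin"], r["dst"]) for r in records
        if r["path"] == "mds" and is_blocked(r["dst"], blocklist)
    ]
    unfiltered_to_blocked = [
        (r["pin"], r["dst"]) for r in records
        if r["path"] == "wifi-direct" and is_blocked(r["dst"], blocklist)
    ]
    return {
        "via_mds": paths["mds"],
        "direct": paths["wifi-direct"],
        "skipped": skipped,
        "direct_pins": sorted({r["pin"] for r in records
                               if r["path"] == "wifi-direct"}),
        "filtered_at_proxy": filtered_at_proxy,
        "unfiltered_to_blocked": unfiltered_to_blocked,
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the constructed log, the request from device 2100000C to the blocked host went through MDS and is stopped by the existing filter; the same destination reached from 2100000B over Wi-Fi never touched the corporate LAN, which is exactly the gap the paragraph describes. The `direct_pins` list is the set of devices whose traffic an administrator can no longer assume has been inspected.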
What has your experience been?
We’d like to hear about any security issues you’ve faced with your BlackBerry, or concerns with the BBOS that have swayed you to consider an alternative smartphone system.
Stay tuned for the next two posts on information security with the leading smartphone operating systems:
- Apple iOS
- Google Android
John Brady is Information Security Architect Engineer at Westfield Insurance.
Photo - Cheon Fong Liew