
BlackBerry 10 Security Overview


Page 1: BlackBerry 10 Security Overview

Published: 2014-09-24

SWD-20140924154722506

Contents

Foreword (p. 5)
Introduction (p. 6)
    Key security features and benefits (p. 6)
End-to-end solution (p. 9)
    Our mitigation strategies for security threats (p. 10)
Platform security (p. 11)
    Hardware root of trust (p. 11)
    The BlackBerry 10 OS (p. 11)
    BlackBerry 10 device architecture (p. 12)
    The BlackBerry 10 file system (p. 14)
    Bootloader code security (p. 14)
    Verifying the OS and its file system (p. 15)
Secure device management (p. 17)
    Exchange ActiveSync (p. 18)
    BlackBerry Balance (p. 18)
        Benefits of BlackBerry Balance (p. 18)
        How BlackBerry Balance separates work and personal spaces (p. 19)
        What BlackBerry Balance allows users to do (p. 20)
    Regulated BlackBerry Balance (p. 21)
    Work space only (p. 21)
Data in transit security (p. 23)
    Encryption methods for data in transit (p. 23)
    BlackBerry Infrastructure connections (p. 24)
    BES10 connections (p. 24)
    Work Wi-Fi connections (p. 24)
        Wi-Fi authentication (p. 25)
        Wi-Fi encryption (p. 25)
    VPN (p. 26)
        VPN encryption (p. 26)
App security (p. 27)
    Application sandboxing (p. 27)
    App access permissions (p. 28)
    App vetting (p. 29)
Data at rest protection (p. 30)
    Password authentication (p. 30)
    Two-factor authentication (p. 30)
    Data encryption (p. 30)
BBM (p. 32)
    BBM Protected (p. 32)
BlackBerry Protect (p. 34)
Conclusion (p. 35)
Glossary (p. 37)
Legal notice (p. 39)


Foreword

Today’s threats to mobile security have reached crisis proportions. Every day I read a news article about another hacker attack, malware epidemic, million-dollar data breach, or explosive spying report. At BlackBerry, security is integral to everything we do. It’s not just an offering we provide – security is a philosophy we embody. We have the know-how, patents, and heritage to deal with these threats.

We build security into every layer of our products, from software, hardware, infrastructure and devices. These layers all work together on our proprietary network to create scalable security solutions that are the only ones trusted enough for global financial services companies, top law firms, health care providers, law enforcement, defense departments and the Oval Office. BlackBerry has over 50 security certifications and approvals, more than any other mobile vendor, including the only “Full Operational Capability” approval to run on U.S. Department of Defense networks.

At BlackBerry, our entire focus is on making workers more productive and organizations more secure. After reading this guide, you'll understand why we're the gold standard and why you can trust us to be your mobile security solution.

John Chen

CEO, BlackBerry


Introduction

BlackBerry has an extensive legacy of placing security at the forefront of all our products. Security and privacy are two of the key strengths of all our products, whether hardware, OS, or apps.

Our products work together to create an end-to-end mobile security solution that is designed to meet the needs of all organizations, including organizations that operate in heavily regulated environments and organizations that have BYOD policies. Our security solution lets you keep your data safe and private while it is in transit on your network and when it is at rest on a mobile device.

This guide describes the unique qualities of BlackBerry 10 that help make security-conscious organizations successful in the mobile space. BlackBerry 10 devices build on the QNX OS qualities of security, reliability, and resiliency. These qualities make the QNX OS ideal for use in the critical systems found in cars, nuclear plants, and hospitals. These qualities also make our products ideal for the developing Internet of Things.

In this guide, you will learn about BlackBerry 10 security, including:

• The value of an end-to-end security model that protects your data in transit and at rest on the device

• The exceptional security of the BlackBerry 10 OS and its file system that separates and protects your apps and data

• The flexibility of various management options that allow you to secure devices regardless of who owns them and which network they are on

• The unique benefits of the secure technology that we use to set up and control a separate work space for your apps and data

This guide is intended to provide a high-level overview. If you require more detail, see the BlackBerry Enterprise Service 10 Security Technical Overview.

Key security features and benefits

The following table describes some of the key security features and benefits for BlackBerry 10. This guide describes each feature in more detail.

Feature: End-to-end solution
Description: We have a full end-to-end security solution, which includes BES10, devices, the BlackBerry Infrastructure, manufacturing, and supply chain. We can make sure everything works securely because we control everything.
Benefit: You can use all or some of our end-to-end solution to meet the security needs of your organization. You can trust that we have built security into all aspects of the solution.

Feature: Platform security
Description: We verify the authenticity of the BlackBerry 10 OS and software every time any BlackBerry 10 device in the world boots up. The BlackBerry 10 OS is based on QNX Neutrino RTOS. Its resilience and security protect against malware, tampering, and data leakage.
Benefit: Your data and apps are secure because they are stored and used on devices that have proven their integrity. You can add your own apps and manage your data on a resilient foundation that has proven its trustworthiness in numerous mission-critical situations.

Feature: Secure device management
Description: BlackBerry 10 allows for the full range of security needs, up to the highest levels of security control. With BlackBerry Balance technology, users can have a space for their personal use without sacrificing your security needs. BlackBerry Hub allows easy access to all work and personal accounts and maximizes productivity while seamlessly protecting your data.
Benefit: Your users can maintain their privacy, enjoy friendly UIs, and have fun, without negatively impacting your security needs. Mobile devices can achieve their maximum potential for your organization.

Feature: Data in transit security
Description: BlackBerry 10 supports a full range of authentication and encryption methods, allowing you to securely connect devices to your network using the BlackBerry Infrastructure, Wi-Fi, and VPN. In addition, you can control how BlackBerry 10 connects using Bluetooth and NFC.
Benefit: Devices can connect seamlessly and securely to your network. You can easily extend your network security protocols to devices without negatively impacting user experience.

Feature: App security
Description: We place all apps in their own sandboxes to protect against malware and data leakage. We scan all apps for malware or privacy violations before the apps are added to BlackBerry World.
Benefit: You can trust the apps that are running on the device. To enhance your users’ productivity, you can select the mobile apps that would be most beneficial to their roles.

Feature: Data at rest protection
Description: BlackBerry 10 supports a variety of ways to keep data private, including passwords, two-factor authentication, data encryption, and more.
Benefit: You can rest assured that your data is kept private and is unlikely to leak. For devices that use BlackBerry Balance, users are assured that their personal data, apps, and details are private from everyone, including you.

Feature: Additional security apps
Description: BlackBerry 10 devices integrate with a number of apps that extend security:
• BBM and BBM Protected, so that users can have a secure and usable mobile IM app
• BlackBerry Protect, which allows users to protect data when devices are lost or stolen
Benefit: Your users can use BBM for work communication without compromising your data. You and your users can safely back up data and protect devices.

End-to-end solution

We offer a complete end-to-end solution that allows you to securely manage BlackBerry 10 devices in your organization. The following diagram and table describe the components that make up the solution.

Component: BlackBerry 10 devices
Description: BlackBerry 10 devices have a carefully controlled manufacturing process, and security applied to each level of the product, such as bootloader checks, OS checks, app authorization, and access control.

Component: Wireless network
Description: The wireless network provides the conduit for data flow between devices and your organization. Devices can use mobile, Wi-Fi, or VPN networks. Devices encrypt all data using AES encryption.

Component: BlackBerry Infrastructure
Description: The BlackBerry Infrastructure is the name for our network. It authenticates and authorizes devices and BES10 instances.

Component: Your organization’s firewall
Description: The BlackBerry end-to-end solution uses default port 3101 through your organization’s firewall. Your administrator can set up the BlackBerry Router or TCP proxy in the DMZ, if required for additional security.

Component: BES10
Description: BES10 is our EMM solution. It allows you to activate and manage devices, manage apps, and control access to content. The connection between devices and BES10 is secured using TLS.

Component: Third-party servers
Description: The third-party servers are the content servers, mail servers, CAs, or other servers that host your organization’s data or enhance your organization’s security.

Our mitigation strategies for security threats

The following table provides a brief summary of the security threats that the various components in an end-to-end solution can face, and how we’ve mitigated those threats for you.

Component: Devices
Threats against the component:
• Insecure configuration
• Vulnerable OS
• Unauthorized access
• Viruses and malware
• Loss of sensitive data
• Device loss or theft
Our mitigation strategies:
• Device provisioning and management
• Hardware root of trust (device integrity)
• Passwords and two-factor authentication to unlock device
• Allowed and disallowed app lists
• Encryption of data at rest that meets FIPS 140-2 criteria
• Remote wipe of apps and device

Component: Apps
Threats against the component:
• Malware
• Exploitation of vulnerable apps
• Compromised apps
• Data or information leakage
Our mitigation strategies:
• App management and monitoring
• Allowed and disallowed app lists
• Secure app development processes
• App vetting and certification

Component: BlackBerry Infrastructure
Threats against the component:
• Unauthorized access
• Viruses and malware
• Compromised data
• Compromised apps
• Insecure coding
Our mitigation strategies:
• PIV-based user authentication on the device
• Device malware scans, integrity checks, and monitoring
• Device authentication
• Signed apps and app verification
• Secure app development and vetting

Component: Your network
Threats against the component:
• Eavesdropping, data interception
• Wireless voice or data collection
• Drive-by downloads
• Location tracking using GPS
• Behavior tracking
Our mitigation strategies:
• Encryption of data in transit
• VPN support
• Ability to disable split tunneling and tethering
• Configurable profiles
• Mobile network license agreements

Platform security

We use various security measures to protect the BlackBerry 10 hardware and OS and to establish root of trust. BlackBerry encryption and authentication processes then use the root of trust to create encryption and signing keys that protect your apps and data.

Hardware root of trust

You need to know that the mobile devices that connect to your organization’s network are trustworthy and not counterfeit or spoofed devices. Trustworthiness needs a solid foundation, which for computers or mobile devices ultimately means the hardware itself should be the foundation, or root, of trust.

Our approach to establishing hardware root of trust has two main pillars:

• Our manufacturing process

• Our BlackBerry Infrastructure that checks whether devices are authentic when they connect

We use a unique manufacturing security model that integrates security into every major component of product design. We have enhanced our end-to-end manufacturing model to securely connect the supply chain, BlackBerry manufacturing partners, our network, and devices, which allows us to build trusted devices anywhere in the world.

To prevent counterfeit devices from operating on our network or using our services, we do the following:

• During manufacturing, we use the device’s hardware-based keys to track, verify, and provision each device as it goes through the manufacturing process.

• During the device life cycle, we use device authentication that cryptographically proves the identity of any BlackBerry device that tries to register with our network.

The way we establish root of trust means that only devices that have demonstrated authenticity can connect to your organization’s network.

The BlackBerry 10 OS


A typical operating system has a kernel space and a user space. The kernel space includes software that controls processes, devices, interprocess communication, and the file system. All this code means that the typical operating system is exposed to a wide variety of vulnerabilities and can get difficult to update and maintain.

In contrast, the BlackBerry 10 OS is a microkernel operating system that is based on the QNX Neutrino RTOS. Unlike typical operating systems, microkernel operating systems implement the minimum amount of software in the kernel and run other processes in the user space that is outside the kernel. Because there is less code in the kernel, it has less exposure to vulnerabilities and it’s easier to verify.

The BlackBerry 10 OS is tamper resistant, resilient, and secure. Its kernel performs the following key actions to protect the device:

• When it starts, it performs an integrity test. If the integrity test detects damage to the kernel, the device does not start.

• If a process stops responding, it isolates that process in its own user space and restarts it without negatively affecting other processes.

• It uses adaptive partitioning to prevent apps from interfering with or reading the memory used by another app.

• It validates requests for resources and controls how apps access the capabilities of the device, such as access to the camera, contacts, and device identifying information.

For more information about the benefits of QNX Neutrino RTOS, see http://www.qnx.com/download/group.html?programid=21503.

BlackBerry 10 device architecture

The following diagram shows the components of the BlackBerry 10 device architecture. These components work together to protect the privacy, integrity, and confidentiality of your apps and data.

Component: CPU embedded bootloader
Description: The CPU bootloader verifies the digital signature of the bootloader code before it can run.

Component: Bootloader
Description: The bootloader verifies the digital signature of the OS before it can run.

Component: Microkernel
Description: The microkernel is the minimal amount of software that the OS requires to run.

Component: Radio
Description: The radio includes the drivers, stacks, and services required to support the radio subsystems for voice, data, and other services.

Component: Drivers and BSP
Description: The drivers and BSP include the drivers and board bring-up logic to support the device hardware.

Component: OS
Description: The OS processes that exist outside of the kernel.

Component: Platform and application services
Description: Platform and application services include security management, software installation and management, background services for applications, media services, and more. Platform and application services are required because apps can't run services in the background or gain access to protected system components and services.

Component: Application runtimes
Description: Runtimes include virtual machines, libraries, services, mapping layers, and more. All applications run in isolated sandboxes. BlackBerry 10 devices support apps built with the native SDK, Android, and HTML5.

Component: App
Description: The apps that are preloaded, user-installed, or deployed by your organization.

The BlackBerry 10 file system

The BlackBerry 10 file system runs outside of the kernel and keeps your data secure and, depending on your activation choice, separate from personal data. The BlackBerry 10 OS divides the file system into the following areas:

• Base file system

• Work file system

• Personal file system (BlackBerry Balance activation types only)

The base file system is read-only and contains system files. Because the base file system is read-only, the BlackBerry 10 OS can check the integrity of the base file system and mitigate the damage that an attacker who changes the file system can cause.

The work file system contains work apps and data. The device encrypts the files stored in the work space.

If you activate devices to have both personal and work spaces, the personal file system contains the user’s personal data and apps. Apps that a user installs on the device from the public BlackBerry World storefront are located in the personal file system. The device can encrypt the files stored in the personal file system.

Bootloader code security


The bootloader is the program that loads the BlackBerry 10 OS when a user turns on a device. It’s important to verify that the bootloader hasn’t been tampered with before it runs.

During manufacturing, we perform the following actions that provide the basis of trust for the bootloader:

• The bootloader is installed into flash memory.

• The BlackBerry signing authority uses its private signing key to sign the bootloader.

• The public verification key of the BlackBerry signing authority is installed into the processor.

When a user turns on a device, the processor reads the bootloader from flash memory and uses the stored public key to verify the digital signature of the bootloader code. If the verification process completes, the bootloader is permitted to run on the device. If the verification process cannot complete, the device stops running.

Verifying the OS and its file system


After the bootloader is verified, the bootloader verifies that the BlackBerry 10 OS has not been tampered with. As part of our development process, we sign the OS using ECC 521 with a series of private signing keys. The bootloader uses the corresponding public verification keys to verify that the digital signature is correct. If it is correct, the bootloader runs the OS.

One of the first actions the OS performs is to mount the read-only base file system (so that it can access its executables and data files). Before it mounts the base file system, it checks whether the file system has been tampered with.
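The two checks just described (the processor verifying the signed bootloader, then the bootloader verifying the ECC 521-signed OS, and the OS checking the read-only base file system before mounting it) form one chain of trust. The following Go program is an added illustration, not BlackBerry code: it models that chain with ECDSA over P-521 (the curve behind "ECC 521") and SHA-512, and shows that a single flipped byte in any stage halts the boot. The key names, image contents and the one-key-per-stage layout are constructed for the example; the real signing keys, image formats and file-system integrity mechanism are not described on this page.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Image is one signed boot stage: its bytes plus the signature the stage below checks.
type Image struct {
	Name string
	Data []byte
	Sig  []byte // ASN.1 DER ECDSA signature over SHA-512(Data)
}

// ErrHalt models "the device stops running": any failed check aborts the boot.
var ErrHalt = errors.New("verification failed: device halted")

func digest(data []byte) []byte {
	d := sha512.Sum512(data)
	return d[:]
}

// Sign stands in for the signing authority at build time (constructed for this example).
func Sign(priv *ecdsa.PrivateKey, name string, data []byte) (Image, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(data))
	if err != nil {
		return Image{}, err
	}
	return Image{Name: name, Data: data, Sig: sig}, nil
}

// Device holds the trust anchors present before any untrusted code runs: the key in the
// processor, the OS key carried by the verified bootloader, and the base file system hash.
type Device struct {
	ProcessorKey *ecdsa.PublicKey
	OSKey        *ecdsa.PublicKey
	BaseFSHash   []byte
}

// Boot walks processor -> bootloader -> OS -> base file system and returns the stages that ran.
func (d *Device) Boot(bootloader, osImg Image, baseFS []byte) ([]string, error) {
	var ran []string
	if !ecdsa.VerifyASN1(d.ProcessorKey, digest(bootloader.Data), bootloader.Sig) {
		return ran, fmt.Errorf("%s: %w", bootloader.Name, ErrHalt)
	}
	ran = append(ran, bootloader.Name)
	if !ecdsa.VerifyASN1(d.OSKey, digest(osImg.Data), osImg.Sig) {
		return ran, fmt.Errorf("%s: %w", osImg.Name, ErrHalt)
	}
	ran = append(ran, osImg.Name)
	// The base file system is read-only, so its hash is fixed at build time and is
	// compared before the file system is mounted.
	if !bytes.Equal(digest(baseFS), d.BaseFSHash) {
		return ran, fmt.Errorf("base file system: %w", ErrHalt)
	}
	return append(ran, "base file system"), nil
}

// Provision generates P-521 keys, signs both images, and records the base file system hash.
func Provision(bootloaderData, osData, baseFS []byte) (dev *Device, bl, osImg Image, err error) {
	var bootKey, osKey *ecdsa.PrivateKey
	if bootKey, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader); err != nil {
		return
	}
	if osKey, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader); err != nil {
		return
	}
	if bl, err = Sign(bootKey, "bootloader", bootloaderData); err != nil {
		return
	}
	if osImg, err = Sign(osKey, "BlackBerry 10 OS", osData); err != nil {
		return
	}
	dev = &Device{ProcessorKey: &bootKey.PublicKey, OSKey: &osKey.PublicKey, BaseFSHash: digest(baseFS)}
	return
}

// Tamper flips one byte of an image, as rewritten flash would; the signature no longer matches.
func Tamper(img Image) Image {
	data := append([]byte(nil), img.Data...)
	data[0] ^= 0x01
	return Image{Name: img.Name + " (tampered)", Data: data, Sig: img.Sig}
}

func main() {
	baseFS := []byte("base file system contents") // constructed sample data
	dev, bl, osImg, err := Provision([]byte("bootloader image"), []byte("OS image"), baseFS)
	if err != nil {
		panic(err)
	}
	ran, err := dev.Boot(bl, osImg, baseFS)
	fmt.Println("genuine images:", ran, err)
	ran, err = dev.Boot(bl, Tamper(osImg), baseFS)
	fmt.Println("tampered OS:", ran, err)
}
```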


Secure device management

To manage a device, you connect it to your organization’s network so that it can access your content and so that you can control the device. There are a number of different options for managing devices, depending on your mobile security needs. You determine which management option a device should have when you choose its activation type.

The following table describes the activation types.

Activation type: Exchange ActiveSync
Description: Devices have a personal space only. You have basic device management using the Exchange ActiveSync protocol.
Use case: This option is designed for small businesses that don't have a dedicated IT staff but still require basic management options for devices.

Activation type: Work and personal - Corporate
Description: Devices have a personal space and a work space. You have control of the work space only.
Use case: This option is designed for BYOD situations, where employees have the freedom to use personal apps, including games and social media, in the personal space, without compromising work data and apps in the work space.

Activation type: Work and personal - Regulated
Description: Devices have a personal space and a work space. You have control of both the personal space and the work space.
Use case: This option is designed for COPE situations, where employees are allowed to use devices for personal use, and you want to maintain control of all aspects of the device.

Activation type: Work space only
Description: Devices have a work space only. You have full control of devices.
Use case: This option is designed for COBO situations, where you don't want employees to be able to use devices for anything other than work purposes.

Note: You need different licenses for the different activation types. See the BlackBerry Enterprise Service 10 Licensing Guide for more information.

Exchange ActiveSync

You can connect BlackBerry 10 devices to your organization’s network using Exchange ActiveSync. Exchange ActiveSync is a Microsoft product that allows mobile devices such as BlackBerry 10 to synchronize data with Microsoft Exchange mailboxes. To connect devices to Exchange ActiveSync, users need to add their work email account to their devices.

When you use Exchange ActiveSync, devices have a personal space only, and you have basic management capabilities through Exchange ActiveSync tools. For more information about Exchange ActiveSync, see the Microsoft documentation.

BlackBerry Balance

BlackBerry Balance technology controls how devices protect your apps and data by setting up a work space that's separate from the existing personal space. By default, devices don't have a separate work space. When you activate a device to use BlackBerry Balance, the activation process creates a work space on the device that will host your apps and data.

One of the key features of BlackBerry Balance is its even-handed approach to the data privacy needs of both you and your users. It lets you keep work data and applications secure and separate from personal data, avoiding data leakage through devices that your employees use for both work and personal needs. It also keeps your user's personal apps, email messages and personal details private from everyone, including you. BlackBerry Balance provides the privacy assurance that both you and your users need.

There are two types of BlackBerry Balance that align with the work and personal activation types.

Activation type: Work and personal – Corporate
BlackBerry Balance type: BlackBerry Balance
Description:
• You control the work space only.
• The user controls the personal space.

Activation type: Work and personal – Regulated
BlackBerry Balance type: Regulated BlackBerry Balance
Description:
• You control the work space.
• You have some management options that apply to the entire device.
• The user controls the personal space.

Benefits of BlackBerry Balance

BlackBerry Balance is unique in the industry in what it can do to help you balance your security requirements with user needs.

BlackBerry Balance is designed to prevent your data from being compromised and lets you control what happens to your data. It includes the following management options:

• Access controls to your apps and data

• App management

• Ability to wipe your data and apps from personal devices

• Control over network connections for apps

At the same time, BlackBerry Balance presents a unified UI called "BlackBerry Hub" to users for core apps such as email and calendar. BlackBerry Hub allows users to focus on getting the most out of their device from both a personal and work standpoint.

The following graphic provides a high-level overview of what BlackBerry Balance looks like on a device.

How BlackBerry Balance separates work and personal spaces


BlackBerry Balance separates and secures work and personal information on devices by creating spaces on the device to separate work and personal activities. Spaces have the following characteristics:

• They are located in distinct areas of the device to separate them.

• They allow separate management of different types of apps, data, and network connections.

• They can have different rules for data storage, app permissions, and network routing.

The purpose of the separate spaces is to make sure users can’t copy work data into a personal app or leak sensitive data using other methods (such as BBM Video).

To protect your apps and data, BlackBerry Balance encrypts the work space during activation. The personal space isn’t affected by the activation process, though you can force the device to also encrypt the personal space.

What BlackBerry Balance allows users to do

BlackBerry Balance allows users to cut, copy, or paste text from personal apps to work apps.

BlackBerry Balance doesn’t allow users to:

• Move files from the personal space to the work space or from the work space to the personal space

• Cut, copy, or paste text from work space apps to personal space apps

Devices store data that users copy from work apps in the work space only and data that users copy from personal apps in the personal space only.


Regulated BlackBerry Balance

Regulated BlackBerry Balance builds on regular BlackBerry Balance. It gives you more control over device features while your users can still use devices for both work and personal use.

Regulated BlackBerry Balance lets you perform the following additional management tasks:

• Disable device features across the work and personal space

• Prevent users from having personal accounts on the device

• Log or block communication paths for phone calls, SMS, BBM, and so on

• Block communication paths such as Wi-Fi, Bluetooth, and NFC

• Audit personal data on devices (for privacy reasons, you may need to let your users know about this by sending an organizational notice to the device)

The following graphic provides a high-level overview of what Regulated BlackBerry Balance looks like on a device.

Work space only

When you activate BlackBerry 10 devices using the work space only option, devices have only one space, which is considered a work space. All data and apps on these devices are classified as work resources.


With this activation option, you have full control over devices and you can:

• Approve all apps and services on devices

• Log communication paths for phone calls or SMS messages

• Disable device features such as the camera or GPS

• Block communication paths such as Wi-Fi, Bluetooth, and NFC

• Control what apps users can download

• Prevent users from having personal accounts on the device

• Audit all data on devices

To secure work data on these devices, users must set a device password during activation.

The following graphic provides a high-level overview of what work space only looks like on a device.

Secure device management

22

Page 23: BlackBerry 10 Security Overview

Data in transit security

Because many of your employees work outside the office, any mobile solution you use must protect data in transit across your entire network.

The following list describes the three main paths BlackBerry 10 devices can use to access your organization's network:

• BlackBerry Infrastructure: A device connects to your organization's network through the BlackBerry Infrastructure.

• Work Wi-Fi: A device connects to your organization’s network using a work Wi-Fi connection that an administrator sets up.

• VPN: A device connects to your organization’s network using any wireless access point or a mobile network, your organization’s firewall, and your organization’s VPN server.

No matter how devices connect to your organization’s network, they can send data securely. Each connection has multiple options available to authenticate the connection and encrypt the data in transit, including multiple methods that use certificates.

We also secure data sent using other methods like NFC, Bluetooth wireless technology, and BlackBerry Work Drives. For more information, see the BlackBerry Enterprise Service 10 Security Technical Overview.

Encryption methods for data in transit

BlackBerry 10 devices encrypt data that is sent to your organization's network. The type of encryption used depends on the server the device is connecting to or the network the device is using:

• BlackBerry Infrastructure: TLS encryption

• BES10: AES encryption

• Wi-Fi: Wi-Fi encryption (IEEE 802.11)

• VPN: VPN encryption

• Content servers, web servers, or mail servers: SSL/TLS encryption


BlackBerry Infrastructure connections

Devices can connect to your organization's network and resources using the BlackBerry Infrastructure.

Devices and the BlackBerry Infrastructure encrypt all data that they send to each other using AES-256. Devices authenticate to the BlackBerry Infrastructure before any data is exchanged, and the connection is designed so that an attacker cannot use it to send data to a device or receive data from one.

After managed devices connect to the BlackBerry Infrastructure, the BlackBerry Infrastructure can securely connect them to the appropriate BES10 instance that’s running on your network.

BES10 connections

BlackBerry 10 devices can connect to the BES10 instance running in your network using the BlackBerry Infrastructure, Wi-Fi networks, or VPN networks.

Devices encrypt the data sent to BES10 using AES-256. Each message is encrypted with its own message key, and the message keys are in turn encrypted with a second key that we call the device transport key. The device transport key is known only to the device and BES10 and is never sent over the network, so an attacker who captures the traffic obtains only encrypted messages and encrypted message keys.

Work Wi-Fi connections

BlackBerry 10 devices can connect to work Wi-Fi networks securely after an admin sets up the access points to require authentication and encryption. Devices can use industry-standard Wi-Fi protocols, including WPA2-Enterprise. BlackBerry 10 devices support multiple encryption and authentication methods, including:

• WEP encryption (64-bit and 128-bit), for legacy access points only. WEP is cryptographically broken and its key can be recovered from captured traffic in minutes, so it should not be used to protect work data.

• IEEE 802.1X standard and EAP authentication using EAP-FAST, EAP-TLS, EAP-TTLS, and PEAP

• TKIP and AES-CCMP encryption for WPA-Personal, WPA2-Personal, WPA-Enterprise, and WPA2-Enterprise. TKIP was a stopgap for WEP-era hardware and has known weaknesses; prefer WPA2 with AES-CCMP.

To connect devices to your Wi-Fi network, an admin can configure profiles that send sensitive Wi-Fi information such as encryption keys and passwords to the device. Devices store the encryption keys and passwords in an encrypted form.

To connect to a Wi-Fi network, BlackBerry 10 devices first authenticate and then send data in an encrypted form using the authenticated connection.

Wi-Fi authentication

When BlackBerry 10 devices authenticate with the network, they use a dual-layered connection, which gives the credentials an extra layer of protection. The EAP outer method protects the connection tunnel. Device credentials are sent within the tunnel and protected with the EAP inner method.

When BlackBerry 10 devices open a Wi-Fi connection using WPA-Enterprise or WPA2-Enterprise security, they can use the following authentication methods:

• Cryptographic protocol: WPA2

• Encryption: TKIP, AES-CCMP

• EAP outer method: PEAP, EAP-TTLS, EAP-FAST, EAP-TLS, EAP-AKA, EAP-SIM

• EAP inner method: MS-CHAPv2, EAP-GTC, PAP

The inner methods apply only to the tunneling outer methods (PEAP, EAP-TTLS, and EAP-FAST). EAP-TLS authenticates the device with a client certificate, and EAP-AKA and EAP-SIM with the credentials on the SIM, so they carry no inner method. Because the inner credential (a challenge response for MS-CHAPv2, a one-time token for EAP-GTC, or the password itself for PAP) is protected only by the outer tunnel, the Wi-Fi profile must make the device validate the authentication server's certificate and expected name. A profile that skips that check lets a rogue access point present its own certificate, terminate the tunnel, and collect the inner credentials.
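To make the dual-layer point concrete, here is an added Go program (an illustration written for this page, not BlackBerry code) that models the outer tunnel as a TLS handshake over an in-memory pipe and releases the inner credential only after that handshake succeeds. The server name radius.example.com, the self-signed certificates, the constructed credential string, and the function names are the example's own assumptions. It runs the same exchange three times: against the trusted authentication server, against a rogue access point presenting its own certificate under the same name, and against the rogue again with certificate validation disabled, which is the configuration that leaks the inner credential.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const radiusName = "radius.example.com" // name the supplicant expects the server to present (assumed)
// selfSignedServer makes a self-signed certificate for radiusName. It serves both as the
// legitimate RADIUS server and as a rogue access point presenting its own certificate.
func selfSignedServer() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: radiusName},
		DNSNames:              []string{radiusName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// trustOnly is the supplicant's trust store: just the certificate the Wi-Fi profile pins.
func trustOnly(cert tls.Certificate) (*x509.CertPool, error) {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return pool, nil
}

// tunnelAuth models the outer EAP method: open a TLS tunnel to whatever answers for radiusName
// and, only if the handshake succeeds, send the inner credential through it. It returns what the
// server side received, so the caller can see whether the credential reached a rogue server.
func tunnelAuth(server tls.Certificate, roots *x509.CertPool, skipVerify bool, cred string) (string, error) {
	cliRaw, srvRaw := net.Pipe()
	defer cliRaw.Close()
	cliRaw.SetDeadline(time.Now().Add(3 * time.Second)) // safety net: the in-memory pipe is synchronous
	received := make(chan string, 1)
	go func() {
		srv := tls.Server(srvRaw, &tls.Config{
			Certificates:           []tls.Certificate{server},
			SessionTicketsDisabled: true, // keep the server's flight to the handshake itself
		})
		buf := make([]byte, 256)
		n, err := srv.Read(buf) // completes the handshake, then returns the inner credential
		if err != nil {
			received <- ""
			return
		}
		received <- string(buf[:n])
	}()
	cli := tls.Client(cliRaw, &tls.Config{
		ServerName:         radiusName,
		RootCAs:            roots,
		InsecureSkipVerify: skipVerify, // true models a profile that does not validate the server certificate
	})
	if err := cli.Handshake(); err != nil {
		cliRaw.Close() // tunnel refused: unblock the server side; the credential never left the device
		return <-received, err
	}
	if _, err := cli.Write([]byte(cred)); err != nil {
		return "", err
	}
	return <-received, nil
}

func main() {
	legit, _ := selfSignedServer()
	rogue, _ := selfSignedServer()
	roots, _ := trustOnly(legit)
	for _, c := range []struct{ name string; srv tls.Certificate; lax bool }{
		{"corporate RADIUS, validated", legit, false}, {"rogue AP, validated", rogue, false}, {"rogue AP, validation off", rogue, true},
	} {
		got, err := tunnelAuth(c.srv, roots, c.lax, "alice:<MS-CHAPv2 response>") // constructed credential
		fmt.Printf("%-26s received=%q err=%v\n", c.name, got, err)
	}
}
```

The first and third runs report the credential on the server side; only the second refuses the tunnel. The third run is the one an evil-twin access point relies on, and the fix lives in the profile rather than in the inner method: pin the authentication server's CA and expected name, as the strict runs here do.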

Wi-Fi encryption

BlackBerry 10 devices connect to your organization’s resources through a work Wi-Fi connection that an administrator sets up.


VPN

A VPN provides an encrypted tunnel between a device and your organization’s network over unsecured networks. Organizations can therefore use VPNs to increase the scope of their networks and reduce operational costs without compromising security. If your organization’s environment includes VPNs, you can configure BlackBerry 10 devices to authenticate with the VPN so that they can access your organization's network.

BlackBerry 10 supports both IPsec VPN and SSL VPN methods. Both provide the same security capabilities:

• Mutual authentication: Verifies the identity of each participating entity.

• Data integrity: Verifies that the data has not been altered in transit.

• Data privacy: Makes sure that data is not viewable by anyone other than the intended recipient.

• Nonrepudiation: Attributes the data to the peer that sent it. Strictly speaking, the per-packet integrity checks in IPsec and SSL/TLS use keys shared by both peers, so what the tunnel provides is origin authentication between those two peers rather than non-repudiation that a third party could verify; that stronger property requires digital signatures at the application layer.

To connect to a VPN network, BlackBerry 10 devices first authenticate and then send data in an encrypted form using the authenticated connection.

VPN encryption

The following diagram shows how data is encrypted when BlackBerry 10 devices use VPN.


App security

There are two main types of apps that BlackBerry 10 devices can run, depending on the activation type you choose. Personal apps are available in the personal space of BlackBerry Balance and regulated BlackBerry Balance devices. Work apps are available in the work space.

A work app can be either an internal app you send to the device or a public app available from the public BlackBerry World storefront that you have added to your allowed list. To make sure that you maintain control of the work apps, you need to approve them before users can add them to the work space.

Some apps can be useful for both personal and work purposes (for example, an IM app). In this situation, the user can install one instance of the app in the personal space using the public BlackBerry World, and you can allow a separate instance of the app in the work space using BlackBerry World for Work. The instances are controlled independently, and changes to one instance have no effect on the other instance. For example, you can restrict a personal IM app from adding work contacts, but the work IM app won’t have that restriction.

You can control what data apps can access and how they run. BlackBerry 10 devices use sandboxing, permissions, and allowed lists to protect both your apps and data from attacks.

Application sandboxing

In a traditional OS, apps have direct access to all documents and system resources on a device, so a successful attack on a single app can compromise all the data on the device or brick it (that is, render it unusable).

In contrast, BlackBerry 10 uses app sandboxing. A sandbox is the region of memory and the part of the file system that an app process is allowed to access; sandboxing confines each app's capabilities and permissions to that area of the device.

Sandboxing has two main security benefits:

• It protects apps from each other. This improves stability and preserves the privacy and integrity of user data.

• It protects your data from access by apps that don’t need to have access. This prevents data leakage and protects against malware.

On BlackBerry 10 devices, each app process runs in its own sandbox. For apps that can run in both personal and work spaces, BlackBerry Balance creates separate sandboxes for the processes. Each sandbox is isolated from the other sandbox.

The OS must approve any request that an app process makes for memory outside its sandbox. If a process tries to access memory outside its sandbox without that approval, the OS terminates the process, reclaims all of the memory it was using, and restarts it. Because the OS is built on the QNX Neutrino microkernel, in which drivers and system services run as separate processes rather than inside the kernel, the fault is contained and other processes are not affected.

By default, each app can store its data in its own sandbox and the public folder that's located in its space. The OS prevents apps from accessing file system locations that are not associated with the app.
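As an added illustration of the file-system half of that rule (written for this page, not BlackBerry 10 code), the following Go program models the decision the OS makes when an app asks to open a path: the request is allowed only if, after collapsing any ".." components, it resolves to the app's own directory or to the public folder of the app's space. The directory layout under /accounts/... and the type and function names are assumptions of the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Sandbox models the file-system view the OS grants one app process: its own
// private directory plus the public folder of the space (personal or work) the
// app was installed in. The paths used below are illustrative, not BlackBerry 10's real layout.
type Sandbox struct {
	Private string // this app's own data directory
	Shared  string // the public folder of the app's space
}

// within reports whether a cleaned absolute path is root itself or lies below it.
// It uses filepath.Rel rather than a string prefix, so "/x/shared-other" is not
// mistaken for a child of "/x/shared".
func within(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// Allow decides whether the app may open the requested path and returns the
// resolved absolute path. Relative requests are resolved against the private
// directory, and ".." components are collapsed before the decision, so a request
// such as "../../../../1000-enterprise/..." cannot climb out of the sandbox.
// A real enforcement point would also resolve symbolic links against the live
// file system before deciding; this model works on the path string only.
func (s Sandbox) Allow(requested string) (bool, string) {
	p := requested
	if !filepath.IsAbs(p) {
		p = filepath.Join(s.Private, p)
	}
	p = filepath.Clean(p)
	return within(s.Private, p) || within(s.Shared, p), p
}

func main() {
	app := Sandbox{ // assumed layout for an app installed in the personal space
		Private: "/accounts/1000/appdata/com.example.notes/data",
		Shared:  "/accounts/1000/shared",
	}
	for _, req := range []string{
		"notes.db",                                               // own data: allowed
		"../../../shared/documents/report.txt",                   // public folder of its own space: allowed
		"/accounts/1000/appdata/com.example.other/data/tokens",   // another app's sandbox: denied
		"/accounts/1000/shared-x/secret",                         // sibling that merely shares a prefix: denied
		"../../../../1000-enterprise/shared/documents/plan.docx", // the work space: denied
		"/etc/passwd",                                            // system files: denied
	} {
		ok, resolved := app.Allow(req)
		fmt.Printf("%-5v %s\n", ok, resolved)
	}
}
```

The check is deliberately built on filepath.Rel instead of strings.HasPrefix: a prefix test would accept /accounts/1000/shared-x as if it were inside /accounts/1000/shared, which is the classic confinement bug.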

App access permissions

The access permissions for apps are designed so that users control the information that work and personal apps can access. For example, work apps can access personal files, and personal apps can access work contact data, only if the user allows it. Users set application permissions when they install an app and, for some permissions, can change them afterwards.

Application permissions also let users control whether information can be transferred from their device, such as over an Internet or Bluetooth connection.

App vetting

You need to know how apps collect data, how they use and store it, and who can access it. Our app vetting processes and privacy notices play a key role in protecting your data and securing users’ identities.

To vet apps, we use BlackBerry Guardian, a program that combines automated and manual analysis with Trend Micro Mobile App Reputation Service. BlackBerry Guardian continuously monitors apps submitted to BlackBerry World to help protect you from malware and privacy issues.

BlackBerry Guardian checks for apps that do not adequately inform users how they access and use personal data. Personal data can include highly sensitive information such as account details, unique device information, geolocation data, and user-generated content.

When BlackBerry Guardian identifies a suspicious app, we investigate and take whatever action is needed to protect you. We can deny the app or remove it from BlackBerry World and issue a privacy notice.

In BlackBerry 10 OS version 10.3.0 and later, BlackBerry Guardian automatically checks all Android apps that customers install. This includes apps from the Amazon Appstore and apps installed from other sources. If a suspicious app is detected, the user can choose to proceed or cancel the installation.


Data at rest protection

BlackBerry 10 supports various methods that you can use to keep data private and secure while it is stored on the device. Some of those methods are:

• Password authentication

• Two-factor authentication

• Data encryption

Password authentication

BlackBerry 10 devices allow you and your users to set passwords to protect work and personal data. Users with BlackBerry Balance devices can have both device and work space passwords, and any users who employ personal data encryption must have a device password.

In an end-to-end BlackBerry solution, you have multiple options to enforce stronger password use. Your options include requiring that the device and work space passwords are different and that passwords meet minimum complexity and expiration requirements. You also have management options for lost devices including locking a device remotely and forcing a password reset.

Two-factor authentication

BlackBerry 10 devices support the use of smart cards for two-factor authentication. Two-factor authentication requires users to prove their identities by demonstrating two factors:

• Something they have (the smart card)

• Something they know (the smart card password)

After a smart card is paired with a device, a user can use it to unlock the device and access data. On regulated BlackBerry Balance and work space only devices, you can control whether two-factor authentication is required to access the work space.

Data encryption

In addition to encrypting data in transit, BlackBerry 10 can encrypt data at rest on the device. The device uses a secret key to encrypt data as it is written to storage and decrypts it as the user accesses it. Data is encrypted using AES-256, a symmetric algorithm (the same key encrypts and decrypts), which we also use to encrypt data in transit.


On a BlackBerry Balance device, work space data must be encrypted. Users can choose to encrypt both the personal space and media card data. If you use BlackBerry Balance technology, you can require that the personal space and the media card data be encrypted.


BBM

BBM is a messaging app that uses your wireless service plan or Wi-Fi network. Users can use BBM to chat and share files in real-time with other people who have the BBM app installed on their devices. To connect with more people at the same time, users can collaborate on task lists, appointments, and pictures using a BBM group, or join a BBM channel to share data and comments.

In addition to being cost-effective, BBM has security built into it, which makes it an ideal IM app for organizations concerned with data leaks or attacks.

We protect BBM using authentication and encryption:

• Users must authenticate using a valid BlackBerry ID before they can use BBM

• Communication is encrypted using TLS, regardless of whether the recipient device runs BlackBerry 10 or BlackBerry 7.1 or earlier

• Communication between BlackBerry devices is additionally encrypted with a BBM encryption key (a 168-bit Triple DES key). Note that Triple DES provides roughly 112 bits of effective security rather than 168, because of meet-in-the-middle attacks on the three-key construction.

If your organization needs to comply with regulations that require you to monitor BBM messages, you can activate regulated BlackBerry Balance or work space only devices.

For more information about the security of BBM, see the BBM Security Note.

BBM Protected

BBM Protected provides an additional layer of security to your organization that's transparent to your users. BBM uses BBM Protected encryption when sending messages to other devices that have BBM Protected installed, and uses default BBM encryption for all other devices.

Because BBM Protected uses FIPS 140-2 validated cryptographic libraries and advanced ECC encryption, it’s ideal for organizations in highly regulated environments that still want to allow their employees to keep in touch using an IM app. You can install BBM Protected on BlackBerry Balance, regulated BlackBerry Balance, and work space only devices.


For more information about the security of BBM Protected, see the BBM Protected Security Note.


BlackBerry Protect

Data isn’t private if it can walk away in someone’s back pocket. BlackBerry Protect allows users to safeguard their device and data in situations where the device is lost or stolen. A user who chooses to use BlackBerry Protect has several options to locate the device. If the user cannot locate the device, stronger steps can keep the data safe from an unauthorized user.

To locate a lost device, BlackBerry Protect allows a user to:

• View the current location of the device on a map

• Make the device ring even if it's in silent mode

• Display a custom message on the locked device to provide contact instructions

To protect a stolen device, a user can perform the following actions:

• Remotely lock it

• Change the password

• Delete all of the data from the device

If devices are lost or stolen, administrators can also perform many of these tasks using BES10.


Conclusion

Because so many people are using mobile devices for business communication and to share sensitive data, mobile security is a vital concern for all organizations. We’ve produced a mobile platform that can meet and exceed your security requirements and be an important tool in your success.

The following table provides a summary of the security benefits we’ve added to different components of our solution.

Supply chain

• BlackBerry 10 devices use hardware-based keys (that is, keys burned into the device silicon) that allow for tracking, verifying, and provisioning devices during the manufacturing process, establishing a hardware root of trust, and authenticating the device to our network to prove that it is genuine.

Hardware

• BlackBerry 10 hardware is hardened: no test points are exposed and hardware traces are buried.

• The bootloader verification process uses digital signatures that are installed during the manufacturing process.

• The base file system is read-only.

Operating system

• The microkernel OS includes mitigations against memory corruption, limits the processes that run as root, and isolates processes from one another.

• The bootloader checks the integrity of the OS when the device starts.

• The OS includes strong cryptographic libraries that are FIPS 140-2 validated.

• BlackBerry Balance provides data separation and allows hybrid applications.

BlackBerry Infrastructure

• Device authentication with the BlackBerry Infrastructure uses keys that are created during manufacturing.

• The connection between devices and your network uses AES-256 encryption.

• A single connection, initiated outbound from BES10 to the BlackBerry Infrastructure, carries the traffic for all of your devices, so your firewall does not need to accept inbound connections for them.

BES10

• BES10 provides a secure connection into your network.

• BES10 includes a hierarchy of control capabilities from BlackBerry Balance to work space only.

• The device authenticates all administration commands.

• You have control over which apps can access your information.


Glossary

AES Advanced Encryption Standard

AES-CCMP Advanced Encryption Standard Counter Mode with CBC-MAC Protocol

BSP board support package

BYOD bring your own device

CA certification authority

certificate A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has a corresponding private key that is stored separately. A certification authority (CA) signs the certificate to indicate that it is authentic and can be trusted.

COBO corporate-owned, business only

COPE corporate-owned, personal enabled

EAP Extensible Authentication Protocol

EAP-AKA Extensible Authentication Protocol Authentication and Key Agreement

EAP-FAST Extensible Authentication Protocol Flexible Authentication via Secure Tunneling

EAP-GTC Extensible Authentication Protocol Generic Token Card

EAP-SIM Extensible Authentication Protocol Subscriber Identity Module

EAP-TLS Extensible Authentication Protocol Transport Layer Security

EAP-TTLS Extensible Authentication Protocol Tunneled Transport Layer Security

ECC Elliptic Curve Cryptography

EMM Enterprise Mobility Management

FIPS Federal Information Processing Standards

GPS Global Positioning System

IEEE Institute of Electrical and Electronics Engineers

IPsec Internet Protocol Security

LDAP Lightweight Directory Access Protocol

MS-CHAP Microsoft Challenge Handshake Authentication Protocol

NFC Near Field Communication

PEAP Protected Extensible Authentication Protocol

PIV Personal Identity Verification


RTOS real-time operating system

SMB small and medium-sized business

SMS Short Message Service

SSL Secure Sockets Layer

TKIP Temporal Key Integrity Protocol

TLS Transport Layer Security

Triple DES Triple Data Encryption Standard

VPN virtual private network

WEP Wired Equivalent Privacy

WPA Wi-Fi Protected Access


Legal notice

©2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world.

Android is a trademark of Google Inc. Bluetooth is a trademark of Bluetooth SIG. Cascades is a trademark of The Astonishing Tribe. IEEE, 802.1X, and 802.11 are trademarks of the Institute of Electrical and Electronics Engineers, Inc. Microsoft and ActiveSync are trademarks of Microsoft Corporation. QNX and Neutrino are trademarks of QNX Software Systems GmbH & Co. KG. Wi-Fi, WPA, and WPA2 are trademarks of the Wi-Fi Alliance. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available at www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.


BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7

BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom

Published in Canada
