BlackBerry Overview
Overview
The BlackBerry® Security Knowledge Base contains a wealth of information on all aspects of BlackBerry Security.
FAQ
Answers to the most common Security questions
White Papers
Detailed Security technical overviews and best practices
Articles
Short, informational articles on various Security topics
How To Guides
Step-by-step guides to configuring and activating common Security settings and functions
Support Issues
Detailed information on common Security support issues
FAQ
- Is it necessary to use S/MIME or PGP® to make the BlackBerry® Enterprise Solution secure?
- What are the differences between S/MIME and PGP? Which one should we invest in?
- Does my BlackBerry® smartphone need anti-virus software?
- Can the security settings on the BlackBerry smartphone be customized?
- What happens if a BlackBerry smartphone is lost or stolen?
- What if someone steals a BlackBerry smartphone, changes the software and then returns it?
- Why are BlackBerry messages routed through the BlackBerry® Infrastructure?
- Are BlackBerry smartphones NSA Suite B ready?
Is it necessary to use S/MIME or PGP to make the BlackBerry Enterprise Solution secure?
All messages sent between BlackBerry smartphones and the BlackBerry® Enterprise Server are encrypted. That transport encryption ends at the BlackBerry Enterprise Server, however: once the corporate mail server forwards a message beyond the corporate firewall, it travels over the Internet without BlackBerry encryption, exactly as an unencrypted message sent from a desktop or laptop computer would.
S/MIME and PGP provide end-to-end (sender-to-recipient) security, from the moment a message leaves a BlackBerry smartphone to the moment it reaches its destination. Because the message body itself is encrypted and signed, it cannot be read or modified anywhere along the way, including on intermediate mail servers.
What are the differences between S/MIME and PGP? Which one should we invest in?
S/MIME and PGP both allow you to sign and encrypt messages to ensure confidentiality, integrity and authentication. The key difference is that they use different trust models. A trust model is a way of representing whether or not someone should be trusted, based on their relationships with other trusted entities.
S/MIME uses a hierarchical "tree" trust model based on an existing Public Key Infrastructure (PKI). Root Certificate Authorities issue certificates to other Certificate Authorities (CAs) as well as to individuals. Those CAs in turn can issue their own certificates to other CAs and individuals. A certificate, and therefore the person or group it names, is trusted only if it chains up through CAs to a Root CA that you already trust.
PGP uses a flat "web of trust" model. Users generate their own keys, and trust is established by other users certifying (signing) those keys. A key does not need to be traceable to a trusted Root CA in order to be trusted: it is accepted if it has been signed by people whose keys you already trust as introducers, for instance a fully trusted colleague or several partially trusted contacts. Organizations can still run a central key-signing authority for PGP, but that is a deployment choice rather than a requirement of the model.
Each trust model has its benefits and drawbacks. The biggest factor in deciding whether to invest in S/MIME or PGP security is your company standards (i.e., what you use on your desktop) and those of your partners and close contacts. Currently, a person using S/MIME cannot send an encrypted message to someone using PGP and vice-versa.
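The two decision rules described above, side by side, as an added example written for this page rather than code from BlackBerry or from any S/MIME or PGP implementation. Certificates and key signatures are modelled as plain records with constructed names; there is no real cryptography here, only the trust evaluation. The web-of-trust rule uses the classic PGP thresholds (one fully trusted introducer, or three marginally trusted ones) and, as a simplification, assumes the introducers' own keys are already valid.

```python
"""Hierarchical (S/MIME) vs web-of-trust (PGP) trust evaluation.

Added illustration. Names, certificates and signatures below are constructed
sample data, not real identities or keys."""
from __future__ import annotations
from dataclasses import dataclass, field

# --- S/MIME style: hierarchical PKI -----------------------------------------
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # subject name of the CA that signed this certificate
    is_ca: bool = False  # may this certificate issue other certificates?

def chain_to_trusted_root(leaf: Cert, store: dict[str, Cert],
                          trusted_roots: set[str], max_depth: int = 8) -> bool:
    """Walk issuer links upward from the leaf. The leaf is trusted only if
    the walk ends at a self-signed root in trusted_roots and every
    certificate on the way is allowed to act as a CA."""
    cert, depth, seen = leaf, 0, set()
    while depth < max_depth:
        if cert.subject in trusted_roots and cert.issuer == cert.subject:
            return True
        if cert.subject in seen:
            return False                       # loop: never reached a root
        seen.add(cert.subject)
        issuer = store.get(cert.issuer)
        if issuer is None or not issuer.is_ca:
            return False                       # unknown issuer, or not a CA
        cert, depth = issuer, depth + 1
    return False

# --- PGP style: web of trust -------------------------------------------------
FULL, MARGINAL = "full", "marginal"

@dataclass
class Key:
    owner: str
    signed_by: set[str] = field(default_factory=set)  # owners who certified it

def web_of_trust_valid(key: Key, my_trust: dict[str, str],
                       completes_needed: int = 1, marginals_needed: int = 3) -> bool:
    """Classic PGP rule: a key is valid if certified by at least one fully
    trusted introducer, or by enough marginally trusted introducers.
    Simplification: introducers' own keys are assumed to be valid already."""
    full = sum(1 for s in key.signed_by if my_trust.get(s) == FULL)
    marginal = sum(1 for s in key.signed_by if my_trust.get(s) == MARGINAL)
    return full >= completes_needed or marginal >= marginals_needed

def demo() -> dict[str, bool]:
    """Constructed sample data exercising both models."""
    store = {
        "Corp Root": Cert("Corp Root", "Corp Root", is_ca=True),
        "Corp Issuing CA": Cert("Corp Issuing CA", "Corp Root", is_ca=True),
        "alice@example.com": Cert("alice@example.com", "Corp Issuing CA"),
        # issued by an end-entity certificate, which must not act as a CA
        "eve@example.com": Cert("eve@example.com", "alice@example.com"),
        # chains to a root we do not have / do not trust
        "mallory@example.com": Cert("mallory@example.com", "Other Root"),
    }
    roots = {"Corp Root"}
    my_trust = {"bob": FULL, "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}
    return {
        "alice_smime": chain_to_trusted_root(store["alice@example.com"], store, roots),
        "eve_smime": chain_to_trusted_root(store["eve@example.com"], store, roots),
        "mallory_smime": chain_to_trusted_root(store["mallory@example.com"], store, roots),
        "dan_pgp": web_of_trust_valid(Key("dan", {"bob"}), my_trust),
        "fran_pgp": web_of_trust_valid(Key("fran", {"carol", "dave", "erin"}), my_trust),
        "gus_pgp": web_of_trust_valid(Key("gus", {"carol", "dave"}), my_trust),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'trusted' if ok else 'NOT trusted'}")
```

The contrast the answer draws shows up in the two failure cases: `mallory` fails under S/MIME purely because her chain does not reach a root in the trust store, while `gus` fails under PGP because two marginal introducers are not enough, even though nobody in the web is a CA at all.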
Does my BlackBerry smartphone need anti-virus software?
Preventing malicious programs such as viruses, trojans, worms and spyware (collectively referred to as "malware") consists of two parts: detection and containment.
Detection is the process of determining whether a program is malicious (i.e., malware). Effectively detecting malware is very difficult. It requires a large, frequently updated, local database or a constant connection to an online database. While desktop computers can satisfy these requirements, mobile devices cannot. Mobile devices do not have enough storage space to hold a malware database and a constant connection to the Internet cannot be guaranteed.
Containment is the process of preventing a malicious program from causing damage once it has appeared. Containment is relatively easy. It simply requires controlling access to the device software and other applications on the device.
The BlackBerry solution focuses on containing malicious programs. The BlackBerry software and all of the core applications are digitally signed to ensure integrity and control access to the Application Programming Interfaces (APIs). Thus, the core BlackBerry functionality cannot be directly accessed by other applications.
In addition, BlackBerry Enterprise Server comes with 19 application control policies that allow the administrator to limit which applications can access internal or external domains, make network connections, access the phone, access email messages, etc. The administrator can also prevent the downloading of third-party applications, the use of the device ports or the storing of data on the device.
Can the security settings on the BlackBerry smartphone be customized?
Yes, the BlackBerry Enterprise Server comes with over 200 IT policies that allow administrators to customize and enforce device-side security settings. IT policies are delivered and enforced wirelessly. They are digitally signed to ensure integrity and cannot be changed or disabled by BlackBerry smartphone users. For more information, see the BlackBerry Enterprise Server Policy Reference Guide (PDF).
What happens if a BlackBerry smartphone is lost or stolen?
We recommend that all users protect their BlackBerry smartphones with a password that must be entered to unlock and use the smartphone. This can be enabled by the user through the Security Options menu on the smartphone or enforced with the "Password Required" IT policy on the BlackBerry Enterprise Server. The smartphone can be set to automatically lock at specified time intervals (e.g., every 30 minutes) and can also be set to lock whenever it is holstered.
If Content Protection is enabled on the smartphone, user data on the smartphone is stored encrypted using AES-256 under a key that is only available once the smartphone password has been entered. Thus, even if someone reads the user data directly from the device hardware, the data cannot be decrypted without the smartphone password. The protection is therefore only as strong as the password itself, which is why the password length and maximum password attempt IT policies matter.
Users with the BlackBerry® Smart Card Reader enjoy an extra level of protection. The smartphone can be configured to automatically lock when the BlackBerry Smart Card Reader is outside of Bluetooth® communication range (normally around 30 feet). This gives proximity access control for the BlackBerry smartphone.
A lost or stolen BlackBerry smartphone can also be remotely locked or even erased by the BlackBerry Enterprise Server administrator*, provided that the server can communicate with the smartphone. The administrator can also remotely change the smartphone password and delete applications from the smartphone.
What if someone steals a BlackBerry smartphone, changes the software and then returns it?
Each time a BlackBerry smartphone boots up, the Boot ROM checks the authenticity of the Java® Virtual Machine and the Operating System. The Java Virtual Machine then checks the integrity of the BlackBerry software. If any of these checks fail, the smartphone does not boot up.
In order to successfully change the BlackBerry software, an unauthorized user would need to change the Boot ROM, which is non-trivial and requires access to the device hardware. Thus, the device software cannot be changed without access to the hardware. In addition to requiring proprietary knowledge, accessing the hardware leaves behind evidence that the smartphone has been tampered with.
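The staged check described in this answer, as an added illustration written for this page and not BlackBerry firmware. The real device verifies the authenticity of each stage from an immutable Boot ROM; this model replaces signatures with a pinned SHA-256 digest that each stage holds for the stage it verifies, which is enough to show why replacing one layer without also replacing its verifier, all the way down to the Boot ROM, causes the boot to stop. Stage names and image contents are constructed.

```python
"""Hash-pinned boot chain: Boot ROM -> OS/JVM -> BlackBerry software.

Added illustration; digests stand in for the device's signature checks."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Stage:
    name: str
    image: bytes
    expected_next: str | None   # digest this stage pins for the stage after it

class BootFailure(Exception):
    pass

def boot(chain: list[Stage], rom_pin: str) -> list[str]:
    """The Boot ROM (immutable; holds rom_pin) verifies chain[0]; each
    stage then verifies the next. Returns the stages that booted, or raises
    BootFailure at the first stage whose digest does not match."""
    booted, expected = [], rom_pin
    for stage in chain:
        actual = sha256(stage.image)
        if actual != expected:
            raise BootFailure(f"{stage.name}: digest {actual[:12]} != pinned {expected[:12]}")
        booted.append(stage.name)
        expected = stage.expected_next
    return booted

def build_chain(os_code: bytes, app_code: bytes) -> tuple[list[Stage], str]:
    """Build a consistent chain and return it with the pin the Boot ROM
    would hold. The OS/JVM image embeds the digest of the application
    layer, so changing the application changes the OS image too."""
    app = Stage("BlackBerry software", app_code, None)
    os_image = os_code + b"\n# pin: " + sha256(app_code).encode()
    os_stage = Stage("OS + JVM", os_image, sha256(app_code))
    return [os_stage, app], sha256(os_image)

def scenarios() -> dict[str, object]:
    """Clean boot, then two tampering attempts against the same Boot ROM pin."""
    chain, rom_pin = build_chain(b"os v1", b"app v1")
    results: dict[str, object] = {"clean": boot(chain, rom_pin)}

    # 1. Attacker replaces only the application layer.
    app_swapped = [chain[0], Stage("BlackBerry software", b"app v1 + backdoor", None)]
    # 2. Attacker replaces OS and application and re-pins the application
    #    inside the new OS image, but cannot change the Boot ROM's pin.
    os_and_app_swapped, _ = build_chain(b"os v1 + backdoor", b"app v1 + backdoor")

    for label, c in (("app_swapped", app_swapped),
                     ("os_and_app_swapped", os_and_app_swapped)):
        try:
            boot(c, rom_pin)
            results[label] = "booted"
        except BootFailure as err:
            results[label] = "refused at " + str(err).split(":")[0]
    return results

if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:20s} {outcome}")
```

The second scenario is the one the answer is about: an attacker who rewrites everything above the Boot ROM is still caught at the very first check, because the pin the ROM holds did not change. Only an attacker who also modifies the Boot ROM, which here means the hardware, can get a modified chain to boot.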
Why are BlackBerry messages routed through the BlackBerry Infrastructure?
All messages sent to and from BlackBerry smartphones are routed through the BlackBerry Infrastructure. This spreads the cost of maintaining multiple redundant connections to wireless carriers around the world across all customers, instead of requiring each BlackBerry Enterprise Server to connect to every carrier. It also simplifies wireless deployment for customers and allows the protocols to be optimized for wireless environments.
Some customers are not comfortable with the idea of their messages going through the BlackBerry Infrastructure. It is important to remember that every message sent through the Infrastructure is encrypted between the BlackBerry Enterprise Server and the smartphone using Triple DES or AES-256 (AES is the recommended choice; see the article on Triple DES versus AES for transport layer encryption). Messages are encrypted with the customer's own per-device keys, which are stored only in the BlackBerry Enterprise Server and on the BlackBerry smartphone. The Infrastructure relays the ciphertext; its operators do not have access to the customer keys and therefore cannot see the content of any message.
Are BlackBerry smartphones NSA Suite B ready?
Yes, all in-market BlackBerry smartphones support the NSA Suite B algorithms.
*Certain features outlined herein require a minimum version of BlackBerry Enterprise Server software.
White Papers
The following is a list of Security White Papers available on our website. All of the resources listed below are found in the BlackBerry® Technical Solution Center.
Technical Overviews
- BlackBerry® Enterprise Solution Security (PDF)
- BlackBerry® Smart Card Reader Security (PDF)
- S/MIME Support Package Security (PDF)
- PGP® Support Package Security (PDF)
White Papers
- BlackBerry Enterprise Server IT Policy and Administration (PDF)
- BlackBerry Wireless Enterprise Activation (PDF)
- Security for BlackBerry Devices with Bluetooth® Wireless Technology (PDF)
- BlackBerry Enterprise Solution and RSA SecurID® (PDF)
- Fraunhofer SIT Analysis of BlackBerry Bluetooth Security (PDF)
Best Practices
Articles
The following is a list of Security articles available on our website. All of the resources listed below are found in the BlackBerry® Technical Solution Center.
General
BlackBerry Enterprise Server
- Comparing BlackBerry® Internet Service and BlackBerry® Enterprise Server features
- Default port security for BlackBerry Enterprise Server connection
- Stages of enterprise activation
- BlackBerry Enterprise Server management of user information when a user is moved or removed
- BlackBerry® Mobile Data System security
- SRP Identifier and SRP Authentication Key
- SRP Identifier and SRP Authentication key location
BlackBerry Internet Service
- Comparing BlackBerry Internet Service and BlackBerry Enterprise Server features
- BlackBerry Internet Service email security
- What HTTP ports are accessible through BlackBerry Internet Browsing Service?
Encryption
- What are encryption keys?
- Recommendation on the use of Triple DES or AES for BlackBerry transport layer encryption
- Encryption Requirements for BlackBerry® Connect™ and BlackBerry Built-In™
- Lotus Notes® encryption support
- Media card encryption modes using the BlackBerry® 8800 smartphone
IT Policy
How To Guides
The following is a list of Security How To Guides available on our website. All of the resources listed below are found in the BlackBerry® Technical Solution Center.
General
BlackBerry Smartphone
- Verify security software
- How to change the password on the BlackBerry device
- How to reset the password on the BlackBerry device
- Clear the Email Messages database
- How to delete all data, or all data and applications on the BlackBerry device
- Prevent Bluetooth® device discovery when within range
- Unlock a BlackBerry device that is using a BlackBerry® Smart Card Reader
- How to enable SIM card security
- Push password prompt to the device during least cost routing
BlackBerry Enterprise Server
- Set the wireless enterprise activation password
- Configure PIN-to-PIN encryption on the BlackBerry® Enterprise Server
- Remove encryption keys from user mailbox
- How to remove encryption keys from the BlackBerry Enterprise Server
- How to turn off messaging server storage of BlackBerry device master encryption keys
- Locate the SRP ID and SRP Authentication Key
IT Policy
- Create, Assign, View and Send IT policies
- Use the Erase Data and Disable Handheld command
- Configure the Duress Notification Policy
- Use Application Control instead of split pipe prevention policy
- Import IT policy rules for BlackBerry® Device Software 4.2
BlackBerry Internet Service
BlackBerry Desktop Manager
Support Issues
The following is a list of BlackBerry® Security support articles available on our website. All of the resources listed below are found in the BlackBerry Technical Solution Center.
BlackBerry Smartphone
- Unable to disable password
- Cannot close the handheld password dialog box
- Device Disabled by Security Violation – Please consult user guide
- Encryption failure: please connect handheld to your PC
- Transaction error – decryption error
- Please enter a valid password
BlackBerry Enterprise Server
- Not prompted to generate encryption key
- Enterprise Activation fails after verifying encryption
- User does not receive an email activation password
- Remove encryption key command is not sent to BlackBerry devices
- Forwarding rule prevents wireless Enterprise Activation and Encryption key regeneration
- Message is encrypted
BlackBerry Internet Service
- User ID and password are invalid
- Receiving SPAM to an integrated email address
- Spam and Virus filtering of BlackBerry® Internet Service email
BlackBerry Desktop Manager
- Prompted for a password by the BlackBerry® Desktop Manager
- Desktop manager prompts to generate encryption keys for an activated handheld
IT Policy
- IT Policies cannot be removed from the device
- IT policy rejected during Enterprise Activation
- Users added to the BlackBerry® Enterprise Server are not added to an IT Policy
- Application Error when removing an IT policy
- IT Policy Error status
- Maximum Password Attempts are decreased by half when Duress Notification Address is enabled
