Overview

The BlackBerry® security knowledge base contains a wealth of information on all aspects of the security of the BlackBerry solution.

FAQ
Answers to the most common security questions

White Papers
Detailed security technical overviews and best practices

Articles
Short, informational articles on various security topics

How To Guides
Step-by-step guides to configuring and activating common security settings and functions

Support Issues
Detailed information on common security support issues

 

FAQ

What steps should I take before buying or selling a previously owned BlackBerry device?

Before selling, or after buying, a previously owned BlackBerry smartphone, there are important steps to take to make sure personal information is kept secure and the BlackBerry smartphone will function properly for the purchaser.

Is it necessary to use S/MIME or PGP to make the BlackBerry Enterprise Solution secure?

All messages sent between BlackBerry smartphones and the BlackBerry® Enterprise Server are encrypted. However, once a message goes to the mail server outside the corporate firewall, it’s sent over the Internet. This is exactly what happens when you send an unencrypted message from a desktop or laptop computer.

The S/MIME and PGP solutions provide sender-to-recipient security from the moment a message leaves a BlackBerry smartphone to the moment it reaches its destination. This ensures the message cannot be read or modified anywhere along the way.

What are the differences between S/MIME and PGP? Which one should we invest in?

Both S/MIME and PGP allow you to sign and encrypt messages to ensure confidentiality, integrity and authentication. The key difference is they use different trust models. A trust model is a way of representing whether or not someone should be trusted, based on their relationships with other trusted entities.

S/MIME uses a hierarchical tree trust model based on an existing Public Key Infrastructure (PKI). Root Certificate Authorities issue certificates to other Certificate Authorities (CAs) as well as to individuals. Those CAs in turn can issue their own certificates to other CAs and individuals. A person or group is trusted only if the Root CA is trusted.

PGP uses a planar web of trust model. Root CAs issue PGP keys to other CAs and individuals. However, a key doesn’t need to be traceable to a trusted Root CA to be trusted. For instance, a key can be trusted based on its relationship with an intermediary CA or other individuals.

Each trust model has its benefits and drawbacks. The biggest factor in deciding whether to invest in S/MIME or PGP security is your company standards (i.e., what you use on your desktop) and those of your partners and close contacts. Currently, a person using S/MIME can’t send an encrypted message to someone using PGP and vice-versa.
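
The two trust decisions described above, as an added example that is not BlackBerry code: a simplified model in which signatures are assumed to be already verified, and all entity names, the sample data and the hop limit are constructed for illustration.

```python
from collections import deque

# Constructed sample data; every name here is hypothetical.
ISSUER_OF = {  # hierarchical model: each certificate has exactly one issuer
    "RootCA": "RootCA", "DeptCA": "RootCA", "alice": "DeptCA",
    "OtherRoot": "OtherRoot", "PartnerCA": "OtherRoot", "bob": "PartnerCA",
}
CAS = {"RootCA", "DeptCA", "OtherRoot", "PartnerCA"}  # entities allowed to issue
SIGNERS_OF = {  # web of trust: a key may carry signatures from several parties
    "bob": ["PartnerCA", "alice"], "PartnerCA": ["OtherRoot"],
    "carol": ["bob"], "dave": ["mallory"],
}

def hierarchical_trusted(subject, trusted_roots, max_depth=8):
    """Walk issuer links upward; trust only if the chain ends at a trusted root."""
    current = subject
    for _ in range(max_depth):
        issuer = ISSUER_OF.get(current)
        if issuer is None or issuer not in CAS:
            return False              # unknown issuer, or issued by a non-CA
        if issuer == current:         # self-issued certificate: top of the tree
            return current in trusted_roots
        current = issuer
    return False                      # chain too long or looping

def web_trusted(subject, trusted_keys, max_hops=2):
    """Breadth-first search over signatures for any key the verifier trusts."""
    seen, frontier = {subject}, deque([(subject, 0)])
    while frontier:
        key, hops = frontier.popleft()
        if key in trusted_keys:
            return True               # reached a key the verifier trusts directly
        if hops < max_hops:
            for signer in SIGNERS_OF.get(key, ()):
                if signer not in seen:
                    seen.add(signer)
                    frontier.append((signer, hops + 1))
    return False
```

With only RootCA trusted, bob's certificate is rejected under the hierarchical check, while the web-of-trust check accepts bob's key as soon as the verifier trusts PartnerCA or alice directly.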

Does my BlackBerry smartphone need anti-virus software?

Preventing malicious programs such as viruses, trojans, worms and spyware (collectively referred to as malware) consists of two parts: detection and containment.

Detection is the process of determining whether a program is malicious (i.e., malware). Effectively detecting malware is very difficult. It requires a large, frequently updated, local database or a constant connection to an online database. While desktop computers can satisfy these requirements, mobile devices can’t. Mobile devices don’t have enough storage space to hold a malware database and a constant connection to the Internet can’t be guaranteed.

Containment is the process of preventing a malicious program from causing damage once it has appeared. Containment is relatively easy. It simply requires controlling access to the device software and other applications on the device.

The BlackBerry solution focuses on containing malicious programs. The BlackBerry software and core applications are digitally signed to ensure integrity and control access to the Application Programming Interfaces (APIs). Thus, the core BlackBerry functionality can’t be directly accessed by other applications.

In addition, BlackBerry Enterprise Server comes with 19 application control policies that allow the administrator to limit which applications can access internal or external domains, make network connections, access the phone, access email messages, etc. The administrator can also prevent the downloading of third-party applications, the use of the device ports or the storing of data on the device.

Can the security settings on the BlackBerry smartphone be customized?

Yes, the BlackBerry Enterprise Server comes with over 400 IT policies that allow administrators to customize and enforce device-side security settings. IT policies are delivered and enforced wirelessly. They’re digitally signed to ensure integrity and can’t be changed or disabled by BlackBerry smartphone users. View the BlackBerry Enterprise Server Policy Reference Guide (PDF)

What happens if a BlackBerry smartphone is lost or stolen?

We recommend all users protect their BlackBerry smartphones with a password that must be entered to unlock and use the smartphone. This can be enabled by the user through the Security Options menu on the smartphone or enforced with the Password Required IT policy on the BlackBerry Enterprise Server. The smartphone can be set to automatically lock at specified time intervals (e.g., every 30 minutes) and can also be set to lock whenever it’s holstered.

If Content Protection is enabled on the smartphone, then user data on the smartphone is stored encrypted using AES-256. Thus, even if someone reads the user data directly from the device hardware, there’s no way to decrypt the data without the smartphone password.

Users with the BlackBerry® Smart Card Reader enjoy an extra level of protection. The smartphone can be configured to automatically lock when the BlackBerry Smart Card Reader is outside of Bluetooth® communication range (normally around 30 feet). This gives proximity access control for the BlackBerry smartphone.

A lost or stolen BlackBerry smartphone can also be remotely locked or even erased by the BlackBerry Enterprise Server administrator [1], provided the server can communicate with the smartphone. The administrator can also remotely change the smartphone password and delete applications from the smartphone.

What if someone steals a BlackBerry smartphone, changes the software and then returns it?

Each time a BlackBerry smartphone boots up, the Boot ROM checks the authenticity of the Java® Virtual Machine and Operating System. The Java Virtual Machine then checks the integrity of the BlackBerry software. If any of these checks fail, the smartphone doesn’t boot up.

To successfully change the BlackBerry software, an unauthorized user would need to change the Boot ROM, which is non-trivial and requires access to the device hardware. Thus, the device software can’t be changed without access to the hardware. In addition to requiring proprietary knowledge, accessing the hardware leaves behind evidence the smartphone has been tampered with.
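
A staged boot check of the kind described above, as an added example that is not BlackBerry code: SHA-256 digests stand in for the digital signature checks, and the image names, image layout and function names are hypothetical.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def build_jvm(code: bytes, software: bytes) -> bytes:
    """JVM image = its code plus the reference digest of the software it verifies."""
    return code + b"|" + digest(software).encode()

def provision_rom(images: dict) -> dict:
    """Reference values fixed in the Boot ROM at manufacture (treated as immutable)."""
    return {name: digest(images[name]) for name in ("os", "jvm")}

def boot(images: dict, rom_refs: dict):
    """Return None on a clean boot, else the name of the first stage that fails."""
    for name in ("os", "jvm"):                      # stage 1: Boot ROM checks
        if digest(images[name]) != rom_refs[name]:
            return name
    embedded = images["jvm"].rsplit(b"|", 1)[1].decode()
    if digest(images["software"]) != embedded:      # stage 2: JVM check
        return "software"
    return None

def demo():
    # Constructed sample images.
    good = {"os": b"os-v1", "software": b"apps-v1"}
    good["jvm"] = build_jvm(b"jvm-v1", good["software"])
    rom = provision_rom(good)
    tampered = dict(good, software=b"apps-v1-modified")
    # Rewriting the JVM's embedded reference only moves the failure one stage up.
    repatched = dict(tampered, jvm=build_jvm(b"jvm-v1", tampered["software"]))
    return boot(good, rom), boot(tampered, rom), boot(repatched, rom)
```

The third case shows why the Boot ROM is the anchor: modified software can only pass if the reference values held in the ROM are changed as well.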

Why are BlackBerry messages routed through the BlackBerry Infrastructure?

All messages sent to and from BlackBerry smartphones are routed through the BlackBerry Infrastructure. This helps amortize the cost of multiple redundant connections to carriers of the BlackBerry Enterprise Server around the world. It also helps simplify wireless for customers and optimize protocols for wireless environments.

Some customers aren’t comfortable with the idea of their messages going through the BlackBerry Infrastructure. It’s important to remember all messages sent through the BlackBerry Infrastructure are encrypted using state-of-the-art and industry-certified Triple DES or AES-256 encryption. All messages are encrypted with the customers' own keys, which are stored only in the BlackBerry Enterprise Server and BlackBerry smartphone. The operators of the BlackBerry Infrastructure don’t have access to the customer keys and therefore cannot see the content of any of the messages.

Are BlackBerry smartphones NSA Suite B ready?

Yes, all in-market BlackBerry smartphones support the NSA Suite B algorithms.

Do we need a VPN to secure the BlackBerry Enterprise Solution?

BlackBerry smartphones use mutual authentication and transport encryption to secure the connection to the BlackBerry Enterprise Server. These features provide the confidentiality, integrity and authentication of a Virtual Private Network (VPN).

[1] Certain features outlined herein require a minimum version of BlackBerry Enterprise Server software.

Articles

General

BlackBerry Enterprise Server

BlackBerry Internet Service

Encryption

IT Policy

How To Guides

General

BlackBerry Smartphone

BlackBerry Enterprise Server

IT Policy

BlackBerry Internet Service

BlackBerry Desktop Manager
