BlackBerry security revisited: How do the BB10’s stack up?

Following the ground up overhaul of the BlackBerry operating system and accompanying launch of their new flagship smartphones last year, we wondered how they really stack up–security wise–against the other smartphones you might already have in your pocket or purse right now. How do new devices running Blackberry 10–as the new OS is called–compare to last generation BlackBerry offerings which you may have found functional, if slightly dated and clunky.

Long lauded among stiff government security office types for being less security-breakable, the last generation of BlackBerry doo-dads garnered top marks from even some of the topmost brass in the U.S., favoring them over (almost) all else.

But that was several years back (practically decades in tech-years), and now even if you HAVE to have the app du jour with the dancing bunnies, will the new BlackBerry Z10/Q10 platforms fulfill your tech lust and yet securely watch your back?

BlackBerry hoped so, in fact they bet the company that a ground up rethink would tantalize the marketplace to jump back on the BlackBerry (er, Crackberry as addicts admit) bandwagon and have the masses singing their praises in short order.

But in the past years, the other folks in the marketplace have gotten little sleep, swarming to close the gap on security, trying to chip away at the perceived BlackBerry lead. So here’s what BlackBerry really did with this forklift overhaul of the stack, and what it means to you.

Ground up Redux

Betting that a ground up rework should start with a ground up OS rethink, the BlackBerry Limited folks (a rebirthed Research In Motion, or RIM) went to bare metal. Reinvisioning the new BlackBerry 10 operating system from experience gained from the older BlackBerry OS versions 1.0 through 7.1 and the acquisition of QNX, a real-time microkernel based Unix-like construct, they set to work.

Reimagining major chunks of the whole stack is not for the faint-at-heart, and certainly not for those who value sleep anytime soon. Still, aiming the company’s future at a newer, more robust (and arguably more secure) OS seemed a necessary, if difficult, way forward for the company attempting to swashbuckle its way back to center stage of the smartphone vanguard, albeit it with a security leaning in hopes of staying true to its core fan base.

Starting with a microkernel, aside from igniting techno-lust from fellow bare metal kernel freaks, is a nice way to isolate processes into tidy containers that can become pseudo-suspicious of each other, and therefore form the foundation for a stack of compartmentalized processes that follow the same model.

And QNX is no slouch here, a long tested real-time OS platform that has performed well for longer than some of BlackBerry’s engineers have probably been alive. And when an OS has had more than a couple decades to sort itself out and still trudges forward, it’s easy to have faith in the tiny, tested platform.

Shiny buttons = market share

In the North American market at least (and probably much of the rest of the markets BB is interested in re-courting), perception is reality. The average visitor to the mobile phone vendor in the mall doesn’t have the slightest idea if their phone has a kernel at all, let alone a micro one. So then BlackBerry would have to apply shiny blinky lights and buttons that felt amazing to even have a chance of getting this pile of technology in your shirt pocket. So while they redesigned the guts, a parallel group of people sat in other buildings working out how a button should “feel” if it is to become considered “elegant” and “pop”, whatever those terms mean to people who understand what “pop” is. But those people are the ones who buy smartphones and to them, texting and tweeting are as important as isolating mutually suspicious system processes is for us security types.

Somewhere there has to be an intersection of tech whiz-bang and shiny buttons if the platform is to succeed, and so BB attempted to join the two. How did they do? The verdict is still out, though slow sales are certainly the bane of corporate bean-counters and harbingers of the long slog that may be involved. Still, when’s the last headline you’ve seen of the BlackBerry 10 (or other BlackBerry platforms) being hacked? Me neither.

Containerizing your life, BlackBerry style

Admitting that many users lead parallel lives, BB containerized a work and non-work walled garden through “BlackBerry Balance”. Here, BlackBerry built it into the OS, so you don’t have to “bolt something on” to make it work. This feels like a more secure construct than an app-based afterthought.

They did this by separating the presentation and data layers, so while you can view both your work and personal emails on the BlackBerry Hub, you can’t cut-and-paste (for example) between your corporate account and personal email, a handy way to narrow down the leak potential between the two. There’s also a remote wipe feature, so if your employees use their own devices and this feature, you can retain control over sensitive corporate data if needed. And if they leave the company, you can wipe company data only, and leave their other “stuff” in place like friends’ endless LOL chatter. Oh, and there’s a pretty button to help end-users understand the boundary between business/personal data.

App Permissions

While most of the friends and family I know simply click on security warnings on their smartphones until they go away, the BB 10 has a fairly granular system of permissions which you can set, revoke, and tune at will. You also can control what information gets transferred across the Internet, or through Bluetooth communication, which could be very helpful.

Security in General

We talk a lot these days about securing the person, not the device. This is because a well-implemented secure-ish device typically has a wide open front door if there’s no password, weak password, or a host of other user-induced security holes. To that end, BB has a quick summary on their website for how to secure the human, which is nicely de-geekified for the average non-geek human. So make sure you set the correct permissions on yourself before setting to work on your BB 10 device.

Will bad guys attack you still?

Maybe, but scammers typically attack the most high value targets with the least amount of effort required on their part. This value proposition skews scammers heavily in favor of other platforms in today’s market. For instance, the adage that thieves want to “steal A car, not YOUR car” certainly applies here. Scammers can buy attack software suites for other platforms, I don’t know of any specifically targeted at BB 10, do you? If so, there are numerically far more for other target platforms.

Will some shady state-sponsored group this new mobile platform? That’s difficult to say, but again, the mobile ecosystem is much more widely studied for other platforms than the BB 10, so it seems likely you’d be at least slightly safer.

Conclusion

While there are a myriad of external (and internal factors) that may control the trajectory of the BB 10 operating system and its handsets’ future adoption, the security stance seems like a good start. While the winds of the market forces will blow where they may, it’s good to know a company like this had the foresight to revamp the whole stack in a thoughtful, security-focused way, and the guts to go for it. Now it’s your turn to decide. Leave us a comment with your thoughts.

Author Cameron Camp, ESET

  • ATInsider

    BB10 and BES10/12 provide superior anti-hacking and security bar none.
    Hopefully John Chen will do a much better job marketing BB10 to the masses. As it stands to date, BB10 is the most innovative superior mobile OS in existence. And the previous management did nothing to promote this basic fact.

    Go John Chen Go,

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

4 articles related to:
Hot Topic
25 Feb 2014
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.