Hacking the Blackberry
A few months ago, my boss plonked a box on my desk and said "see what you can do with that." That's how I was introduced to the Blackberry. I've been interested in all kinds of PDAs and mobile phones for years now, but I'd never come across a Blackberry. I suppose that up until recently, it has been the preserve of key government and corporate employees, not average-Joe software engineers like me. However, the Blackberry is emerging as an ever more popular platform for the general public. In the weeks that followed, I noticed a common thread in the architecture and features of the device: security first and functionality second.
What do I mean?
Well, take Bluetooth for example. When you're looking at the box of your shiny new Blackberry and you see that it has Bluetooth support, you might think "great, I can use it with my laptop to go online while on the move." Bzzzt—wrong. Although the Blackberry does have Bluetooth, it only supports two profiles: “Headset” and “Serial” (needed for headset). So, no TCP/IP networking and no file transfer. In fact, the Blackberry doesn't even have a file system!
What's the point?
To understand these design decisions, it's important to remember Blackberry's roots and realize where RIM (Research In Motion, the company that makes Blackberry) gets its bread and butter from. Historically, a large proportion of Blackberry customers were government agencies and corporations. Any device deployed by these government agencies would have to comply with strict security guidelines and still be simple and effective to use. The Blackberry filled that niche to a “T”. It provided email access on the move that "just worked." It used strong end-to-end encryption on all data traffic and, getting back to the point above, it disabled or removed any features deemed too risky in terms of data security and integrity (for example, Bluetooth networking).
What lies ahead for the Blackberry?
As RIM expands into the consumer market, they are coming to a crucial fork in the road. Do they add features to please consumers (but risk alienating the core client base)? Or, do they maintain a consistent secure platform (and risk being outdone in the consumer market by more feature-rich devices)? It's clear from reading various Blackberry forums that there are rumblings from users who are in favor of both directions and maybe that’s the answer: split the product line. There are already rumors about a Blackberry camera phone in the works, but only time will tell how it pans out for RIM.
Recently, a whitepaper on the security of RIM Blackberry devices was removed from the Symantec Web site. During our testing for this paper, Symantec did not consider the effectiveness of all possible security features that might provide mitigation of the impact of malware and the management of application permissions. Symantec has very high standards that we adhere to whenever we publish information for the security industry. As a result, we felt that more research was required on current versions of the Blackberry in order to provide a more in-depth report before republishing the paper. As always, we will continue to publish cutting edge research that provides valuable insights to the community and public at large.