- How the BlackBerry 10 OS uses sandboxing to protect app data
The BlackBerry 10 OS uses a security mechanism called sandboxing to separate and restrict the capabilities and permissions of apps that run on the BlackBerry 10 device. Each application process runs in its own sandbox, which is a virtual container that consists of the memory and the part of the file system that the application process has access to at a specific time.

Each sandbox is associated with both the app and the space that it is used in. For example, an app can have one sandbox in the personal space and another sandbox in the work space; each sandbox is isolated from the other sandbox.

The BlackBerry 10 OS evaluates the requests that an application's process makes for memory outside of its sandbox. If a process tries to access memory outside of its sandbox without approval from the BlackBerry 10 OS, the BlackBerry 10 OS ends the process, reclaims all of the memory that the process is using, and restarts the process without negatively affecting other processes.

When the BlackBerry 10 OS is installed, it assigns a unique group ID to each app. Two apps cannot share the same group ID, and the BlackBerry 10 OS does not reuse group IDs after apps are removed. An app's group ID remains the same when the app is upgraded.

By default, each app stores its data in its own sandbox. The BlackBerry 10 OS prevents apps from accessing file system locations that are not associated with the app's group ID.

An app can also store and access data in a shared directory, which is a sandbox that is available to any app that has access to it. When an app that wants to store or access files in the shared directory starts for the first time, the app prompts the user to allow access.
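The group ID and sandbox rules above, written out as an added toy model in Python. It is not BlackBerry code and does not show how the OS implements these rules. The class, method names, paths and starting group ID are assumptions made for the example.

```python
from itertools import count

SHARED = "/shared"  # constructed path; the page does not give real locations


class SandboxRegistry:
    """Toy model of per-app group IDs and sandbox checks (hypothetical names)."""

    def __init__(self, first_gid=10000):      # starting value is an assumption
        self._next_gid = count(first_gid)     # monotonic counter: IDs never repeat
        self._gid = {}                        # installed app -> group ID
        self._owner = {}                      # sandbox root -> (group ID, space)
        self.shared_ok = set()                # apps the user allowed into SHARED

    def install(self, app):
        """Install or upgrade; an upgrade keeps the existing group ID."""
        if app not in self._gid:
            self._gid[app] = next(self._next_gid)
        return self._gid[app]

    def remove(self, app):
        """Uninstall; the group ID is retired and never handed out again."""
        self._gid.pop(app, None)
        self.shared_ok.discard(app)

    def sandbox(self, app, space):
        """Create the sandbox for one (app, space) pair and return its root."""
        root = f"/sandboxes/{space}/{app}"
        self._owner[root] = (self._gid[app], space)
        return root

    def can_access(self, app, space, path):
        """Allow only the app's own sandbox for this space, or approved SHARED."""
        if path == SHARED or path.startswith(SHARED + "/"):
            return app in self.shared_ok
        gid = self._gid.get(app)
        for root, owner in self._owner.items():
            if path == root or path.startswith(root + "/"):
                return gid is not None and owner == (gid, space)
        return False


def leftover_data_exposed(reg, old_app, new_app, space="personal"):
    """Remove old_app, install new_app, and test access to old_app's files."""
    reg.install(old_app)
    leftover = reg.sandbox(old_app, space) + "/data.db"
    reg.remove(old_app)
    reg.install(new_app)
    return reg.can_access(new_app, space, leftover)
```

`leftover_data_exposed` shows why group IDs are not reused: a newly installed app never receives the ID that still owns a removed app's files.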