[Funq]

So I have a question about BBM and its perceived security.

Here's the background story. I was talking to a colleague today about Apple and product launches. He's pretty tech-savvy, so I asked him whether he would be giving BBM a try once it is released on iOS. His answer was a very resolute "NO". Clearly he doesn't need the advanced features of BBM over the likes of WhatsApp, so I asked him about the increased security.

His view on security was the following: "as long as an application is not open source, there is no guarantee that it is secure". He meant that, unless it is open source, you have no method to verify that there is no backdoor access. The possibility to encrypt messages with open-source third-party apps would be the only really secure option. And as far as simple messaging goes, he does not feel the need to secure transmission of messages telling his wife when he'll be home.

Now I am in no way versed in the workings of communication security, but it did get me thinking about BBM and its apparently unsurpassed security. Therefore, I am interested in the opinion of those concerned with secure communication. Do you agree that third-party open-source encryption is the only way to go for guaranteed security and that we shouldn't be concerned with the insecurity of menial messages?

Looking forward to your input!

[qbnkelt]

This question comes up again and again, due to BlackBerry's world class security in Enterprise.

As far as his comments on open source, I think he might have his information a bit turned around. Saying that only open source code is secure because it is the only one that can be verified not to have backdoor access is rather astounding.

BlackBerry Messenger and PIN to PIN messages are NOT encrypted. They are scrambled using a global cryptographic key which EVERY BlackBerry in the world uses. There is no specificity. BES administrators have the option to encrypt the body of PIN messages (but not the PIN itself) using a organisation specific encryption key and that is possible within ultra secure organisations, but that limits users to only be able to send PIN messages within the organisation. RIM sells a S/MIME Package to encrypt PIN to PIN messages but that is really only done by Government organizations.

The only BlackBerry messaging solution that can be deemed secure is BES.

Check BlackBerry's knowledge base:

KB03652-Comparing BlackBerry Internet Service and BlackBerry Enterprise Server features

[Funq]

Thank you for the detailed response! I know the security issue is mainly BES-related, but for some reason I was under the impression that BBM was also encrypted. I will definitely check out the link you provided.

As for your following comment:

As far as his comments on open source, I think he might have his information a bit turned around. Saying that only open source code is secure because it is the only one that can be verified not to have backdoor access is rather astounding.

His main motivation was the use of open-source software such as truecrypt (truecrypt.org). As I said, this is all very new to me, so I am trying to understand the implications of all different approaches.

Again, thanks for the reply.

[emtunc]

Generally speaking, your friend is right when he says "as long as an application is not open source, there is no guarantee that it is secure".

Open source software has the advantage of having more eyes on it which means anyone can look at the code and determine exactly what it does.

Closed source is exactly that - closed. This whole NSA/GCHQ business has pretty much shown that there are companies out there who don't give a a crap about user privacy/security and are willing to bend over for the government by putting in some backdoors or looking the other way when a highly complex exploit is taken advantage of by the gov.