[Blue Hef]

Hi guys.

I have gone through the old blackberrys and the new ones now have the q10 for work purposes, now, very simply, is this blackberry 10 as secure as the classic blackberry like the bold 9790 i had for example? I need it for my work emails and it is very important they remain safe, also does it not also have something to do with the company you use for emailing, i.e gmail outlook etc? please let me know its very important

if not lol i guess ill have to buy one of the old blackberrys again haha

[Sith_Apprentice]

Hi guys.

I have gone through the old blackberrys and the new ones now have the q10 for work purposes, now, very simply, is this blackberry 10 as secure as the classic blackberry like the bold 9790 i had for example? I need it for my work emails and it is very important they remain safe, also does it not also have something to do with the company you use for emailing, i.e gmail outlook etc? please let me know its very important

if not lol i guess ill have to buy one of the old blackberrys again haha

So the device, without BES, is roughly as secure as previous. With BES it is the same security (or higher depending on BES settings). If you use Gmail or another public internet mail provider you are not secure on the mail server side.

[Troy Tiscareno]

Make no mistake: the majority of the "security" on any BB phone, whether BBOS or BB10, comes from that phone being on BES. That's where you get secure emails and BBM, and perhaps secure file access to corporate servers.

Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.

Even with BES, texting (SMS/MMS) and phone calls are totally unsecure, as there is no universal protocol to secure those services.

[crackbrry fan]

Make no mistake: the majority of the "security" on any BB phone, whether BBOS or BB10, comes from that phone being on BES. That's where you get secure emails and BBM, and perhaps secure file access to corporate servers.

Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.

Even with BES, texting (SMS/MMS) and phone calls are totally unsecure, as there is no universal protocol to secure those services.

There is native encryption on BlackBerry 10 as with Legacy. For both device and storage cards

Posted via CB10

[Omnitech]

Without BES, you're not significantly more secure than any other phone.

I guess I'll be correcting this favorite FUD of yours until the cows come home.

From:

http://us.blackberry.com/content/dam...rity-Works.pdf

---

The Security Benefits of the QNX Microkernel

• It contains less code (about 150,000 lines)
• This small footprint helps eliminate vulnerabilities by making security verification and testing easier and more robust

It’s designed for resiliency

• The Microkernel isolates processes in the user space
• Unresponsive processes are restarted without affecting others, so that applications don’t crash the OS

It minimizes all root processes

• Only the most essential BlackBerry processes run as root
• Root processes are not available to non-BlackBerry parties, which makes the OS less vulnerable to security risks

The QNX Microkernel diagram below illustrates how user processes cannot directly access other processes.

Contained and Constrained: Application and Malware Controls

The best way to protect your enterprise from mobile malware is to use an operating system that’s designed to resist it. BlackBerry 10 uses a ‘contain and constrain’
design strategy to mitigate against malware risks.

By sandboxing the user space, BlackBerry 10 can block malicious behavior:

• Processes are constrained within the user space and the microkernel carefully supervises inter-process communication.
• Memory accessed by the user space is also authorized by the microkernel.
• Any process that attempts to address unauthorized memory is automatically restarted or shut down.

And in the next diagram, you’ll see just a few examples of the security mechanisms that are integrated into the BlackBerry 10 operating system to protect against attacks and arbitrary code execution.

Protection Mechanism	Description
Non-executable stack and heap	Stack and heap areas of memory cannot execute machine code, protecting against buffer overflows
Stack cookies	Buffer overflow protection to prevent arbitrary code execution
Robust heap implementations	A form of protection against heap area of memory corruption that can lead to arbitrary code execution
Address space layout randomization	(ASLR) Random allocation of a process’ address space makes arbitrary code execution more difficult
Compiler-level source fortification	Compiler option replaces insecure code constructs where possible
Guard pages	A form of protection against heap buffer overflow and arbitrary code execution

.

[Troy Tiscareno]

There is native encryption on BlackBerry 10 as with Legacy. For both device and storage cards

There's native encryption on Android too, and just like BB, it is turned OFF by default. Of course, it's simple to turn it on on either phone, and just as effective on either phone, but relatively few people actually use it (I'm one of those few).

[The Big Picture]

Make no mistake: the majority of the "security" on any BB phone, whether BBOS or BB10, comes from that phone being on BES. That's where you get secure emails and BBM, and perhaps secure file access to corporate servers.

Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.

Even with BES, texting (SMS/MMS) and phone calls are totally unsecure, as there is no universal protocol to secure those services.

I suppose this dutch criminal had BES?
http://forums.crackberry.com/showthread.php?t=933857

Signature - Google wants your info. What are you gonna do about it?

[web99]

Hi guys.

I have gone through the old blackberrys and the new ones now have the q10 for work purposes, now, very simply, is this blackberry 10 as secure as the classic blackberry like the bold 9790 i had for example? I need it for my work emails and it is very important they remain safe, also does it not also have something to do with the company you use for emailing, i.e gmail outlook etc? please let me know its very important

if not lol i guess ill have to buy one of the old blackberrys again haha

For work devices, the question that you should be asking is what MDM solution can I use to ensure the security of my devices. For BB10 devices, BES 10 would be a good option as it does have a lot of configurable settings. Administrators can restrict what can be done on a device, the apps that can be used and even set up user profiles that correspond to your workplace's security policies.

Posted via CB10 from my spectacular Q10

[Troy Tiscareno]

I suppose this dutch criminal had BES?
Dutch criminal's BlackBerry can't be decrypted. - BlackBerry Forums at CrackBerry.com

Anyone can encrypt their device (few do, though). We're talking about NETWORK security, as in, your data moving around through the carrier's networks and/or the Internet.

Yes, BB has some great security features on the device itself, but without BES, your network services are no different than an iPhone or Android.

BES adds encryption to corporate email server connections, to BBM connections to other devices of that business, and possibly to file access or custom apps for that business. Without BES, your network connections are either totally unencrypted (phone calls, texts) or use the same encryption standards that everyone else uses.

[MobileZen]

Anyone can encrypt their device (few do, though). We're talking about NETWORK security, as in, your data moving around through the carrier's networks and/or the Internet.

Yes, BB has some great security features on the device itself, but without BES, your network services are no different than an iPhone or Android.

BES adds encryption to corporate email server connections, to BBM connections to other devices of that business, and possibly to file access or custom apps for that business. Without BES, your network connections are either totally unencrypted (phone calls, texts) or use the same encryption standards that everyone else uses.

The OP, Blue Hef, was asking about the new BB10 device (hardware and software) mainly where in fact, plays a role in the overall security offering.

I believe Omnitech has kindly pointed out in his post that BlackBerry 10 has security built from the ground up. It's not just network security. Factor the network security out from the offering, I think it's quite clear which device and OS has the better security.

Android is the biggest culprit for the security holes and even Samsung Knox can't get ahead of the threats on its own device implementation. http://securityaffairs.co/wordpress/...ious-flaw.html

How much patch work does one have to do after the breach has already occurred? I'd go with the device that is security minded proactively. If I want the highest grade security, I'd for the end-to-end offering starting with BB10 OS on BB Hardware using BES and the BlackBerry NOC. Doesn't hurt that BlackBerry's subsidiary is Certicom who are hardware/software security experts but also experts in cryptography (Elliptical Curve) with government and large companies as their clients.
http://www.certicom.com/index.php/about

Posted via CB10

[crackbrry fan]

The OP, Blue Hef, was asking about the new BB10 device (hardware and software) mainly where in fact, plays a role in the overall security offering.

I believe Omnitech has kindly pointed out in his post that BlackBerry 10 has security built from the ground up. It's not just network security. Factor the network security out from the offering, I think it's quite clear which device and OS has the better security.

Android is the biggest culprit for the security holes and even Samsung Knox can't get ahead of the threats on its own device implementation. http://securityaffairs.co/wordpress/...ious-flaw.html

How much patch work does one have to do after the breach has already occurred? I'd go with the device that is security minded proactively. If I want the highest grade security, I'd for the end-to-end offering starting with BB10 OS on BB Hardware using BES and the BlackBerry NOC. Doesn't hurt that BlackBerry's subsidiary is Certicom who are hardware/software security experts but also experts in cryptography (Elliptical Curve) with government and large companies as their clients.
http://www.certicom.com/index.php/about

Posted via CB10

Very well articulated ,though somehow I think that he won't accept the facts. I have been a victim of Security Breach on Android specifically Samsung S4. This particular OP won't understand till he suffers an issue such as that, he can continue fooling himself.

Posted via CB10

[Omnitech]

Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.

I missed the bolded part earlier, which you are ALSO wrong on.

Not only could this have been deduced from various company statements on security, various official documents exist which make it plain that BBM cross-platform is TLS-encrypted, ie this one, quoting:

---

BBM Security note

TLS in BBM
TLS in BBMBlackBerry 10, iOS, and Android devices send all data to each other through the BlackBerry Infrastructure over a TLS connection. In certain scenarios, BlackBerry 7.1 and earlier devices also send data this way. TLS is a common web standard used across all major desktop and mobile web browsers for secure online banking and shopping. A TLS connection between a device and the BlackBerry Infrastructure is designed to protect BBM messages from eavesdropping or manipulation by an attacker.

---

Re: "scrambling", the only instance where data security in BBM relies only on the old "scrambling" technique is for legacy BBOS devices when one of the links is not traversing the public internet. Otherwise, BBM on BB10 devices is MORE secure than it was on BBOS devices because all communications AT MINIMUM travel via TLS encrypted tunnels, and typically use TLS COMBINED with traditional BBM "scrambling".

So how is the competition doing? A few data points:


WhatsApp

- Sent all traffic unencrypted until 2012-08 [1]
- When they added encryption in 2012-08, they did it poorly, leaving mobile numbers vulnerable and worse, using easily-guessed encryption keys [1]
- Serious flaws in WhatsApp encryption persisted up until at least 2013-10 [2]
- WhatsApp chat logs are readable by any other app on the device [3]
- In fact, Dutch and Canadian authorities concluded in 2013 that WhatsApp violated their countries privacy laws by insecurely storing non-user contact details [4]
- Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love” [5]


Apple iMessage

Among other things, does not implement (as BBM does) "certificate pinning" - allowing attackers to spoof legitimate iMessage servers. (source)


Viber

Sends shared files and location data unencrypted, stores data on Amazon cloud servers unencrypted and accessible to anyone (source 1, source 2)


LINE Messenger

Messages and data are sent completely unencrypted over carrier networks (source)


WeChat

Plagued by a variety of technical security vulnerabilities, in addition to being subject to widespread surveillance by Chinese authorities (source)


.

[Omnitech]

Yes, BB has some great security features on the device itself...

Massive backtrack noted.

...but without BES, your network services are no different than an iPhone or Android.

When we're talking solely about "data in transit", both sides need to support encryption, or else nothing one side does is going to magically cause the other side to encrypt the traffic if they don't support it.

So if you are using insecure public internet services that don't bother to secure their content, then BlackBerry is not going to magically fix that, nor is anyone else's platform. (Nor is BES.)

However there are various other potential points of security vulnerability in a digital communications device other than "communicating with insecure services", and those things certainly can be mitigated by better security architecture and practices on the endpoint.

It can be safely assumed that people who are asking about BlackBerry's platform security are going to be at least moderately aware of how to avoid "insecure internet services".

As we know from Snowden's documents, shadowy 3-letter agencies will typically go after the "low hanging fruit" when it comes to breaking into someone's communications. And if that happens to be "garbage on-device security architecture", then that is where they will focus. They are not going to bother with some heroic attempt to decrypt SSL traffic when all they need to do is send you a little piece of Android malware and their job is done.

[MobileZen]

To add further to the above post,

5 Ways Snapchat Violated Your Privacy, Security

Snapchat settles FTC allegations that the company lied to consumers about the application's security and privacy

1) Recipients may have saved your images
- Despite the app's promises, your images did not necessarily disappear forever.
- A number of developers built applications that users could download to save picture and video messages without your knowledge.
- Recipients of your Snapchat messages could also use their devices' screenshot capabilities to capture an image of a snap while it appeared on their screens, the FTC said. Snapchat claimed that if this happened, it would notify you immediately -- but that wasn't true

2) Recipients may have saved your videos
- Until October 2013, recipients could connect their mobile devices to a computer and use file browsing tools to locate and save video files you sent them, the FTC said.
-This was possible because Snapchat stored video files in a location outside of the app's "sandbox," or the app's private storage area on the device, that other apps couldn't access.

3) Snapchat may have transmitted your location
- Snapchat's privacy policy says it does not ask for, track, or access any location-specific information from your device at any time, those claims are false, the FTC said.
- In fact, the company did transmit WiFi-based and cell-based location information from Android users' mobile devices to its analytics tracking service provider.

4) Snapchat may have collected contact information from your address book
- Snapchat's privacy policy claimed that the app collected only your email, phone number, and Facebook ID to find friends for you to connect with.
- However, if you're an iOS user and entered your phone number to find friends, Snapchat collected the names and phone numbers of all the contacts in your mobile device address books without your notice or consent.

5) The "Find Friends" feature was not secure
- Because Snapchat did not verify users' phone numbers during registration, some consumers complained that they sent images or videos to someone under the false impression that they were communicating with a friend.
- In reality, these messages were sent to strangers who had registered with phone numbers that did not belong to them.
- This resulted in a security breach permitting attackers to compile a database of 4.6 million Snapchat usernames and phone numbers, which could lead to spam, phishing, and other unsolicited communications, the FTC said.

Source

The FTC has stepped in and issued this as part of their statement "If a company markets privacy and security as key selling points in pitching its services to consumers, it is critical that it keep those promises," said FTC chairwoman Edith Rameriz in a statement. "Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.Source

As a result, Snapchat gets 20 years scrutiny over FTC privacy and security charges. Source

WOW.

[Blue Hef]

wow seems ive really sparked a debate LOL, so BES it is, i will be getting this on my blackberry 10, ive got a note 3 also and knox is, welllll? eh? lol, with google and android, the NSA i really feel they are trying to track everything, i am a fan of blackberry for work purposes just the app store is where it lacks, anyway, getting off track, I will certainly look into BES, thanks guys

[jafrul]

wow seems ive really sparked a debate LOL, so BES it is, i will be getting this on my blackberry 10, ive got a note 3 also and knox is, welllll? eh? lol, with google and android, the NSA i really feel they are trying to track everything, i am a fan of blackberry for work purposes just the app store is where it lacks, anyway, getting off track, I will certainly look into BES, thanks guys

You're going to have BES for your company?
Congrats.

Posted via Astro on Z30STA100-2/10.2.1.2947

[ALToronto]

So if I don't connect my Q10 to any public wifi, and only use my phone's data plan to do online banking, how secure is that on a personal non-BES account? And if I connect my Windows tablet to the Internet through my phone's mobile hotspot, how secure is that - for the tablet AND the phone?

Posted via CB10

[THBW]

Make no mistake: the majority of the "security" on any BB phone, whether BBOS or BB10, comes from that phone being on BES. That's where you get secure emails and BBM, and perhaps secure file access to corporate servers.

Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.

Even with BES, texting (SMS/MMS) and phone calls are totally unsecure, as there is no universal protocol to secure those services.

Your not going down this road again, are you? You were wrong the first time; do we have to go through it again? Please do some background reading.

Posted via CB10

[Blue Hef]

You're going to have BES for your company?
Congrats.

Posted via Astro on Z30STA100-2/10.2.1.2947

hello mate,

all I need is secure emails and conversations, a way to share important files, pdfs etc and it seems that this is the only way, but on this new thread http://forums.crackberry.com/general...stions-934063/ i have had it explained to me that I can do it for free but with the purchasing of two licences as I only need it for communications btween myself and my business partner, ive signed up for the cloud service but having huge issues it says theirs a server error i need to contact blackberry tech support, then they said its a $249 charge to speak to them directly or i contact Microsoft on a premium number and they speak to blackberry for me lol

hopefully things work out in my new venture

all the best.

Jai

[clickitykeys]

I missed the bolded part earlier, which you are ALSO wrong on.

Not only could this have been deduced from various company statements on security, various official documents exist which make it plain that BBM cross-platform is TLS-encrypted, ie this one, quoting:

---

BBM Security note

TLS in BBM
TLS in BBMBlackBerry 10, iOS, and Android devices send all data to each other through the BlackBerry Infrastructure over a TLS connection. In certain scenarios, BlackBerry 7.1 and earlier devices also send data this way. TLS is a common web standard used across all major desktop and mobile web browsers for secure online banking and shopping. A TLS connection between a device and the BlackBerry Infrastructure is designed to protect BBM messages from eavesdropping or manipulation by an attacker.

---

Re: "scrambling", the only instance where data security in BBM relies only on the old "scrambling" technique is for legacy BBOS devices when one of the links is not traversing the public internet. Otherwise, BBM on BB10 devices is MORE secure than it was on BBOS devices because all communications AT MINIMUM travel via TLS encrypted tunnels, and typically use TLS COMBINED with traditional BBM "scrambling".

So how is the competition doing? A few data points:


WhatsApp

- Sent all traffic unencrypted until 2012-08 [1]
- When they added encryption in 2012-08, they did it poorly, leaving mobile numbers vulnerable and worse, using easily-guessed encryption keys [1]
- Serious flaws in WhatsApp encryption persisted up until at least 2013-10 [2]
- WhatsApp chat logs are readable by any other app on the device [3]
- In fact, Dutch and Canadian authorities concluded in 2013 that WhatsApp violated their countries privacy laws by insecurely storing non-user contact details [4]
- Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love” [5]


Apple iMessage

Among other things, does not implement (as BBM does) "certificate pinning" - allowing attackers to spoof legitimate iMessage servers. (source)


Viber

Sends shared files and location data unencrypted, stores data on Amazon cloud servers unencrypted and accessible to anyone (source 1, source 2)


LINE Messenger

Messages and data are sent completely unencrypted over carrier networks (source)


WeChat

Plagued by a variety of technical security vulnerabilities, in addition to being subject to widespread surveillance by Chinese authorities (source)


.

Thanks for this. Posts like this is what CB should be about, at least in my opinion. I learnt more from this post than from the many days of catching-up I did on the CB homepage.

[ronfc]

Great information!

Cave, cave, moderator videt

[masterful]

Thanks click. You really helped us for understanding.

? Slicing using my ?

[targnik]

I like how if I change anything to do with my Z10, I get an email stating that there has been a change made...

Z10STL100-2/10.2.1.3175

[TgeekB]

I like how if I change anything to do with my Z10, I get an email stating that there has been a change made...

Z10STL100-2/10.2.1.3175

Could you explain this? Not exactly sure what you're referring to and if it's native or needs to be activated somehow. Thanks.

Posted via my Nexus 10.

[Jonny-R]

I'm glad that somebody else has pointed out that BB10 BBM is TLS end-end encrypted with the global DES key used over the top of this encryption. BBM is very secure due to it's strict implementation of SSL and certificate pinning; more secure than BBOS BBM ever was.

There is an interesting and in-depth security report on the Android BBM implementation of SSL, which would use only TLS end-end encryption. It was found to have no weaknesses and the encryption remained high. I'll try to find it.

To answer more of the OPs question. Not on BES email is as secure as Android/iOs/anything else which can use SSL. SMS/phone call are as secure as other phones (ie technology to make/receive/send is globally the same in phones). The cryptographic kernal in BlackBerry 10 seems very strong (without BES), ie your data on the physical phone is secure. This cannot be contested otherwise.