Security levels on Blackberry 10
- Hi guys.
I have gone through the old blackberrys and the new ones now have the q10 for work purposes, now, very simply, is this blackberry 10 as secure as the classic blackberry like the bold 9790 i had for example? I need it for my work emails and it is very important they remain safe, also does it not also have something to do with the company you use for emailing, i.e gmail outlook etc? please let me know its very important
if not lol i guess ill have to buy one of the old blackberrys again haha
05-23-14 06:31 PM | Like 0
- Sith_Apprentice (Mod Team Emeritus)
Hi guys.
I have gone through the old blackberrys and the new ones now have the q10 for work purposes, now, very simply, is this blackberry 10 as secure as the classic blackberry like the bold 9790 i had for example? I need it for my work emails and it is very important they remain safe, also does it not also have something to do with the company you use for emailing, i.e gmail outlook etc? please let me know its very important
if not lol i guess ill have to buy one of the old blackberrys again haha
So the device, without BES, is roughly as secure as previous. With BES it is the same security (or higher depending on BES settings). If you use Gmail or another public internet mail provider you are not secure on the mail server side.
Blue Hef likes this.
05-23-14 06:36 PM | Like 1
- Make no mistake: the majority of the "security" on any BB phone, whether BBOS or BB10, comes from that phone being on BES. That's where you get secure emails and BBM, and perhaps secure file access to corporate servers.
Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.
Even with BES, texting (SMS/MMS) and phone calls are totally unsecure, as there is no universal protocol to secure those services.
05-23-14 09:51 PM | Like 4
- Make no mistake: the majority of the "security" on any BB phone, whether BBOS or BB10, comes from that phone being on BES. That's where you get secure emails and BBM, and perhaps secure file access to corporate servers.
Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.
Even with BES, texting (SMS/MMS) and phone calls are totally unsecure, as there is no universal protocol to secure those services.
Posted via CB10
05-23-14 09:58 PM | Like 3
- Omnitech (Dragon Slayer)
I guess I'll be correcting this favorite FUD of yours until the cows come home.
From:
http://us.blackberry.com/content/dam...rity-Works.pdf
The Security Benefits of the QNX Microkernel
- It contains less code (about 150,000 lines)
- This small footprint helps eliminate vulnerabilities by making security verification and testing easier and more robust
It’s designed for resiliency
- The Microkernel isolates processes in the user space
- Unresponsive processes are restarted without affecting others, so that applications don’t crash the OS
It minimizes all root processes
- Only the most essential BlackBerry processes run as root
- Root processes are not available to non-BlackBerry parties, which makes the OS less vulnerable to security risks
The QNX Microkernel diagram below illustrates how user processes cannot directly access other processes.
Contained and Constrained: Application and Malware Controls
The best way to protect your enterprise from mobile malware is to use an operating system that’s designed to resist it. BlackBerry 10 uses a ‘contain and constrain’ design strategy to mitigate against malware risks.
By sandboxing the user space, BlackBerry 10 can block malicious behavior:
- Processes are constrained within the user space and the microkernel carefully supervises inter-process communication.
- Memory accessed by the user space is also authorized by the microkernel.
- Any process that attempts to address unauthorized memory is automatically restarted or shut down.
And in the next diagram, you’ll see just a few examples of the security mechanisms that are integrated into the BlackBerry 10 operating system to protect against attacks and arbitrary code execution.
| Protection Mechanism | Description |
| --- | --- |
| Non-executable stack and heap | Stack and heap areas of memory cannot execute machine code, protecting against buffer overflows |
| Stack cookies | Buffer overflow protection to prevent arbitrary code execution |
| Robust heap implementations | A form of protection against heap area of memory corruption that can lead to arbitrary code execution |
| Address space layout randomization (ASLR) | Random allocation of a process’ address space makes arbitrary code execution more difficult |
| Compiler-level source fortification | Compiler option replaces insecure code constructs where possible |
| Guard pages | A form of protection against heap buffer overflow and arbitrary code execution |
05-23-14 10:10 PM | Like 8
- There's native encryption on Android too, and just like BB, it is turned OFF by default. Of course, it's simple to turn it on on either phone, and just as effective on either phone, but relatively few people actually use it (I'm one of those few).
05-24-14 10:38 AM | Like 0
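Several of the protection mechanisms in the BlackBerry document quoted earlier in the thread (non-executable stack, stack cookies, ASLR, source fortification) leave traces in a compiled ELF binary that can be checked. The following is an added example, not code from any poster or from BlackBerry; `audit_elf` and `build_sample` are hypothetical helpers, the sample images are constructed, and the symbol names assume GCC-style toolchain conventions.

```python
import re
import struct

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PF_X = 0x1                  # "executable" segment flag
ET_EXEC, ET_DYN = 2, 3      # fixed-address vs position-independent image


def audit_elf(data):
    """Report which hardening traces an ELF image carries (hypothetical helper)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    if is64:
        phoff = struct.unpack_from(e + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
        flags_at = 4                         # p_flags follows p_type in ELF64
    else:
        phoff = struct.unpack_from(e + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
        flags_at = 24                        # p_flags is the 7th word in ELF32
    nx_stack = False                         # no PT_GNU_STACK: NX is not proven
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(e + "I", data, base)[0] == PT_GNU_STACK:
            flags = struct.unpack_from(e + "I", data, base + flags_at)[0]
            nx_stack = not flags & PF_X
    return {
        "nx_stack": nx_stack,
        "pie_for_aslr": e_type == ET_DYN,    # image itself can be relocated
        # Heuristics on GCC-style symbol names; stripped static binaries hide them.
        "stack_cookies": b"__stack_chk_fail\x00" in data,
        "fortified": re.search(rb"__[a-z]+_chk\x00", data) is not None,
    }


def build_sample(e_type, stack_flags, symbols):
    """Constructed 32-bit little-endian ARM ELF: header, one phdr, symbol names."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, e_type, 40, 1,
                       0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr + b"\x00".join(symbols) + b"\x00"


# Constructed samples: RW stack + PIE + checked calls, versus RWX stack, fixed address.
HARDENED = build_sample(ET_DYN, 0x6, [b"__stack_chk_fail", b"__memcpy_chk"])
LEGACY = build_sample(ET_EXEC, 0x7, [b"strcpy", b"memcpy"])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, audit_elf(image))
```

To audit a real file, pass `open(path, "rb").read()` to `audit_elf`; heap hardening and guard pages are runtime properties and cannot be read from the file this way.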
- Make no mistake: the majority of the "security" on any BB phone, whether BBOS or BB10, comes from that phone being on BES. That's where you get secure emails and BBM, and perhaps secure file access to corporate servers.
Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.
Even with BES, texting (SMS/MMS) and phone calls are totally unsecure, as there is no universal protocol to secure those services.
http://forums.crackberry.com/showthread.php?t=933857
Signature - Google wants your info. What are you gonna do about it?
CerveloJohn and smart548 like this.
05-24-14 03:43 PM | Like 2
- Hi guys.
I have gone through the old blackberrys and the new ones now have the q10 for work purposes, now, very simply, is this blackberry 10 as secure as the classic blackberry like the bold 9790 i had for example? I need it for my work emails and it is very important they remain safe, also does it not also have something to do with the company you use for emailing, i.e gmail outlook etc? please let me know its very important
if not lol i guess ill have to buy one of the old blackberrys again haha
Posted via CB10 from my spectacular Q10
05-24-14 03:57 PM | Like 0
- I suppose this dutch criminal had BES?
Dutch criminal's BlackBerry can't be decrypted. - BlackBerry Forums at CrackBerry.com
Yes, BB has some great security features on the device itself, but without BES, your network services are no different than an iPhone or Android.
BES adds encryption to corporate email server connections, to BBM connections to other devices of that business, and possibly to file access or custom apps for that business. Without BES, your network connections are either totally unencrypted (phone calls, texts) or use the same encryption standards that everyone else uses.
05-24-14 06:04 PM | Like 0
- Anyone can encrypt their device (few do, though). We're talking about NETWORK security, as in, your data moving around through the carrier's networks and/or the Internet.
Yes, BB has some great security features on the device itself, but without BES, your network services are no different than an iPhone or Android.
BES adds encryption to corporate email server connections, to BBM connections to other devices of that business, and possibly to file access or custom apps for that business. Without BES, your network connections are either totally unencrypted (phone calls, texts) or use the same encryption standards that everyone else uses.
I believe Omnitech has kindly pointed out in his post that BlackBerry 10 has security built from the ground up. It's not just network security. Factor the network security out from the offering, I think it's quite clear which device and OS has the better security.
Android is the biggest culprit for the security holes and even Samsung Knox can't get ahead of the threats on its own device implementation. http://securityaffairs.co/wordpress/...ious-flaw.html
How much patch work does one have to do after the breach has already occurred? I'd go with the device that is security minded proactively. If I want the highest grade security, I'd go for the end-to-end offering starting with BB10 OS on BB Hardware using BES and the BlackBerry NOC. Doesn't hurt that BlackBerry's subsidiary is Certicom who are hardware/software security experts but also experts in cryptography (Elliptical Curve) with government and large companies as their clients.
http://www.certicom.com/index.php/about
Posted via CB10
05-24-14 06:39 PM | Like 4
- The OP, Blue Hef, was asking about the new BB10 device (hardware and software) mainly where in fact, plays a role in the overall security offering.
I believe Omnitech has kindly pointed out in his post that BlackBerry 10 has security built from the ground up. It's not just network security. Factor the network security out from the offering, I think it's quite clear which device and OS has the better security.
Android is the biggest culprit for the security holes and even Samsung Knox can't get ahead of the threats on its own device implementation. http://securityaffairs.co/wordpress/...ious-flaw.html
How much patch work does one have to do after the breach has already occurred? I'd go with the device that is security minded proactively. If I want the highest grade security, I'd go for the end-to-end offering starting with BB10 OS on BB Hardware using BES and the BlackBerry NOC. Doesn't hurt that BlackBerry's subsidiary is Certicom who are hardware/software security experts but also experts in cryptography (Elliptical Curve) with government and large companies as their clients.
http://www.certicom.com/index.php/about
Posted via CB10
Posted via CB10
05-24-14 06:59 PM | Like 0
- Omnitech (Dragon Slayer)
Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.
I missed the bolded part earlier, which you are ALSO wrong on.
Not only could this have been deduced from various company statements on security, various official documents exist which make it plain that BBM cross-platform is TLS-encrypted, ie this one, quoting:
BBM Security note
TLS in BBM
BlackBerry 10, iOS, and Android devices send all data to each other through the BlackBerry Infrastructure over a TLS connection. In certain scenarios, BlackBerry 7.1 and earlier devices also send data this way. TLS is a common web standard used across all major desktop and mobile web browsers for secure online banking and shopping. A TLS connection between a device and the BlackBerry Infrastructure is designed to protect BBM messages from eavesdropping or manipulation by an attacker.
Re: "scrambling", the only instance where data security in BBM relies only on the old "scrambling" technique is for legacy BBOS devices when one of the links is not traversing the public internet. Otherwise, BBM on BB10 devices is MORE secure than it was on BBOS devices because all communications AT MINIMUM travel via TLS encrypted tunnels, and typically use TLS COMBINED with traditional BBM "scrambling".
So how is the competition doing? A few data points:
WhatsApp
- Sent all traffic unencrypted until 2012-08 [1]
- When they added encryption in 2012-08, they did it poorly, leaving mobile numbers vulnerable and worse, using easily-guessed encryption keys [1]
- Serious flaws in WhatsApp encryption persisted up until at least 2013-10 [2]
- WhatsApp chat logs are readable by any other app on the device [3]
- In fact, Dutch and Canadian authorities concluded in 2013 that WhatsApp violated their countries' privacy laws by insecurely storing non-user contact details [4]
- Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love” [5]
Apple iMessage
Among other things, does not implement (as BBM does) "certificate pinning" - allowing attackers to spoof legitimate iMessage servers. (source)
Viber
Sends shared files and location data unencrypted, stores data on Amazon cloud servers unencrypted and accessible to anyone (source 1, source 2)
LINE Messenger
Messages and data are sent completely unencrypted over carrier networks (source)
WeChat
Plagued by a variety of technical security vulnerabilities, in addition to being subject to widespread surveillance by Chinese authorities (source)
05-24-14 06:59 PM | Like 3
- Omnitech (Dragon Slayer)
So if you are using insecure public internet services that don't bother to secure their content, then BlackBerry is not going to magically fix that, nor is anyone else's platform. (Nor is BES.)
However there are various other potential points of security vulnerability in a digital communications device other than "communicating with insecure services", and those things certainly can be mitigated by better security architecture and practices on the endpoint.
It can be safely assumed that people who are asking about BlackBerry's platform security are going to be at least moderately aware of how to avoid "insecure internet services".
As we know from Snowden's documents, shadowy 3-letter agencies will typically go after the "low hanging fruit" when it comes to breaking into someone's communications. And if that happens to be "garbage on-device security architecture", then that is where they will focus. They are not going to bother with some heroic attempt to decrypt SSL traffic when all they need to do is send you a little piece of Android malware and their job is done.
05-24-14 07:20 PM | Like 4
- To add further to the above post,
5 Ways Snapchat Violated Your Privacy, Security
Snapchat settles FTC allegations that the company lied to consumers about the application's security and privacy
1) Recipients may have saved your images
- Despite the app's promises, your images did not necessarily disappear forever.
- A number of developers built applications that users could download to save picture and video messages without your knowledge.
- Recipients of your Snapchat messages could also use their devices' screenshot capabilities to capture an image of a snap while it appeared on their screens, the FTC said. Snapchat claimed that if this happened, it would notify you immediately -- but that wasn't true.
2) Recipients may have saved your videos
- Until October 2013, recipients could connect their mobile devices to a computer and use file browsing tools to locate and save video files you sent them, the FTC said.
- This was possible because Snapchat stored video files in a location outside of the app's "sandbox," or the app's private storage area on the device, that other apps couldn't access.
3) Snapchat may have transmitted your location
- Snapchat's privacy policy says it does not ask for, track, or access any location-specific information from your device at any time; those claims are false, the FTC said.
- In fact, the company did transmit WiFi-based and cell-based location information from Android users' mobile devices to its analytics tracking service provider.
4) Snapchat may have collected contact information from your address book
- Snapchat's privacy policy claimed that the app collected only your email, phone number, and Facebook ID to find friends for you to connect with.
- However, if you're an iOS user and entered your phone number to find friends, Snapchat collected the names and phone numbers of all the contacts in your mobile device address books without your notice or consent.
5) The "Find Friends" feature was not secure
- Because Snapchat did not verify users' phone numbers during registration, some consumers complained that they sent images or videos to someone under the false impression that they were communicating with a friend.
- In reality, these messages were sent to strangers who had registered with phone numbers that did not belong to them.
- This resulted in a security breach permitting attackers to compile a database of 4.6 million Snapchat usernames and phone numbers, which could lead to spam, phishing, and other unsolicited communications, the FTC said.
Source
The FTC has stepped in and issued this as part of their statement: "If a company markets privacy and security as key selling points in pitching its services to consumers, it is critical that it keep those promises," said FTC chairwoman Edith Ramirez in a statement. "Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action." Source
As a result, Snapchat gets 20 years scrutiny over FTC privacy and security charges. Source
WOW.
The Big Picture and Vorkosigan like this.
05-24-14 07:42 PM | Like 2
- wow seems ive really sparked a debate LOL, so BES it is, i will be getting this on my blackberry 10, ive got a note 3 also and knox is, welllll? eh? lol, with google and android, the NSA i really feel they are trying to track everything, i am a fan of blackberry for work purposes just the app store is where it lacks, anyway, getting off track, I will certainly look into BES, thanks guys
Omnitech likes this.
05-25-14 02:01 PM | Like 1
- wow seems ive really sparked a debate LOL, so BES it is, i will be getting this on my blackberry 10, ive got a note 3 also and knox is, welllll? eh? lol, with google and android, the NSA i really feel they are trying to track everything, i am a fan of blackberry for work purposes just the app store is where it lacks, anyway, getting off track, I will certainly look into BES, thanks guys
Congrats.
Posted via Astro on Z30STA100-2/10.2.1.2947
Blue Hef likes this.
05-26-14 05:40 AM | Like 1
- So if I don't connect my Q10 to any public wifi, and only use my phone's data plan to do online banking, how secure is that on a personal non-BES account? And if I connect my Windows tablet to the Internet through my phone's mobile hotspot, how secure is that - for the tablet AND the phone?
Posted via CB10
05-26-14 08:31 AM | Like 0
- Make no mistake: the majority of the "security" on any BB phone, whether BBOS or BB10, comes from that phone being on BES. That's where you get secure emails and BBM, and perhaps secure file access to corporate servers.
Without BES, you're not significantly more secure than any other phone. You're still using ActiveSync for Gmail just like every other device, for example, and BBM is "scrambled" (but not considered securely encrypted) when sending to other BB devices, and in the clear when sent to Android or iOS devices.
Even with BES, texting (SMS/MMS) and phone calls are totally unsecure, as there is no universal protocol to secure those services.
Posted via CB10
05-26-14 08:47 AM | Like 0
-
all I need is secure emails and conversations, a way to share important files, pdfs etc and it seems that this is the only way, but on this new thread http://forums.crackberry.com/general...stions-934063/ i have had it explained to me that I can do it for free but with the purchasing of two licences as I only need it for communications between myself and my business partner, ive signed up for the cloud service but having huge issues it says there's a server error i need to contact blackberry tech support, then they said its a $249 charge to speak to them directly or i contact Microsoft on a premium number and they speak to blackberry for me lol
hopefully things work out in my new venture
all the best.
Jai
05-26-14 09:03 AM | Like 0
- I missed the bolded part earlier, which you are ALSO wrong on.
Not only could this have been deduced from various company statements on security, various official documents exist which make it plain that BBM cross-platform is TLS-encrypted, ie this one, quoting:
BBM Security note
TLS in BBM
BlackBerry 10, iOS, and Android devices send all data to each other through the BlackBerry Infrastructure over a TLS connection. In certain scenarios, BlackBerry 7.1 and earlier devices also send data this way. TLS is a common web standard used across all major desktop and mobile web browsers for secure online banking and shopping. A TLS connection between a device and the BlackBerry Infrastructure is designed to protect BBM messages from eavesdropping or manipulation by an attacker.
Re: "scrambling", the only instance where data security in BBM relies only on the old "scrambling" technique is for legacy BBOS devices when one of the links is not traversing the public internet. Otherwise, BBM on BB10 devices is MORE secure than it was on BBOS devices because all communications AT MINIMUM travel via TLS encrypted tunnels, and typically use TLS COMBINED with traditional BBM "scrambling".
So how is the competition doing? A few data points:
WhatsApp
- Sent all traffic unencrypted until 2012-08 [1]
- When they added encryption in 2012-08, they did it poorly, leaving mobile numbers vulnerable and worse, using easily-guessed encryption keys [1]
- Serious flaws in WhatsApp encryption persisted up until at least 2013-10 [2]
- WhatsApp chat logs are readable by any other app on the device [3]
- In fact, Dutch and Canadian authorities concluded in 2013 that WhatsApp violated their countries' privacy laws by insecurely storing non-user contact details [4]
- Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love” [5]
Apple iMessage
Among other things, does not implement (as BBM does) "certificate pinning" - allowing attackers to spoof legitimate iMessage servers. (source)
Viber
Sends shared files and location data unencrypted, stores data on Amazon cloud servers unencrypted and accessible to anyone (source 1, source 2)
LINE Messenger
Messages and data are sent completely unencrypted over carrier networks (source)
WeChat
Plagued by a variety of technical security vulnerabilities, in addition to being subject to widespread surveillance by Chinese authorities (source)
06-15-14 03:43 AM | Like 0
-
Posted via my Nexus 10.
06-15-14 07:16 PM | Like 0
- I'm glad that somebody else has pointed out that BB10 BBM is TLS end-end encrypted with the global DES key used over the top of this encryption. BBM is very secure due to its strict implementation of SSL and certificate pinning; more secure than BBOS BBM ever was.
There is an interesting and in-depth security report on the Android BBM implementation of SSL, which would use only TLS end-end encryption. It was found to have no weaknesses and the encryption remained high. I'll try to find it.
To answer more of the OP's question. Not on BES email is as secure as Android/iOS/anything else which can use SSL. SMS/phone calls are as secure as other phones (ie technology to make/receive/send is globally the same in phones). The cryptographic kernel in BlackBerry 10 seems very strong (without BES), ie your data on the physical phone is secure. This cannot be contested otherwise.
06-16-14 12:24 PM | Like 0
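Certificate pinning comes up in several posts in this thread. The following is an added example, not BBM's implementation and not code from any poster: a pin check layered on top of normal CA validation, showing that a pin on the public key (SPKI) survives certificate renewal while a pin on the whole certificate does not. All helper names are hypothetical and the sample certificates are constructed, unsigned, certificate-shaped DER.

```python
import base64, hashlib, hmac, socket, ssl

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_of(cert_der):
    """Slice the SubjectPublicKeyInfo element out of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)    # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)  # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                      # optional explicit [0] version
        pos = end
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]

def pin(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def is_pinned(cert_der, pins, spki=True):
    """True if the certificate (or only its public key) matches a stored pin."""
    got = pin(spki_of(cert_der) if spki else cert_der)
    return any(hmac.compare_digest(got, p) for p in pins)

def leaf_der(host, port=443):
    """Live use: fetch the leaf certificate after normal CA and hostname checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# --- constructed sample data below: cert-shaped DER, not real signed certificates ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def sample_cert(serial, not_after, key):
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
               + tlv(0x03, b"\x00" + key))
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, not_after))
    name = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 65))

KEY_A, KEY_B = b"\x04" + b"\x11" * 64, b"\x04" + b"\x22" * 64
ORIGINAL = sample_cert(1, b"150101000000Z", KEY_A)
RENEWED = sample_cert(2, b"160101000000Z", KEY_A)     # same key, new serial and expiry
OTHER_KEY = sample_cert(3, b"160101000000Z", KEY_B)   # same names, different key

if __name__ == "__main__":
    spki_pins, cert_pins = [pin(spki_of(ORIGINAL))], [pin(ORIGINAL)]
    for label, cert in (("renewed", RENEWED), ("other key", OTHER_KEY)):
        print(label, is_pinned(cert, spki_pins), is_pinned(cert, cert_pins, spki=False))
```

In a client, the pin check runs on the bytes returned by `leaf_der` before any application data is sent, and the pin list normally carries a backup key so a planned key rotation does not lock clients out.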