When we perform security testing of BlackBerry applications for our customers, we have to consider the device from 5 points of view:
- BES-managed BlackBerry application that pushes data over the carrier IP network
- BES-managed BlackBerry application that can use the WiFi radio in the device
- BIS BlackBerry where the end user gets to grant security permissions, data over the carrier IP network
- BIS BlackBerry where the application can use the carrier network
- BIS/BES BlackBerry that can do its authentication via the carrier's LDAP/RADIUS via a reverse IP look-up
All of these can dramatically change the scope and type of testing we do.
The application security rights management is, to use one word, awful! Most applications request rights to portions of the device they don't need, most request cross-application-communication rights they don't need, and quite a few want location data when they don't really need it. I can see why the enterprise IT manager is concerned about letting employee-managed BIS RIM devices into their environment. It's a mess, and it WILL lead to compromise of sensitive data if RIM doesn't do something to fix this. The user needs a better way to make informed judgement calls on application rights management, and RIM needs to audit and remove applications from App World that are requesting egregious permissions.
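To make the audit argued for above concrete, here is an added example (written for this post, not RIM's API or any App World tooling): a least-privilege check that compares what each application requests against what its stated purpose needs and ranks the over-permissioned ones, with requests for location, cross-application or PIM access outside the policy treated as the egregious cases. The permission names, the policy table and the sample application catalogue are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed permission names (not RIM's constants). Each of these grants
# access to sensitive data or to other applications, so any request for one
# must be justified by what the app is for.
SENSITIVE = frozenset({
    "LOCATION_DATA", "CROSS_APPLICATION_COMMUNICATION",
    "PHONE", "EMAIL", "PIM", "DEVICE_SETTINGS",
})

# Constructed least-privilege policy: the permissions an app of a given
# purpose legitimately needs. Anything beyond this is excess.
POLICY = {
    "weather": frozenset({"INTERNET", "LOCATION_DATA"}),
    "game":    frozenset({"INTERNET"}),
    "crm":     frozenset({"INTERNET", "WIFI", "PIM", "EMAIL"}),
    "utility": frozenset(),
}


@dataclass(frozen=True)
class App:
    name: str
    purpose: str
    requested: frozenset


@dataclass(frozen=True)
class Finding:
    app: str
    excess: frozenset     # requested but not needed for the stated purpose
    egregious: frozenset  # subset of excess that touches sensitive data or other apps

    @property
    def severity(self) -> str:
        return "high" if self.egregious else "medium"


def audit(apps, policy=POLICY):
    """Return one Finding per over-permissioned app, worst first.

    An app whose purpose is not in the policy gets an empty allowance, so every
    permission it requests is reported; that forces a manual review rather than
    silently passing an unknown application."""
    findings = []
    for app in apps:
        allowed = policy.get(app.purpose, frozenset())
        excess = frozenset(app.requested - allowed)
        if not excess:
            continue
        findings.append(Finding(app.name, excess, frozenset(excess & SENSITIVE)))
    # high severity first, then by how many sensitive permissions are abused
    findings.sort(key=lambda f: (f.severity != "high", -len(f.egregious), f.app))
    return findings


def report(findings):
    """Human-readable lines, one per finding, for the reviewer."""
    lines = []
    for f in findings:
        lines.append(f"[{f.severity.upper()}] {f.app}: excess={sorted(f.excess)}"
                     f" egregious={sorted(f.egregious)}")
    return lines


# Constructed sample catalogue; none of these are real App World listings.
SAMPLE_APPS = (
    App("SkyCast", "weather", frozenset({"INTERNET", "LOCATION_DATA"})),
    App("BrickBreak", "game", frozenset({"INTERNET", "LOCATION_DATA",
                                          "CROSS_APPLICATION_COMMUNICATION", "PHONE"})),
    App("SalesPad", "crm", frozenset({"INTERNET", "WIFI", "PIM", "EMAIL", "DEVICE_SETTINGS"})),
    App("Notepad", "utility", frozenset({"INTERNET"})),
)

if __name__ == "__main__":
    for line in report(audit(SAMPLE_APPS)):
        print(line)
```

Run as a script it prints the three over-permissioned apps (the weather app passes because location data is in its allowance); the same `audit` function can be fed a real inventory exported from a BES or from a device review once the purpose-to-permission policy is agreed with the business owner.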
More about this here:
From Blackberry’s blog: IT Managers: Embracing Personal Employee Smartphones in the Enterprise
and
Blackberrycool: RIM Hosting Sessions for IT Managers Looking to Embrace Employee Liable Smartphones
So the real problem is all the unmanaged applications. More about that later in Part 2.
RIM Security: Application Rights, what a mess – Part 2