Enterprise Mobile Device Application Security on BlackBerry Devices

By Rich Campagna, Subbu Iyer, and Ashwin Krishnan from Mobile Device Security For Dummies

As an enterprise administrator, you can control what applications can be deployed on your employees’ BlackBerry devices. The BlackBerry Enterprise Server (BES) is a leading Mobile Device Management solution for BlackBerry devices that allows the configuration and enforcement of several application security policies for corporate use. Using BES policies, you can specify whether a user can install third-party apps, or determine the device privileges of that third-party apps.

Third-party apps can, in general, access two types of data on a BlackBerry device:

User data, such as e-mail, calendar, and contacts
App data — persistent storage that shares data with other applications

You can control or restrict access to both types of data by using BES policies. If you develop your own apps for corporate-owned BlackBerry devices, you can enable appropriate permissions for your apps.

The BlackBerry also includes a personal firewall feature that restricts the types of connections maintained by an application. When an app tries to establish an internal connection to a corporate server, the device prompts the user to allow or deny that connection. As an administrator, you can choose to allow or deny such connections as a policy. This prevents suspicious apps from breaking into your corporate network and stealing information from internal servers.

Third-party apps can be written to use BlackBerry device APIs for sensitive packages, classes, or methods. Such apps need to be signed by Research in Motion (RIM) before they are allowed to use those APIs. The signing process ensures that the app is tested and verified for authenticity before being granted APIs to use sensitive information.