With the increased prevalence of smartphones and tablets becoming a common part of how we share information with our family, friends and co-workers, there is a growing potential for increased risks related to data security and privacy. This isn’t the first time we’ve watched the computing threat landscape evolve. Over the last decade, as more users leveraged the power of personal computers, attackers began focusing on ways to steal users’ data and take control of their computers. Their methods included using vulnerabilities in the software and creating malicious software, known as malware, which is designed to trick a user into installing these programs in order for the attacker to gain control of a user’s system. Now, as we move toward a mobile computing society, we’re seeing that same trend happening across the mobile industry.

One of the significant security concerns facing the mobile industry is how to address the skyrocketing amount of malware on mobile devices. This concern is especially challenging because instead of attackers trying to trick computer users to install malware, attackers have shifted their focus and tactics by offering what appear to be safe apps. They are placing their malicious apps within smartphone app stores and bypassing protections that these app store vendors may have in place to help prevent malware. While most smartphone users have heard of malware, and know about its potential to harm their devices, they don’t expect that any app downloaded from their smartphone’s app store is malicious. As a result, smartphone users may not be as careful or discerning when deciding which third-party apps to download, and these choices can lead to users being vulnerable to potential security and privacy implications associated with these apps.

Every smartphone and tablet vendor uses a different strategy for protecting customers from both malware and privacy concerns, and customers do not typically have insight into how they may or may not be protected from these issues. At BlackBerry, we’re committed to protecting customers and their data, and also to providing greater transparency into the unique level of protection we offer customers.

We recognize that customers want and need access to apps that do not infringe on their privacy or impact their security. With such a significant challenge facing the mobile industry, we determined adding additional layers of protection are crucial to helping protect BlackBerry customers. As part of our comprehensive approach, we are incorporating Trend Micro’s industry-leading anti-malware technology with our current internal, proprietary system for analyzing apps. Through this collaboration, we will use Trend Micro’s suite of app scanning technology to help enhance BlackBerry’s anti-malware capabilities, including industry-leading app analyzing techniques and built-in permission settings on BlackBerry devices. By vetting apps against Trend Micro’s extensive library of known malicious software, we will help ensure both current and new apps submitted to the BlackBerry World storefront are scanned for potential malicious behavior.

When an app is flagged as suspicious during our continuous vetting process, BlackBerry investigates it thoroughly to determine if the app is malicious. If it is not malicious, we examine it for privacy implications by determining if it clearly and adequately informs customers about its behaviors. If and when an application is found that either contains malicious code or may infringe on customers’ privacy, we inform the developer about the issue, remove the app from BlackBerry World and release a corresponding malware or privacy notice to customers. These notices help provide greater transparency to our customers about what actions we are taking to help safeguard their privacy and protect their data as well as offer guidance to customers on what actions they should consider regarding those specific apps.

While there are several approaches to protecting mobile customers from emerging security and privacy concerns, as an industry overall, we need to do a better job of ensuring that customers have the opportunity to make informed decisions about exactly what they are downloading and purchasing on their mobile devices. It is important to remember that attackers are not just focusing on one type of smartphone, and they are continuously refining their methods and abilities with each attempt as well as sharing techniques.

Given that both malware and privacy concerns span across the breadth of the mobile industry, it’s not practical to believe that any one company can thoroughly address these issues on their own. By working with an industry leader, such as Trend Micro, we’re establishing a unique level of protection for BlackBerry customers, and we believe the rest of the industry should also consider working collaboratively in order to address the significant increase in mobile malware and privacy implications associated with third-party apps.

Malware can gain access to a mobile device through several methods. One type of potential malware exposure can occur when someone connects a mobile device to an infected desktop computer via USB, but most desktop anti-virus software will help prevent this type of attack. A more common method of attack is to trick customers into installing malware through hoax messages that lead users to click a link to a malicious website. The malicious website prompts them to install what seems like a harmless application, but instead downloads malicious software onto their computer or mobile device.

How to protect your BlackBerry smartphone from malware

In order to help protect yourself from these types of security concerns, you should avoid downloading and installing applications from untrusted sources. This simple precaution helps mitigate the risk of malware being installed on your device because you don’t permit it to.

To further help protect customers, BlackBerry smartphones are designed to require user interaction and decision making to prevent malware from silently gaining access to devices. For example, when an application attempts to install itself on a BlackBerry smartphone, the device always asks the user if they want to download the application. In addition, if the user or a BlackBerry Enterprise Server administrator has configured the BlackBerry smartphone to require a device password when installing an application, the user will be prompted for their device password, before downloading and installing the application.

BlackBerry smartphones also give users the option to configure third-party application permissions across all applications or on an app by app basis, thereby preventing third-party applications that have been downloaded from gaining unwarranted access to data resources and making specific connections.

BlackBerry smartphone users can also remove an application from the device by simply deleting it. The instructions for deleting an application can be found in the BlackBerry knowledge base.

How administrators can protect their organization

Organizations can use the application control features that are available as part of the BlackBerry Enterprise Server (BES) to help protect BlackBerry smartphones and their network from malware. Using IT policy rules and application control policy rules, the BlackBerry Enterprise Server administrator has the ability to:

• Prevent BlackBerry smartphones from downloading any third-party applications
• Either require or prevent the installation of specific third-party applications
• Control the permissions of third-party applications that are installed on BlackBerry smartphones

These options give administrators control over which applications can be installed on BlackBerry smartphones in their organizations and what information and capabilities those applications can access. These RIM recommended settings are described in the public security whitepaper Protecting BlackBerry Smartphones against Malware.

From the battlefield to the boardroom, our customers have come to rely upon the unique level of protection RIM offers through its layered approach to security, and as malware continues to present challenges for our customers, we will continue to provide actionable security solutions.

For more information on BlackBerry security, visit www.blackberry.com/security, and if you have a security issue you would like to discuss with us, please email us at secure@rim.com.

In July, we continued to show our support for the security research community by sponsoring the annual Black Hat conference in Las Vegas. We support dozens of conferences every year, but Black Hat is one of the largest gatherings of the research community in the world. This year, there was definitely an increased focus on mobile security and a lot of great presentations highlighting the need for the industry to continuously improve our understanding and monitoring of the threat landscape.

As the mobile threat landscape continues to evolve, it is imperative that we remain committed to advancing research and technology that will help bolster the security of not only our customers, but also the entire industry.

To further demonstrate our support for mobile security research and our passion for helping to fortify the industry, RIM® is sponsoring the Mobile Pwn2Own competition at EUSecWest in Amsterdam on September 19th and 20th. Due to the prizes available (including BlackBerry® PlayBook™ tablets), we expect to see some cutting edge research as contestants focus on finding weaknesses in mobile web browsers, Near Field Communication (NFC), Short Message Service (SMS), and cellular baseband.

We are looking forward to the contest because it offers a safe environment for direct collaboration, and the details of the research are only discussed with the affected vendors. This means that customers are not put at risk while vendors work with researchers to address any issues that are uncovered. Sponsoring this contest is another logical step toward BBSIRT advancing the technologies that continue to help us deliver the unique level of security that our customers depend upon.

In addition to our collaboration with the security community, we are also focused on how RIM can help influence and support security throughout IT infrastructures. As a result, we are pleased to announce that we became a member of the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI fosters an open dialogue between industry leaders in information technology (IT) to address multi-product security challenges and to better protect the IT infrastructures that support the world’s enterprises, governments and citizens.

Our industry is no longer facing threats that are isolated to a single platform or technology. The focus areas for Mobile Pwn2Own highlight that the vulnerabilities discovered will likely cross platforms, and therefore, these emerging threats emphasize the need for associations like ICASI to help bridge the gap for the common good of everyone on the Internet.

As September approaches, we are eagerly awaiting the kickoff of the Mobile Pwn2Own competition. In the meantime, our collaboration efforts are ongoing. If you have security research you would like to discuss with us, we would love to hear from you at secure@rim.com.

Compounding these challenges is the fact that many don’t realize that their smartphone is susceptible to the same kinds of attacks that target desktop computers. As a result, mobile vendors must be able to adapt and develop a tailored approach to ensuring security in a way that’s seamless to customers. But RIM also goes beyond that. Maintaining a leadership position in mobile security certainly requires deep integration of security at the product development stage, but it also requires listening to the needs of customers, and working collaboratively across the industry. At RIM, these are some of the core tenets that have led to the unique level of security the BlackBerry® solution delivers and that our customers depend upon.

As the director of the BlackBerry® Security Incident Response Team (BBSIRT), I am responsible to help ensure that RIM can respond to emerging threats. It is our mission to identify and address security risks to our customers, and as part of that mission, we work to build collaborative relationships across the industry.

One segment that is extremely important to us is the independent security researcher community. This community includes some of the brightest minds conducting new and exciting research on the frontier of technology. We are committed to further developing our relationships with security researchers, and we’re excited to have some of the industry’s elite researchers visiting our Waterloo campus for the first BlackBerry Security Summit to discuss their research with our product engineers, exchange ideas and have open discussions.

Why is this collaboration valuable? When leading security researchers get together with the leader in mobile security, it is customers that will benefit from the results. We’ve built a solid security development lifecycle (SDL) into the BlackBerry platform, and security is at our core. However, helping to protect customers against shifting threats requires layers of defense, which includes working with others to identify and plan for new, emerging issues.

As already experienced in the traditional computing space, products released today with the latest security advancements may be effective against current threats and even against some we know are coming. However, shifting user behaviors and rapidly emerging technologies often breed new unforeseen attack scenarios. This can occur even if the vendor works through solid security engineering practices developed by the best developers and security engineers. A great example of this was the early generation of web browsers that primarily focused on the safe transfer and encryption of information over the Internet. Over time, they faced new and emerging threats from script injection and compromised certificate infrastructures. Independent security researchers are at the forefront of discovering new ways to use the convergence of new technologies along with user expectations and behaviors, to uncover those unforeseen security issues. In many cases, this happens before criminals and those with malicious intent can use them against unsuspecting users.

Collaboration with the research community is not new for RIM. In the last year alone, BBISRT participated in over 50 security conferences around the world. These events provide us the opportunity to foster relationships with members of the security community and also to support the research that comes out of it. While RIM invests heavily in internal security engineering, we also support and recognize that independent security research is crucial for the industry and our customers. In addition, we regularly collaborate with researchers who cooperatively disclose vulnerabilities they find to us in order to address them as quickly as possible.

Given how important our relationships are with the security community, we want to go beyond sponsoring and attending conferences to further develop our relationships with researchers and protect customers. The BlackBerry Security Summit offers an effective way to exchange information and ideas between our own talented engineers and external security researchers. We plan to share and listen on several important topics including the future of mobile malware, baseband security and advanced “fuzzing” techniques. These are all topics we are eager to collaborate on with the security community, as well as putting focus on areas where RIM continues to make investments as a leader in mobile security.
Ultimately, security researchers and RIM have the same goal: protect mobile customers from threats. Working collaboratively on the remediation of newly discovered vulnerabilities in a coordinated fashion, along with having an open dialogue and exchange of innovative attack and defensive techniques, is the most effective way to reach our common goal.

These types of summits are a common occurrence for technology companies that place a high priority on security, and hosting the BlackBerry Security Summit is another step in our ongoing collaboration with the security researcher community. Together, RIM and security researchers are working to address the mobile security challenges of today, and to protect customers against the mobile threats of tomorrow.

I’m Adrian Stone, and I am the Director of the BlackBerry Security Incident Response Team (BBSIRT) here at Research In Motion. The BBSIRT is responsible for responding to potential security issues and investigating vulnerability claims that may impact RIM’s products. Security is a priority for our customers, and that’s why I’ll be contributing regularly to this blog. For my first post, I want to provide some insight into how we investigate and respond to jailbreak-related reports.

“Jailbreaking”, or gaining root access to a device, has become common place in both the mobile and gaming industries. Essentially, gaining this deeper level of access to the core functions of the device allows the user to do things not originally intended by a manufacturer, such as install software outside of “official” channels. Unfortunately, gaining this level of root access may increase the security risk. For this reason, most device manufacturers, including RIM, strongly discourage jailbreaking while understanding that whole communities exist for just that purpose. At RIM, we take these issues very seriously. Let’s walk through how we assess and respond to jailbreaking reports.

From a user perspective, there are two primary ways to jailbreak a device. First, there is the method where the user voluntarily makes changes that require: a) the device to be tethered to a computer; b) access to an authorized user account on the device; and c) may even require the user to make changes to the device’s default settings by putting it into developer mode (which can also compromise security). This method cannot be used by remote attackers to compromise user data or the integrity of the device as it requires both possession of the device and valid user credentials for the device. The second method involves less interaction on the user’s part. For example, a software bug may be exploited from a web page to gain root access to any mobile device and not require any interaction from the user except visiting the page.

On hearing reports of a jailbreak for a BlackBerry® product, the BBSIRT will quickly triage the underlying issue and method used to perform the jailbreak. If it falls into the first category, where extensive user interaction is required, we will seek to address it in a future software update. If it falls into the second category (where a vulnerability is exposed with little to no user interaction), that is an indication of a more serious underlying issue and will most likely result in the release of a security update to address it as soon as possible. When this happens, my team publishes a security advisory or notice. These notifications typically offer an assessment of the issue and the required steps customers should take to resolve the vulnerability.

To be clear, RIM recommends against installing any jailbreaking tool. Customers who use a jailbreaking tool on BlackBerry products void the manufacturer warranty and also increase the long-term risk of negatively impacting the stability and user experience of their BlackBerry products. Use of a jailbreaking tool could also amplify the impact and severity of a future security issue, making your personal data more vulnerable to theft and more difficult to protect. If new jailbreaks for BlackBerry products are reported, rest assured that we will evaluate them and take appropriate action to help protect customers.

But the best actions you can take to protect your BlackBerry products are also pretty simple to follow: 1) keep your BlackBerry software up to date; 2) don’t install jailbreaking tools; and 3) don’t install software from unauthorized or unverified sources.

I look forward to your questions and feedback, so please submit a comment below. The BBSIRT and I promise to read each one and comment back where possible.