Introduction to Platform

devices are more consumer friendly than their predecessors and have
consumer features, including GPS, camera, full web browser, and media
player. RIM released its first touch-screen device, the BlackBerry
Storm, in 2008. BlackBerry OS versions more recent than 4.6 include a
most Internet sites, including those that use AJAX technologies.
Versions of the browser prior to 4.2 are incomplete and do not support
advanced web functionality.
third-party application development and provides fairly complete
documentation and developer support via forums. The BlackBerry OS is
primarily Java and supports J2ME Mobile Information Device Profile
(MIDP) 1.0, a subset of MIDP 2.0, Wireless Application Protocol (WAP)
1.2, and Connected Limited Device Configuration (CLDC) profiles
natively. A RIM proprietary Java API for using device-specific features
is required to take complete advantage of the BlackBerry platform.
Applications are able to use RIM, MIDP, and CLDC APIs all at once, but
RIM’s UI classes can only be used within CLDC applications because their
GUI threading model conflicts with MIDP applications. For that reason,
most BlackBerry-specific Java applications are CLDC based and use RIM’s
proprietary APIs. RIM calls these applications “RIMlets” (http://developers.sun.com/mobility/midp/articles/blackberrydev/).
Developers may also write applications using alternate development
technologies, including a data-driven web service model targeting the
Mobile Data System (MDS) runtime.
Most mobile devices “poll”
the server on an intermittent basis to check for new messages; the
BlackBerry uses a “push” technology, where the server initiates the
communication immediately after a message arrives. Proprietary RIM
server software monitors users’ e-mail accounts and initiates the push.
Policy, applications, and other messages can also be sent using this
mechanism. To save on bandwidth, the server compresses messages before
sending them to the device. The “push” architecture prolongs battery
life and decreases message delivery latency because the device does not
burn the battery by pinging the server to ask for new messages.
Each BlackBerry device has a globally unique personal identification number
(PIN) that identifies the device for both messaging and management.
Unlike a bank account’s PIN, the BlackBerry PIN is public. Users employ
PINs to find each other over BlackBerry Messenger, and administrators
can use PINs to identify the devices they are managing.

BlackBerry Enterprise Server (BES)

Most organizations with
BlackBerry-equipped employees will install BlackBerry Enterprise Server
(BES). BES integrates with corporate e-mail servers (including Exchange,
Lotus Notes, and Novell Groupware), monitors users’ accounts, and
pushes out e-mail and attachments once they arrive. Administrators can
also use BES to control devices and deploy applications, author device
policy, and force a remote device wipe. The high level of control
afforded by BES pleases control-happy administrators and makes
BlackBerry the current leader in enterprise manageability of devices.
Once a device is associated with a
BES instance, an encrypted tunnel is created between the device and its
BES. All traffic flows over this tunnel, with the BES acting as a
bridge between the carrier’s mobile network, the Internet, and the
company’s intranet. The Mobile Data System (MDS) component of BES is
responsible for actually performing the internal routing and bridging.
BlackBerry security research has focused on the BES/device relationship
because BES provides a bridge between the trifecta of the Internet,
intranet, and carrier networks. This article takes a different approach
and covers the on-device security itself, especially as it relates to
applications. For an in-depth security analysis of BES, refer to RIM’s
documentation, FX’s BlackHat presentation (http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-fx.pdf), and Praetorian Global’s Defcon presentation (http://www.praetoriang.net/presentations/blackjack.html).

BlackBerry Internet Service (BIS)

For consumers and
small businesses without BES, RIM operates the BlackBerry Internet
Service (BIS). Every BlackBerry purchased with a data plan can associate
with BIS and access the Internet and personal POP3/IMAP e-mail
accounts. BIS is branded per-carrier but the service is actually run by
RIM and includes MDS and the BlackBerry Attachment Service (BAS). Unlike
an enterprise BES, BIS does not push out policy and leaves it up to
users to control and manage their devices.

Device and OS Architecture

RIM tightly controls information about BlackBerry internals, making few
details publicly available. At the time of this writing, version 4.7
is the most current version of the BlackBerry OS, and BlackBerry OS 5.0
has been announced. Despite the large swings in version numbers, the
core architecture has not changed dramatically.
Original BlackBerry pager
devices used Intel 80386 processors, and RIM provided a low-level C API
to developers. Preventing security coding errors and controlling
application behavior are really difficult when writing code in unchecked
native languages. So when the 5810 was introduced, the 80386 processor
and C API were abandoned in favor of ARM 7 or 9 processors and a JME
runtime environment. To increase speed, RIM created a custom Java
Virtual Machine (JVM) that supports the standard JME instruction set and
several RIM JVM-specific instructions. A complete list of these opcodes
is available from Dr. Bolsen’s GeoCities website at www.geocities.com/drbolsen/opcodes.txt.
Only the device and JVM are still written in C/C++ and assembly. All
other applications, such as messaging and the browser, are written using
The BlackBerry OS is a modern
OS with features such as multitasking, interprocess communication (IPC),
and threads. All OS and device features are accessed using RIM and J2ME
APIs. Security is enforced using a combination of signatures, Java
verification, and class restrictions. The JVM does not support Java
native invocation (JNI) or reflection, which should prevent attackers
from controlling the device in ways that RIM did not intend.
The security system is
intended to control access to data and does not prevent applications
from consuming an unfair share of memory or CPU time. The OS does not
enforce limitations on the number of objects an application can create,
and developers are responsible for minimizing the amount of memory and
system resources that they use. When the JVM is no longer able to
allocate storage space for objects, Java garbage collection runs to
remove unused objects from memory. At some point, memory will simply be
exhausted, resulting in a JVM OutOfMemoryError.
Each Java object has an object
handle that is used as a JVM global identifier for that object. If the
application chooses to persist the object, the JVM creates a persistent object handle.
The maximum number of possible handles is dictated by the size of the
device’s memory. On a device with 32MB of memory, it is possible to have
65,000 persistent object handles and 132,000 object handles. The number
of possible object handles is always greater than the number of
possible persistent object handles because there is always more SRAM
than flash memory. With a system-wide cap on the number of objects,
developers must be conscious of how many
objects they create or risk negatively impacting other applications.
The number of implementation handles is BlackBerry OS version specific
and can only be found by consulting the documentation.
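
An added example (not from the original text and not RIM's code): one way an application can stay within the shared handle limits described above is to pack many small records into a single byte array, which is one Java object and therefore needs one handle. The class name, record layout, and sample data are assumptions made for illustration; only standard java.io classes are used.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

// Added example: keeps many small records in one byte[] instead of one
// object graph per record, so the whole store is a single Java object.
public class PackedContacts {
    // The text's figure for a 32MB device; the cap is shared by all applications.
    static final int PERSISTENT_HANDLE_CAP = 65000;

    // Handles needed when every record is a String[] of `fields` Strings:
    // one for the array plus one per String (JVM-internal objects ignored).
    static long handlesAsObjects(int records, int fields) {
        return (long) records * (1 + fields);
    }

    // Layout (assumed): int record count, then per record a short field
    // count followed by that many UTF-encoded fields.
    static byte[] pack(String[][] records) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(records.length);
        for (int i = 0; i < records.length; i++) {
            out.writeShort(records[i].length);
            for (int j = 0; j < records[i].length; j++) out.writeUTF(records[i][j]);
        }
        out.flush();
        return buf.toByteArray();
    }

    // Decode one record on demand; earlier records are read and discarded,
    // so only the requested record stays reachable afterwards.
    static String[] read(byte[] packed, int index) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(packed));
        int count = in.readInt();
        if (index < 0 || index >= count) throw new IOException("no such record");
        for (int i = 0; i < index; i++) {
            int n = in.readShort();
            for (int j = 0; j < n; j++) in.readUTF();
        }
        String[] rec = new String[in.readShort()];
        for (int j = 0; j < rec.length; j++) rec[j] = in.readUTF();
        return rec;
    }

    public static void main(String[] args) throws IOException {
        String[][] sample = { {"Alice", "555-0100"}, {"Bob", "555-0101"} }; // constructed data
        byte[] packed = pack(sample);
        System.out.println(read(packed, 1)[0] + " read from " + packed.length + " packed bytes");
        System.out.println("20000 records x 3 fields as objects need "
            + handlesAsObjects(20000, 3) + " handles; cap is " + PERSISTENT_HANDLE_CAP);
    }
}
```

The trade-off is lookup cost: reading record N walks the records before it, so this layout suits small stores or sequential access.
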
Each BlackBerry has two
different types of memory: flash and SRAM. Flash memory is nonvolatile
and persists even when the device’s power runs out. The BlackBerry OS,
applications, and long-lived data such as e-mail are stored within flash
memory. Compared to volatile SRAM, flash memory chips are
expensive, so each device has a limited amount. Newer devices have 64MB
of flash. SRAM is used for storing runtime object data and holds
information only as long as the device has power. Some BlackBerry
devices have slots for external flash memory cards, which are used for
storing larger objects such as documents and media files.