Mobile Application Security - BlackBerry Security - Permissions and User Controls (part 2)

2/9/2011 9:09:24 AM

Carrier and MIDLet Signatures

MIDLets are applications that use only MIDP2 and CLDC APIs and are not specifically targeted at BlackBerry devices. Signatures and permissions for these applications are handled following MIDP2 specifications, and signature verification is slightly different from the behavior of BlackBerry applications. Unsigned MIDP applications that use sensitive MIDP or CLDC APIs (for example, javax.microedition.pim.Contact) will be allowed to run, but the user will be presented with annoying prompts each time the application uses a sensitive API (see Figure 3). The user’s answer to the prompt is not remembered, and a malicious application could run in an infinite loop prompting the user all day. A conspiracy theorist might even suggest that RIM made its unsigned application behavior so obnoxious so that developers would sign their applications or not use controlled APIs.

Figure 3. Prompt shown when an MIDP application attempts to access contact information

Each device has a carrier certificate installed that is used when verifying the signature on MIDP applications. Most carriers will install a certificate chained to VeriSign, but this is not guaranteed, and some carriers have their own code-signing processes. Once an application is signed with a carrier certificate, the application is “trusted” and the BlackBerry will not prompt the user when the application is installed or uses sensitive APIs, unless the device policy specifically requires it.

Handling Permission Errors in MIDP Applications

As shown in the earlier section on debugging, the BlackBerry JVM performs permission checking for MIDP APIs at runtime. When a security error occurs, a java.lang.SecurityException is thrown by the offending API and the application has a chance to handle it. Developers can detect the security error and either disable the offending functionality or show more information to the user. For example, a Solitaire application could disable the high score upload feature if the user blocks network access (see Listing 1).

Listing 1. Manually Handling a SecurityException Using Try/Catch
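//Requires javax.microedition.pim.ContactList, PIM and PIMException.
try {
    //Opening a ContactList will cause a java.lang.SecurityException if the
    //user denies the "Access personal information" prompt.
    //(The access mode PIM.READ_ONLY is an assumption.)
    ContactList contactList = (ContactList) PIM.getInstance()
            .openPIMList(PIM.CONTACT_LIST, PIM.READ_ONLY);
} catch (PIMException e) {
    //Handle PIMException
} catch (SecurityException secE) {
    //Show dialog to the user or disable functionality
}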
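
The Solitaire scenario mentioned above, as an added example that is not code from the original text: a denied network permission turns the high score upload off for the rest of the session, so an unsigned MIDlet does not trigger the prompt again on every attempt. The class name HighScoreUploader, its methods and the scoreUrl parameter are hypothetical; the javax.microedition.io calls are the standard MIDP ones.

```java
import java.io.IOException;
import java.io.OutputStream;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;

// Added example: hypothetical helper, not part of the original listing.
public class HighScoreUploader {
    // Cleared once the user (or device policy) has denied network access.
    private boolean uploadEnabled = true;

    // The UI can use this to hide or grey out the upload menu item.
    public boolean isUploadEnabled() {
        return uploadEnabled;
    }

    // Returns true only if the server accepted the score.
    // scoreUrl is supplied by the caller; call this from a worker thread,
    // not the event thread, because the permission prompt blocks.
    public boolean upload(String scoreUrl, int score) {
        if (!uploadEnabled) {
            return false; // Already denied: do not provoke another prompt.
        }
        HttpConnection conn = null;
        OutputStream out = null;
        try {
            // Connector.open is the controlled API; it throws
            // SecurityException when network access is not permitted.
            conn = (HttpConnection) Connector.open(scoreUrl);
            conn.setRequestMethod(HttpConnection.POST);
            out = conn.openOutputStream();
            out.write(("score=" + score).getBytes());
            return conn.getResponseCode() == HttpConnection.HTTP_OK;
        } catch (SecurityException secE) {
            // Permission denied: disable the feature, keep the game running.
            uploadEnabled = false;
            return false;
        } catch (IOException ioE) {
            // Network failure, not a permission problem: leave it enabled.
            return false;
        } finally {
            try { if (out != null) out.close(); } catch (IOException ignored) { }
            try { if (conn != null) conn.close(); } catch (IOException ignored) { }
        }
    }
}
```

Keeping the SecurityException and IOException branches separate matters here: only a permission denial should disable the feature, while a transient network error should allow a later retry.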

Locking Devices

Users and BES administrators can require a password to be entered every time a user wants to unlock a device or connect it to a PC. By default, a password is not required to unlock the phone, and the password is never required to answer incoming phone calls. To keep attackers out, the user specifies the maximum number of times an invalid password can be entered. If this number is exceeded, then the device is fully wiped; all contacts, messages, and media files are first deleted and then the memory is explicitly overwritten to delete any traces that may remain in the flash memory. The user has to type in the word "blackberry" between every couple of invalid login attempts. This keeps one’s pockets (or children) from wiping the device by accident.

To specify a password, follow these steps:

  1. Open Options | Security Options | General Settings.

  2. Change the Password setting to Enabled.

  3. Exit the menu by pressing the Escape key.

  4. Select Save.

  5. Specify and confirm the password.

Once a password is specified, the user must supply the password when unlocking the device or changing any of the security options. Note that the password for the Password Keeper application is unrelated to the password specified in the General Settings dialog.

Managing Application Permissions

Users can control which permissions are allowed for which applications, and these permissions apply even to signed applications. Deep within the BlackBerry device’s options is an Application Permissions menu that lists each installed application and its associated permissions. Permissions can be changed on the device or pushed down by the enterprise administrator through BES. Because IT administrators rule all, BES policies have precedence over user-specified device policies. Here’s how to manually change permissions for an application:

  1. Open the Application Permissions menu (Options | Security Options | Application Permissions).

  2. Select the application you want to control permissions for.

  3. Click the BlackBerry key and choose Edit Permissions. The overall device permissions can be changed by opening this menu and selecting Edit Default Permissions. The default permissions will be applied when an explicit permission definition for an application does not exist.

  4. Choose the corresponding permission and set it to Enable/Disable/Prompt. If Prompt is chosen, you will be shown a prompt the first time the application uses a controlled API that requires the corresponding permission. The BlackBerry will remember your choice and not show the prompt again unless the permission policy is changed back to Prompt.

  5. If a permission is changed to be more restrictive, the device may reboot to ensure the new permission set is enforced.
