I've heard that it's possible to run Android apps on BlackBerry 10 devices. I associate tight security standards with BlackBerry; not so much with Android devices. Do Android apps present a potential BB10 security issue?
The BlackBerry 10 (BB10) runs on a new platform based on touch technology. It has received FIPS 140-2 security certification, allowing it to be used by government agencies. That said, you are correct; users can run Android apps on BB10 devices through an emulator. The BlackBerry Runtime runs Android 2.3.3 platform applications on the BlackBerry Tablet OS and BB10. The Android runtime will be updated in the coming months to Android 4.1, which will fix many of the current performance and compatibility issues.
BlackBerry implemented several controls to ensure that Android apps do not present a security threat to data held on its devices, as security is the company's main differentiator in the corporate market. For example, all Android apps will run in a sandbox. In order to cause damage, a malicious app must avoid detection during app-store review and be able to leave the sandbox. Sandboxes have been defeated before (take the Java sandbox, for example), so this is an area to watch carefully.
For an Android app to use the runtime, developers must first repackage and port the Android application into the BAR file format, which an application must use to work on BB10. BlackBerry provides various tools, such as the BlackBerry Packager for Android apps, to make this process reasonably straightforward. In order for any app to be distributed through the BlackBerry World storefront, though, it has to be digitally signed. This requires a developer to request a code-signing key from BlackBerry and submit the app for approval. BlackBerry is incorporating Trend Micro's Mobile Applications Reputation Service into its own system for analyzing applications, and all applications on the BlackBerry World application store are scanned for potentially malicious behavior. There is also a certification called Built for BlackBerry, which consists of a set of additional tests covering the user interface, user experience, security and optimization.
To further protect sensitive data, BB10's Balance security feature separates work and personal environments, and ensures that work-related information can be wiped remotely if necessary. Administrators can prevent company data from being accessed by a user's personal apps, which connect directly to the Internet, unlike work apps, which connect through the corporate network. However, organizations have to purchase BB Enterprise Service 10, or BES 10, to use Balance. (For those enterprises that have a bring-your-own-device policy, Secure Work Space for iOS and Android will be of interest. This expands BlackBerry Balance to other mobile devices, letting those without a BlackBerry check data such as corporate calendars, contacts and email without requiring a VPN to access data and applications that reside behind corporate firewalls.)
Finally, sideloading applications onto a BlackBerry (that is, installing a mobile application onto a device via a method not approved by the device's OEM) should be banned in an organization's acceptable-use policy. Malware does exist that targets BlackBerry devices, and if this new version proves popular, BB10 could attract more interest from malicious hackers.
This was first published in June 2013