RIM's upcoming BlackBerry 10 operating system is intended to be as secure, if not more so, than the OS running on RIM's current crop of BlackBerry devices. Mobile security could become a major selling point for the new platform, for enterprises, carriers, and users alike.
Essentially, RIM is blending security elements from its BlackBerry heritage with the security architecture of the new OS, which is based on the QNX Neutrino real-time operating system, acquired when RIM bought QNX Software Systems in 2010. While RIM has not revealed BlackBerry 10 security in detail, Scott Totzke, RIM's senior vice president for BlackBerry security, talked about the topic generally during a briefing at last week's BlackBerry World conference.
BACKGROUND: RIM CEO vows to wow with BlackBerry 10
"Security is becoming more complex for consumers than for the enterprise," Totzke says. The enterprise typically has a security infrastructure in place, often with dedicated security staff. The BlackBerry Enterprise Server lets administrators set hundreds of device and data policies for the BlackBerry phones, and forges an encrypted link for the devices through RIM's Network Operations Center. "The industry has been promising mobile commerce [to consumers] for years: the idea of using your phone as your wallet. But if that happens, it better be secure," he says. "If the user can't trust the [mobile] platform, it's a tough sell."
BB10 security will have multiple integrated layers, with the tight, cooperating relationship between hardware and software that's been a BlackBerry hallmark. For mobile users, there will be a permissions-based security model for apps, in plain, understandable English, coupled with a various OS-level security and safety features borrowed from QNX's experience in the embedded systems market.
At the OS level, QNX has offered a hardened variant of its OS called Neutrino RTOS Secure Kernel for several years. The secure kernel has been certified under the Common Criteria ISO/IEC 15408 Evaluation Assurance Level (EAL) 4+. The Common Criteria is intended to show that a computer security product has been specified, implemented and evaluated in a standard and thorough way. QNX says Neutrino was the first full-featured RTOS certified under this standard.
But RIM doesn't appear to be using the Secure Kernel variant. Rather, after RIM acquired QNX, the device maker's security architects began working closely with the QNX software engineers, according to Totzke. The works seems to be focused on how to exploit the microkernel's strengths while adding new security features.
This combined group has been focusing on a range of protections, such as: