Secure Mobile Web Service Applications: The BlackBerry Enterprise Solution
Strong IT Policy Enforcement and Management for Handheld Devices
To secure information stored on BlackBerry devices, password authentication can be made mandatory through the customizable IT policies of the BlackBerry Enterprise Server. By default, password authentication is limited to ten attempts, after which the device's memory is erased.
Local encryption of all data (messages, address book entries, calendar entries, memos, and tasks) also can be enforced via IT policy. And, with the Password Keeper, password entries can be securely stored on the device (for example, banking passwords, PINs, and so forth) using AES encryption technology.
Permit-Only Trusted Connections
The BlackBerry Enterprise Server does not store any e-mail or data. To increase protection from unauthorized parties, there is no staging area between the server and the BlackBerry device where data is decrypted.
To further enhance the security of the solution, the BlackBerry Enterprise Server is designed to allow only authenticated, outbound-initiated connections through port 3101 of the firewall. Unauthorized commands cannot be executed on the system because no inbound traffic is permitted from sources other than the BlackBerry device. Only data that can be decrypted with a valid encryption key are permitted between the server and the wireless network. All data and application traffic, including browser, MDS Studio, and Java application data messages, use the same data encryption technologies that are used by the BlackBerry Enterprise Server.
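The outbound-only design above can be checked against a firewall ruleset. The following is an added example, not code from the article or from Research In Motion: it audits `iptables -S FORWARD` style output and flags any rule that departs from "new connections only from the BES, only to TCP port 3101". The Linux firewall, the BES address 10.0.5.20, and both sample rulesets are assumptions constructed for illustration.

```python
# Added example (not from the article): audit `iptables -S FORWARD` output
# against the outbound-only port 3101 design described above.
BES_HOST = "10.0.5.20/32"  # hypothetical BES address (assumption)
BES_PORT = "3101"          # port named in the article

# Constructed sample rulesets, not taken from any real deployment.
HARDENED = """
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.5.20/32 -p tcp -m tcp --dport 3101 -m conntrack --ctstate NEW -j ACCEPT
"""
WEAK = """
-P FORWARD ACCEPT
-A FORWARD -d 10.0.5.20/32 -p tcp -m tcp --dport 3101 -j ACCEPT
-A FORWARD -s 10.0.5.20/32 -j ACCEPT
"""

def parse_rule(line):
    """Map flag -> value for one '-A FORWARD' line (assumes one value per flag, no '!')."""
    tokens = line.split()[2:]
    return dict(zip(tokens[0::2], tokens[1::2]))

def audit(ruleset):
    """Return findings where the ruleset departs from outbound-only tcp/3101."""
    findings = []
    for line in ruleset.strip().splitlines():
        if line.startswith("-P FORWARD"):
            if line.split()[2] != "DROP":
                findings.append("default policy is not DROP: " + line)
            continue
        if not line.startswith("-A FORWARD"):
            continue
        rule = parse_rule(line)
        if rule.get("-j") != "ACCEPT":
            continue
        # A rule without --ctstate matches new connections as well as replies.
        if "NEW" not in rule.get("--ctstate", "NEW").split(","):
            continue  # replies on established flows are expected
        src, dst = rule.get("-s"), rule.get("-d")
        if dst == BES_HOST or (dst is None and src != BES_HOST):
            findings.append("inbound-initiated connection can reach BES: " + line)
        elif src == BES_HOST and (rule.get("-p"), rule.get("--dport")) != ("tcp", BES_PORT):
            findings.append("BES outbound not limited to tcp/3101: " + line)
    return findings

if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(rules) or "ok")
```

The weak ruleset fails on all three counts: a permissive default policy, an inbound rule that lets outside hosts open connections to the server on 3101, and an unrestricted outbound rule for the server.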
The conflation of mobile technology (which is getting faster and more nearly ubiquitous) and Web services (which is entering the mainstream and becoming more standardized) in an increasingly security-conscious world is supported by some very good software and hardware. That from Research In Motion and RSA Security is not the only choice out there. But, the technologies and products from these two pioneers should serve as a standard by which the technologies and products from other vendors may be measured or judged when you peruse alternative solutions. Although neither Research In Motion nor RSA Security is resting on its laurels, neither is its competition.
Appendix A: Web Services
Web services are self-contained software components that are published, located, and invoked over the Internet or an intranet, using standard protocols and interfaces. For example, the Web services architecture allows an application at one company to query a service at another company to determine the current price of a particular product. Although this is currently possible without using Web services, it requires modification of each company's applications so that each service can find and talk to each other. By using standard enabling technologies, an application or service can be made available over the network without regard to platform, language, location, or implementation of the service.
In Figure 8, the Service Broker helps Service Providers and Service Requesters find each other. The UDDI (Universal Discovery, Description, and Integration)-based registry is where a Web service is discovered. UDDI's approach to discovery is to have a registry of services distributed across the Web. In that distributed registry, businesses and services are described in a common XML format. The structured data in those XML documents is easily searched, analyzed, and manipulated. Currently, there exist a number of global registries that allow businesses to find each other across enterprise boundaries. WSDL (Web Services Description Language) is an XML-based language for describing the interface of Web services. The service requester can use WSDL to find a compliant service and the service provider uses WSDL to describe the service it is providing.
Figure 8: Relationships among service requester, provider, and broker
Advantages of Web services
- Web services provide interoperability between various software applications running on disparate platforms/operating systems.
- Web services use open standards and protocols. Protocols and data formats are text-based where possible, making it easy for developers to comprehend.
- By utilizing HTTP, Web services can work through many common firewall security measures without requiring changes to the firewall filtering rules. Other forms of RPC may more often be blocked.
- Web services allow software and services from different companies and locations to be combined easily to provide an integrated service.
- Web services allow the reuse of services and components within an infrastructure.
- Web services are loosely coupled, thereby facilitating a distributed approach to application integration.
Disadvantages of Web services
- Web services standards features such as transactions are currently nonexistent or still in their infancy compared to more mature distributed computing open standards such as CORBA. This is likely to be a temporary disadvantage as most vendors have committed to the OASIS standards to implement the Quality of Service aspects of their products.
- Web services may suffer from poor performance compared to other distributed computing approaches such as RMI, CORBA, or DCOM. This is a common trade-off when choosing text-based formats. XML explicitly does not count among its design goals either conciseness of encoding or efficiency of parsing. This could change with the XML Infoset standard, which describes XML-based languages in terms of abstractions (elements, attributes, and logical nesting). The traditional angle-bracket representation is now seen as an ASCII (or Unicode) serialization of XML, not XML itself. In this model, binary serialization is an equally valid alternative. Binary representations such as SOAP MTOM promise to improve the wire efficiency of XML messaging.
Appendix B: FIPS 140-2
RIM's FIPS validation program focuses on the software components that provide the core cryptographic operations required for BlackBerry functionality. In the case of BlackBerry devices, the "BlackBerry Cryptographic Kernel" was validated, and in the case of the BlackBerry Enterprise Server, the "BlackBerry Enterprise Server Cryptographic Kernel" was validated. This ensures two things: that data sent between the BlackBerry Enterprise Server and a device (in other words, over-the-air) and any data stored on the device are encrypted.
BlackBerry has several FIPS 140-2 validation certificates that span several versions of both Cryptographic Kernels, including all currently released versions with BlackBerry handheld software and BlackBerry Enterprise Server 4.1. References 12 and 13 contain details of the BlackBerry FIPS 140-2 Security Policy.
Appendix C: The BlackBerry Manager
The BlackBerry Manager is the administration console through which administrators manage the BlackBerry Enterprise Server. For example, they can enforce corporate policies by specifying acceptable use for the handheld on a per-user or per-group basis, and everything is done over the air. Further discussion of the administration console is beyond the scope of this article, but you can see the "tip of the iceberg" in Figure 9.
Figure 9: BES administration console
References
- Johnston, C., Evers, R. Professional BlackBerry, Wrox (2005)
- Mabe, D. BlackBerry Hacks, O'Reilly Media (2006)
- Foust, B. Mobile Guide to BlackBerry, Que (2005)
- Simmons, C. How to Do Everything with Your Blackberry, 2nd Ed., McGraw-Hill/Osborne (2004)
- Newcomer, E. Understanding Web Services: XML, WSDL, SOAP, and UDDI, Addison-Wesley (2002)
- Knudsen, J., Li, S. Beginning J2ME: From Novice to Professional, 3rd Ed., Apress (2005)
- Koletzke, P. et al. Oracle JDeveloper 10g Handbook, McGraw-Hill/Osborne (2004)
- Johansson, J., Riley, S. Protect Your Windows Network, Addison-Wesley (2005)
- Adams, C., Lloyd, S. Understanding PKI, 2nd Ed., Addison-Wesley (2003)
- Erbschloe, M. Physical Security for IT, Elsevier (2004)
- Poole, I. Cellular Communications Explained, Elsevier (2006)
About the Author
Marcia Gulesian has served as Software Developer, Project Manager, CTO, and CIO over an eighteen-year career. She is author of well more than 100 feature articles on Information Technology, its economics, and its management. You can e-mail Marcia at firstname.lastname@example.org.
© 2006 Marcia Gulesian