Catching Up to the BlackBerry on Security
BlackBerrys gained favor in corporate IT departments partly because of their strong security, but rival devices aren’t necessarily more dangerous for employees to use.
Before Apple’s iPhone turned smart phones into coveted consumer devices, most corporate employees were toting around BlackBerrys. The devices weren’t slim or sexy, they didn’t boast hundreds of thousands of apps, and surfing the Web with them was awkward. But employers trusted Research In Motion, which marketed its BlackBerry phones as a secure way to let mobile workers access sensitive company information.
The perception persists among many technology executives that a BlackBerry is more secure than an iPhone or a phone running Google’s Android software. And yet the popularity of those rivals has led many companies to loosen their restrictions on which mobile devices people can use for work. When employees ask to use their iPhones and Android phones, are they putting the company at risk? It depends more on what people do with their phones than on which phones they use.
One traditional advantage of the BlackBerry is that it encrypts not only e-mail but also regular Web traffic that wouldn’t normally get such treatment. RIM’s server software also gives technology managers precisely targeted control over every BlackBerry a company hands out. Scott Totzke, RIM’s vice president of BlackBerry security, says there are 500 different settings for locking down the devices. For example, a company can decide that employees can download only certain approved applications, or none at all. They might be permitted to access and post to Facebook, but not to have the social-networking site access the company e-mail directory via the BlackBerry.
The iPhone doesn’t offer quite such sophisticated tools for managing the device’s settings. Still, IT departments can manage e-mail to iPhone and Android devices with third-party software such as Microsoft’s Exchange server, which can push a basic set of mailbox and device policies to those phones along with the mail itself.
When it comes to the damage that malicious code can wreak on smart phones, however, some security experts give the iPhone the edge for safety (assuming the device isn’t “jailbroken,” or modified to get around some of Apple’s restrictions). That’s partly because of the process that Apple requires software developers to go through if they want to create iPhone applications. Apple’s process for reviewing and code-signing their applications, so that the phone runs only code traceable to an identified developer, is more rigorous than RIM’s. (Google doesn’t have an up-front screening process for the Android app marketplace.)
Vincenzo Iozzo, an independent security consultant in Milan, Italy, targeted the BlackBerry at this year’s Pwn2Own hacking competition: he and two teammates attacked through a security hole in the open-source code behind its Web browser. (RIM has since plugged the hole, which had already been patched on Apple and Android devices.) He says BlackBerry has benefited from “security through obscurity”: there are tools and documentation that help software developers—benign ones and bad guys alike—create programs and observe how they run on the iPhone or Android, but RIM has been less forthcoming. “From the outside world, [the BlackBerry] is more of a black box,” he says. That has worked to RIM’s advantage—Iozzo would still recommend BlackBerrys first, and iPhones second, for companies extremely concerned about attacks on individual employees’ phones. But he adds: “The BlackBerry is easier to exploit once you get to know it.”
Charlie Miller, principal research consultant at the security firm Accuvant Labs, agrees with that assessment. He notes that the iPhone and Microsoft’s Windows Phone 7, unlike the BlackBerry, employ two exploit mitigations known as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). The first randomizes where a program’s code and data are placed in memory, so an intruder cannot count on knowing the address of the code or data an exploit needs to reach; the second marks memory that holds data as non-executable, so the processor refuses to run code an attacker has smuggled onto the phone as data.
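ASLR and DEP only help a program that is built to use them: the loader can relocate a binary to a random base only if it is position-independent, and the kernel honours a non-executable stack only if the binary does not ask for an executable one. The following is an added example written for this page, not code from the article, RIM, Apple or Microsoft. It shows the check a practitioner would run to confirm those two properties, done on a Linux ELF64 binary (whose headers are simple enough to parse inline) rather than on the Mach-O format iOS uses; the input images are constructed in the script, and the names elf_mitigations, build_elf and check_file are mine.

```python
import struct
import sys

# ELF constants (from the ELF specification and Linux's elf.h)
ET_EXEC = 2                 # fixed-address executable: same addresses every run
ET_DYN = 3                  # position-independent (PIE): loader may pick a random base
PT_GNU_STACK = 0x6474E551   # program header that states the stack permissions
PF_X, PF_W, PF_R = 1, 2, 4  # segment permission bits


def elf_mitigations(data: bytes) -> dict:
    """Report whether an ELF64 image can benefit from ASLR (PIE) and from a
    non-executable stack, the Linux form of DEP/NX."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags

    # A missing PT_GNU_STACK is treated as "not protected": older kernels then
    # fall back to an executable stack, and checksec reports it the same way.
    return {
        "pie": e_type == ET_DYN,
        "gnu_stack_present": stack_flags is not None,
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }


def build_elf(e_type: int, stack_flags) -> bytes:
    """Construct a minimal little-endian ELF64 image consisting of headers only
    (constructed test input, not a runnable program). stack_flags=None omits
    the PT_GNU_STACK header entirely."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                                 0, 0, 0, 0, 0, 16))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1, 0x1000,      # e_type, e_machine (x86-64), e_version, e_entry
        64, 0, 0,                   # e_phoff, e_shoff, e_flags
        64, 56, len(phdrs),         # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                   # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(phdrs)


def check_file(path: str) -> dict:
    """Run the same check on a real binary on disk."""
    with open(path, "rb") as f:
        return elf_mitigations(f.read())


# Constructed samples: a hardened build, a legacy build that opts into an
# executable stack, and a build that says nothing about its stack at all.
HARDENED = build_elf(ET_DYN, PF_R | PF_W)
LEGACY = build_elf(ET_EXEC, PF_R | PF_W | PF_X)
NO_STACK_NOTE = build_elf(ET_EXEC, None)

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY),
                        ("no-stack-note", NO_STACK_NOTE)):
        print(name, elf_mitigations(image))
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Passing real binaries on the command line (for example `python3 check.py /bin/ls`) runs the same parser over them. Two caveats: shared libraries are also ET_DYN, so a fuller tool would additionally require a PT_INTERP header before calling an image a PIE executable, and an NX stack says nothing about heap or other mappings, which the kernel protects separately once the hardware and the binary's segment flags allow it.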
Eric Maiwald, an analyst for the technology research group Gartner, says companies should worry less about the security of any particular device and more about their overall strategies for dealing with a workforce that wants to connect personal phones to the corporate network. For example, does a company want to allow sensitive data to be stored on a phone itself, or should it stay in the data center, from which it can be accessed remotely?
Not having to worry about which particular devices to buy for employees frees Lars Crotwell, vice president for information technology at the oilfield services company Basic Energy Services, to focus more on the specific IT needs of the business. He says some features that earned BlackBerry favor among corporate customers, such as the ability to remotely wipe data from devices that are lost or stolen, are now available on competing phones. He believes RIM might still offer better overall security, but even if it does, he says the marginal utility of that extra security has declined in the last few years. That’s one reason why he now lets employees bring in their own smart phones. “Just because (BlackBerry) is more secure doesn’t mean the iPhone or Android can’t meet our needs. After a certain point, who cares?” Crotwell says. “It’s secure enough for our risk profile.”