Business Report

Catching Up to the BlackBerry on Security

BlackBerrys gained favor in corporate IT departments partly because of their strong security, but rival devices aren’t necessarily more dangerous for employees to use.

Before Apple’s iPhone turned smart phones into coveted consumer devices, most corporate employees were toting around BlackBerrys. The devices weren’t slim or sexy, they didn’t boast hundreds of thousands of apps, and surfing the Web with them was awkward. But employers trusted Research in Motion, which marketed its BlackBerry phones as a secure way to let mobile workers access sensitive company information.

This chart compares worldwide market share for smart phones in the first quarter of 2011 and 2010. Research in Motion’s BlackBerry has lost share while the iPhone and Android devices have gotten more popular.

The perception persists among many technology executives that a BlackBerry is more secure than an iPhone or a phone running Google’s Android software. And yet the popularity of those rivals has led many companies to loosen their restrictions on which mobile devices people can use for work. When employees ask to use their iPhones and Android phones, are they putting the company at risk? It depends more on what people do with their phones than on which phones they use.

One traditional advantage of the BlackBerry is that it encrypts not only e-mail but also regular Web traffic that wouldn’t normally get such treatment. RIM’s server software also gives technology managers precisely targeted control over every BlackBerry a company hands out. Scott Totzke, RIM’s vice president of BlackBerry security, says there are 500 different settings for locking down the devices. For example, a company can decide that employees can download only certain approved applications, or none at all. They might be permitted to access and post to Facebook, but not to have the social-networking site access the company e-mail directory via the BlackBerry.

The iPhone doesn’t offer quite such sophisticated tools for managing the device’s settings. Still, IT departments can manage e-mail to the iPhone and Android devices with third-party programs such as Microsoft’s Exchange system.

When it comes to the damage that malicious code can wreak on smart phones, however, some security experts give the iPhone the edge for safety (assuming the device isn’t “jailbroken,” or modified to get around some of Apple’s restrictions). That’s partly because of the process that Apple requires software developers to go through if they want to create iPhone applications. Apple’s method for authenticating and identifying their code is more rigorous than RIM’s. (Google doesn’t have an up-front screening process for the Android app marketplace.)

Vincenzo Iozzo, an independent security consultant in Milan, Italy, targeted the BlackBerry at this year’s Pwn2own hacking competition: he and two teammates attacked through a security hole in the open-source code behind its Web browser. (RIM has since plugged the hole, which had already been patched on Apple and Android devices.) He says BlackBerry has benefited from “security through obscurity”: there are tools and documentation that help software developers—benign ones and bad guys alike—create programs and observe how they run on the iPhone or Android, but RIM has been less forthcoming. “From the outside world, [the BlackBerry] is more of a black box,” he says. That has worked to RIM’s advantage—Iozzo would still recommend BlackBerrys first, and iPhones second, for companies extremely concerned about attacks on individual employees’ phones. But he adds: “The BlackBerry is easier to exploit once you get to know it.”

Charlie Miller, principal research consultant at the security firm Accuvant Labs, agrees with that assessment. He notes that the iPhone and Microsoft’s Windows Phone 7, unlike the BlackBerry, employ exploit mitigations called Address Space Layout Randomization and Data Execution Prevention. The first makes it harder for an intruder to find specific parts of the software code or data on a phone; the second keeps phones’ processors from executing data provided by the attacker as code.

Eric Maiwald, an analyst for the technology research group Gartner, says companies should worry less about the security of any particular device and more about their overall strategies for dealing with a workforce that wants to connect personal phones to the corporate network. For example, does a company want to allow sensitive data to be stored on a phone itself, or should it stay in the data center, from which it can be accessed remotely?

Not having to worry about which particular devices to buy for employees frees Lars Crotwell, vice president for information technology at the oilfield services company Basic Energy Services, to focus more on the specific IT needs of the business. He says some features that earned BlackBerry favor among corporate customers, such as the ability to remotely wipe data from devices that are lost or stolen, are now available on competing phones. He believes RIM might still offer better overall security, but even if it does, he says the marginal utility of that extra security has declined in the last few years. That’s one reason why he now lets employees bring in their own smart phones. “Just because [BlackBerry] is more secure doesn’t mean the iPhone or Android can’t meet our needs. After a certain point, who cares?” Crotwell says. “It’s secure enough for our risk profile.”

Next in this Business Report
Securing Data

In June, Business Impact will show why information security isn’t an issue only the IT department needs to worry about. We’ll explore why companies still struggle to secure data—from theft or loss—even after all the attention given to costly data breaches and hacking attacks. We’ll analyze fresh ideas for improving security in the cloud and on mobile devices and explain what smart companies are doing.
