Specifying the resources third-party applications can access on a BlackBerry device

You can specify which applications a user can download and install on a BlackBerry® device and the resources on the BlackBerry device that the applications can access. When you control the applications that a user can install and limit the resources that the applications can access, you can help protect the BlackBerry device from malware. You can also help prevent damage to the BlackBerry device, applications, BlackBerry device data, or your organization’s network.

You can use application control policy rules and code signing to control application access to the resources and to help prevent malware on the BlackBerry device.

For more information, see Protecting the BlackBerry Device Platform Against Malware.

Managing third-party applications on a BlackBerry device using application control policy rules

You can use application control policy rules to specify whether a user can install a third-party application on a BlackBerry® device and to specify the permissions of the application.

You can use application control policy rules to specify whether an application can access the following items on the BlackBerry device:
  • data or applications (for example, messaging, phone)
  • BlackBerry device key store
  • User Authenticator API, which permits the registration of drivers so that a user can unlock the BlackBerry device using two-factor authentication

You can also use application control policy rules to specify the types of connections that the application that is running on the BlackBerry device can open (for example, local, internal, and external connections).

For example, you can create an application control policy rule that prevents an application from opening connections to internal servers. When you assign an application control policy to a software configuration and assign the software configuration to a user account or group, the user might not be able to use all of the features of a third-party application that is included in the software configuration. When you assign the application control policy rule to a software configuration and assign the software configuration to a group, the BlackBerry® Enterprise Server limits permitted application behavior to a subset of user accounts that it trusts.

The BlackBerry device revokes the application control policy and resets itself if the permissions for an application that the application control policy is applied to become more restrictive. A BlackBerry device that is running BlackBerry® Device Software version 4.1 or later permits the user to make permissions more restrictive than, but never less restrictive than, the permissions that you specify.

Managing BlackBerry Java Applications on a BlackBerry device using code signing

Before a BlackBerry® Java® Application can use BlackBerry device APIs that include sensitive packages, classes, or methods, Research In Motion requires that the RIM® signing authority system digitally sign the application. Sensitive packages, classes, or methods are APIs that impact device data or permit an application to communicate with another application.

The RIM signing authority system uses public key cryptography to authorize and authenticate the application code. The developer must visit www.blackberry.com/developers/downloads/jde/api.shtml to register the application with the RIM signing authority system so that the application can access the controlled APIs and use the BlackBerry® Signing Authority Tool. The BlackBerry Signing Authority Tool is a component of the BlackBerry® Java® Development Environment that permits an application to request, receive, and verify a digital signature from RIM.

If a developer creates a third-party API that controls access to resources and applications on the BlackBerry device, the developer can act as a signing authority for the third-party API. The developer can download and install the BlackBerry Signing Authority Tool and permit other developers to register with the BlackBerry Signing Authority Tool so that the applications that other developers create can access the third-party API. Developers who register with the RIM signing authority system can use the BlackBerry Signing Authority Tool to request, receive, and verify digital signatures for applications.

MIDlets (applications that use only standard MIDP APIs and CLDC APIs) cannot write to the BlackBerry device memory, access the memory of other applications, or access the persistent data of other MIDlets unless the RIM signing authority system digitally signed them.

For more information about code signing and third-party applications, see the BlackBerry Signing Authority Tool Administration Guide.

