Security Technical Overview

Specifying the resources that third-party applications can access on a device

You can specify which applications a BlackBerry® device user can download and install on a BlackBerry device and the resources on the device that the applications can access. If you control the applications that a user can install and limit the resources that the applications can access, you can help protect the device from malware. You can also help prevent damage to the device, applications, device data, and your organization’s network.

You can use application control policy rules and code signing to control an application's access to resources and to help prevent malware on the device.

For more information about helping to prevent malware on the device, see Protecting Devices From Malware.

Using application control policy rules to specify whether a user can install a third-party application on a device

You can use application control policy rules to specify whether a BlackBerry® device user can install a third-party application on a BlackBerry device and to specify the permissions for the application.

You can use application control policy rules to specify whether an application can access the following items on the device:
  • data or applications (for example, the Messages application or the phone)
  • device key store
  • User Authenticator API (permits the registration of drivers so that a user can unlock the device using two-factor authentication)

When you assign an application control policy to a software configuration and assign the software configuration to a user account or group, the user might not be able to use all of the features of a third-party application that is included in the software configuration. By assigning the application control policy rule to a software configuration and assigning the software configuration to a group, you limit the permitted application behavior to the subset of user accounts that the BlackBerry® Enterprise Server trusts.

If the permissions in an application control policy become more restrictive for an application that the policy applies to, the device revokes the policy and resets. A device that is running BlackBerry® Device Software version 4.1 or later permits the user to make the permissions more restrictive than, but never less restrictive than, the permissions that you specify.
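The two rules above (the user can only tighten what the administrator set, and a tightening of the assigned policy triggers a reset) amount to a small permission lattice. The following Go program is an added illustration of that model and is not code from the BlackberryEnterprise Server; it assumes a three-level ordering Deny < Prompt < Allow, invents the resource names, and treats a resource that a policy does not name as Allow.

```go
package main

import "fmt"

// Permission is the level an application control policy grants for one resource.
// The ordering is the point: Deny < Prompt < Allow, so a smaller value is more
// restrictive. (Assumed three-level model; the page names no specific levels.)
type Permission int

const (
	Deny Permission = iota
	Prompt
	Allow
)

func (p Permission) String() string {
	return [...]string{"Deny", "Prompt", "Allow"}[p]
}

// Policy maps a controlled resource (a data store, an application, the key
// store, the User Authenticator API) to a permission level.
type Policy map[string]Permission

// Effective returns the permissions an application actually runs with: the
// user may tighten each of the administrator's settings but never loosen it,
// so every resource gets the more restrictive (smaller) of the two values.
// Resources the user has not touched keep the administrator's value.
func Effective(admin, user Policy) Policy {
	out := make(Policy, len(admin))
	for res, a := range admin {
		out[res] = a
		if u, ok := user[res]; ok && u < a {
			out[res] = u
		}
	}
	return out
}

// BecomesMoreRestrictive reports whether a newly assigned policy tightens any
// resource relative to the one the device currently holds; the page says the
// device revokes the policy and resets in that case. A resource missing from a
// policy is treated as Allow here (an assumption of this example).
func BecomesMoreRestrictive(current, next Policy) bool {
	for res, n := range next {
		c, ok := current[res]
		if !ok {
			c = Allow
		}
		if n < c {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: administrator policy and the user's own choices.
	admin := Policy{"messages": Allow, "keystore": Prompt, "userauth": Deny}
	user := Policy{"messages": Prompt, "keystore": Allow, "userauth": Allow}
	for res, p := range Effective(admin, user) {
		fmt.Printf("%-9s admin=%-6v user=%-6v effective=%v\n", res, admin[res], user[res], p)
	}
	fmt.Println("reset needed:", BecomesMoreRestrictive(admin, Policy{"messages": Prompt}))
}
```

The user's attempt to raise `keystore` and `userauth` to Allow has no effect, while the downgrade of `messages` to Prompt sticks; replacing the administrator policy with one that lowers `messages` is reported as a tightening, which is the condition under which the device resets.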

For more information about configuring application control policies, see the BlackBerry Enterprise Server Administration Guide.

Managing BlackBerry Java Applications on a device using code signing

Before a BlackBerry® Java® Application can use BlackBerry device APIs that include sensitive packages, classes, or methods, Research In Motion requires that the RIM® signing authority system digitally sign the application. Sensitive packages, classes, or methods are APIs that affect device data or permit an application to communicate with another application.

The RIM signing authority system uses public key cryptography to authorize and authenticate the application code. To give the application access to the controlled APIs, the developer must visit www.blackberry.com/developers/downloads/jde/api.shtml to register the application with the RIM signing authority system and to use the BlackBerry® Signing Authority Tool. The BlackBerry Signing Authority Tool is a component of the BlackBerry® Java® Development Environment that permits an application to request, receive, and verify a digital signature from RIM.

If a developer creates a third-party API that controls access to resources and applications on the device, the developer can act as a signing authority for the third-party API. The developer can download and install the BlackBerry Signing Authority Tool and permit other developers to register with the BlackBerry Signing Authority Tool so that the applications that other developers create can access the third-party API. Developers who register with the RIM signing authority system can use the BlackBerry Signing Authority Tool to request, receive, and verify digital signatures for applications.

MIDlets, which are applications that use only standard MIDP APIs and CLDC APIs, cannot write to the device memory, access the memory of other applications, or access the persistent data of other MIDlets unless the RIM signing authority system has digitally signed them.

For more information about code signing and third-party applications, see the BlackBerry Signing Authority Tool Administration Guide.
