RIM Cryptographic API
The AES implementation in the RIM® Cryptographic API has changed. Prior to BlackBerry® Java® SDK 7.0, a FIPS-validated version of the AES encryption algorithm was always used, but with BlackBerry® 7, the BlackBerry device chooses the version of AES that allows for the best performance. This flexibility is possible because BlackBerry devices that run BlackBerry 7 do not use FIPS compliant AES implementations by default. Most developers do not need to create FIPS compliant applications. The option to enforce FIPS compliance on BlackBerry devices is available in a BlackBerry® Enterprise Server environment. To enforce FIPS compliance, your BlackBerry Enterprise Server administrator must set the new IT policy rule "Enforce FIPS Mode of Operation."
A new FIPS-validated random source was added: the AES cipher-based deterministic random bit generator. It is represented by a new constant in the Crypto class, PRNG_TYPE_AES_CTR_DRBG. In addition, a constant was added: PRNG_TYPE_FIPS186. Previously, this was the only random number generator; as the only type, it did not need to be specified. This random number generator is no longer FIPS compliant. A new parameter, prngType, is now supported by the Crypto.getPRNG() method. It can be set to PRNG_TYPE_AES_CTR_DRBG (for FIPS compliance) or PRNG_TYPE_FIPS186 (when FIPS compliance is not required).
The AESEncryptorEngine(), AESDecryptorEngine(), AESCBCEncryptorEngine(), and AESCBCDecryptorEngine() methods each have a new Boolean parameter called useFIPSmode. In the same four methods, the parameter inECMMode was renamed to useCPAProtection. This name change does not affect functionality.
The AESCTRDRBGPseudoRandomSource class was added. The AESCTRDRBGPseudoRandomSource class is identical to FIPS186PseudoRandomSource, except that the new class supports FIPS compliance. The FIPS186PseudoRandomSource class can no longer be used to generate pseudorandom data in FIPS compliant applications, but it can still be used for applications that do not require FIPS compliance.
BlackBerry Balance technology support
The Multi Service Platform API supports the BlackBerry® Balance™ technology that was introduced in BlackBerry® Enterprise Server 5.0.3.
BlackBerry Enterprise Server administrators can set IT policy rules that control access to work data and personal data on a BlackBerry device. These rules allow administrators to control access to work data and to facilitate the deletion of work data.
The net.rim.device.api.system.MultiServicePlatformManager class and the net.rim.device.api.system.MultiServicePlatformListener interface allow you to implement controls on data access and create listeners that allow administrators to delete data remotely. Modes (such as work) are defined in the net.rim.device.api.system.ServiceMode class. The net.rim.device.api.system.Application class includes the following new methods: getServiceMode, setServiceMode, setServiceModeImpl, and suggestServiceMode.
The PL_INVALID_OPERATION constant has been added to the FileIOException class. The PL_INVALID_OPERATION exception is generated when an unauthorized, personal or non-work application attempts to delete, create, read, or change a work file.
Security for NFC
The PERMISSION_NFC and PERMISSION_SECURE_ELEMENT constants have been added to the ApplicationPermissions class. PERMISSION_NFC controls an application's ability to access NFC functionality. PERMISSION_SECURE_ELEMENT controls an application's ability to access the secure elements embedded in the phone or on a SIM card.
You can set both permissions to VALUE_ALLOW, VALUE_PROMPT, or VALUE_DENY. The default value for both permissions is VALUE_PROMPT. You can find the ApplicationPermissions class in the net.rim.device.api.applicationcontrol package.
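The following added example (not code from the SDK documentation) checks the two new permissions before an application touches NFC or the secure element, requests any that are not already VALUE_ALLOW, and fails closed if the user declines. The class and method names NfcPermissionGate and ensureNfcAccess are hypothetical; the example uses ApplicationPermissionsManager from the same package, which this page does not mention, and assumes the application wants both permissions granted up front rather than prompted at first use.

```java
import net.rim.device.api.applicationcontrol.ApplicationPermissions;
import net.rim.device.api.applicationcontrol.ApplicationPermissionsManager;

// Added example: NfcPermissionGate and ensureNfcAccess are hypothetical names.
public final class NfcPermissionGate {

    // The two permissions introduced for NFC in this release.
    private static final int[] REQUIRED = {
        ApplicationPermissions.PERMISSION_NFC,
        ApplicationPermissions.PERMISSION_SECURE_ELEMENT
    };

    private NfcPermissionGate() {
    }

    // True only when every entry in REQUIRED is currently VALUE_ALLOW.
    private static boolean allAllowed(ApplicationPermissions perms) {
        for (int i = 0; i < REQUIRED.length; i++) {
            if (perms.getPermission(REQUIRED[i]) != ApplicationPermissions.VALUE_ALLOW) {
                return false;
            }
        }
        return true;
    }

    // Call before any NFC or secure element code path; a false result
    // means the caller must not proceed (fail closed).
    public static boolean ensureNfcAccess() {
        ApplicationPermissionsManager manager = ApplicationPermissionsManager.getInstance();
        if (allAllowed(manager.getApplicationPermissions())) {
            return true;
        }

        // Request only what is missing (VALUE_PROMPT by default, or VALUE_DENY).
        ApplicationPermissions current = manager.getApplicationPermissions();
        ApplicationPermissions request = new ApplicationPermissions();
        for (int i = 0; i < REQUIRED.length; i++) {
            if (current.getPermission(REQUIRED[i]) != ApplicationPermissions.VALUE_ALLOW) {
                request.addPermission(REQUIRED[i]);
            }
        }

        // Shows the permission request to the user; false means it was declined.
        if (!manager.invokePermissionsRequest(request)) {
            return false;
        }
        // Re-read the effective settings instead of trusting the dialog result alone.
        return allAllowed(manager.getApplicationPermissions());
    }
}
```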