BlackBerry 10 OS will have multi-layered security model

RIM's upcoming BlackBerry 10 operating system is intended to be as secure, if not more so, than the OS running on RIM's current crop of BlackBerry devices. Mobile security could become a major selling point for the new platform, for enterprises, carriers and end users alike.

Essentially, RIM is blending security elements from its BlackBerry heritage with the security architecture of the new OS, which is based on the QNX Neutrino real-time operating system, acquired when RIM bought QNX Software Systems in 2010. While RIM has not revealed BlackBerry 10 security in detail, Scott Totzke, RIM's senior vice president, BlackBerry security, talked about the topic generally during a briefing at last week's BlackBerry World conference.

BACKGROUND: RIM CEO vows to wow with BlackBerry 10

"Security is becoming more complex for consumers than for the enterprise," Totzke says. The enterprise typically has a security infrastructure in place, often with dedicated security staff. The BlackBerry Enterprise Server lets administrators set hundreds of device and data policies for the BlackBerry phones, and forges an encrypted link for the devices through RIM's Network Operations Center. "The industry has been promising mobile commerce [to consumers] for years: the idea of using your phone as your wallet. But if that happens, it better be secure," he says. "If the user can't trust the [mobile] platform, it's a tough sell."

BB10 security will have multiple integrated layers, with the tight, cooperating relationship between hardware and software that's been a BlackBerry hallmark. For mobile users, there will be a permissions-based security model for apps, in plain, understandable English, coupled with a various OS-level security and safety features borrowed from QNX's experience in the embedded systems market.

At the OS level, QNX has offered a hardened variant of its OS called Neutrino RTOS Secure Kernel for several years. The secure kernel has been certified under the Common Criteria ISO/IEC 15408 Evaluation Assurance Level (EAL) 4+. The Common Criteria is intended to show that a computer security product has been specified, implemented and evaluated in a standard and thorough way. QNX says Neutrino was the first full-featured RTOS certified under this standard.

(In December 2011, QNX announced that Neutrino has also been received a safety certification, under the IEC 61508 standard for Safety Integrity Level 3 (SIL 3). Strictly speaking, this isn't a security certification, but one intended to reduce the rate of "dangerous failures" to a system.)

But RIM doesn't appear to be using the Secure Kernel variant. Rather, after RIM acquired QNX, the device maker's security architects began working closely with the QNX software engineers, according to Totzke. The works seems to be focused on how to exploit the microkernel's strengths while adding new security features.

This combined group has been focusing on a range of protections, such as:

• Blocking root access, which enables a user or hacker to gain administrative access to the OS.
• Memory randomization, which in effect "scrambles" where in memory routines may run, making it harder for these to be leveraged by attackers.
• Adding security management, including auditing, to the kernel.

It's a work in progress. Code to jailbreak or root the QNX-based PlayBook OS (so you can load apps apart from BlackBerry App World) is available from DingleBerry.it, specifically Version 3.3, which was a big step up in simplicity and ease of use. A 4.0 version is in development. The PlayBooks will eventually run BlackBerry 10, so if blocking root access is a priority for RIM, then they may be harder to jailbreak with the release of the new OS.

One advance to protect data is already present in the PlayBook OS and will be a key part of BlackBerry 10, according to Totzke. BlackBerry Balance creates separate and secure work and personal "perimeters" at the data level. Corporate apps and data are encrypted in the work perimeter, and can't be transferred or copied to the personal perimeter. (Encryption for personal data will be available in the next release of the PlayBook OS, he says.)

"But I [as the end user] don't have to think about this separation," says Totzke. "There's a unified presentation to the data [in the user interface], but under the covers, the system separates the data." There is only one email system and UI, for example, on the device, but work and personal emails are kept separate by the underlying system.

Neutrino's microkernel architecture keeps an essential set of services in the core, but drivers, applications, protocol stacks, and the file system run outside the microkernel, effectively sandboxed in what's called memory-protected user space. This means that almost any of these external components can fail and be replaced and restarted without affecting other components or the kernel itself, according to QNX. Presumably malware designed to compromise the kernel likewise will be isolated in these protected spaces.

Another layer of protection lies in QNX Neutrino conforming to the POSIX standard, which specifies an API, and some shells and interfaces, for software compatibility between POSIX-compliant operating systems. "A POSIX API prevents the use of proprietary interfaces with the potential for insecure behavior and misunderstood results," among other benefits, according to the QNX website. The RTOS was designed from the outset for POSIX support, an approach that eliminates the need for adding a "complex POSIX adaptation layer" that some rivals RTOSs require. The result is faster performance and lower memory requirements for applications, according to QNX.

Much of this security infrastructure will be invisible to end users. But if mobile payment technologies actually find some traction, security or at least the need for it may become more pressing for end users. RIM been an enthusiastic adopter of near-field communications (NFC) in its BlackBerry smartphones, to support using them for "contactless" mobile payments. U.K.-based The Inquirer reported this week that RIM says it accounted for 80% of NFC phones shipped to U.K. retailers in the first quarter.

"I think that's where people want to go," says Totzke. "I sometimes forget my wallet, but I never forget my phone."

"Security has to become a little more in the forefront for consumers and a lot more in the forefront for device makers and app developers," he adds.

John Cox covers wireless networking and mobile computing for Network World. Twitter: http://twitter.com/johnwcoxnww Email: john_cox@nww.com Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed

Read more about anti-malware in Network World's Anti-malware section.