
Explaining BlackBerry Security for Developers: Application Control

BlackBerry Development Advisor

BlackBerry application control 
 
In part one of our three-part series on BlackBerry® security, we discussed the nuances of enterprise IT policy. Today, we'll discuss application control. 
 
In contrast to IT policy, which IT administrators use to manage and control employee use of BlackBerry smartphones, application control is a security setting that defines application behavior on BlackBerry® smartphones and can be managed by the end user and/or the IT administrator (if the user is connected to a BlackBerry Enterprise Server). Specifically, application control lets the user or IT administrator define whether or not applications can make network connections, play media, access the BlackBerry® Calendar, and so on.
 
These settings are configurable by either the end user or the BlackBerry Enterprise Server admin. It’s important to note this subtle difference: because application control can be configured by the user, the BlackBerry smartphone does not need to be connected to a BlackBerry Enterprise Server to use it (whereas for IT policy to be applied, the BlackBerry smartphone has to be connected to a BlackBerry Enterprise Server).
 
BlackBerry smartphone users with experience installing applications are likely familiar with application control. In BlackBerry® Device Software 4.6 (first introduced with the BlackBerry® Bold™ smartphone) and above, users encounter application control as soon as the installed application is first executed:

"Would you like to grant [Application Name] Trusted Application status?"

If the user selects "Yes", then your application will be given all the permissions commonly needed for normal execution, i.e. all permissions will be set to “Allow” with the exception of:
  • Prompt - Recording, Security Timer Reset
  • Deny - Input Simulation, Browser Filtering, Display Information While Locked

Alternatively, if the user selects "No", it's not the end of the world; it just means that your application will be given the default set of permissions. For BlackBerry smartphones that are connected to a BlackBerry Enterprise Server, all permissions are set to “Allow” with the exception of:
  • Prompt - Recording, Phone, Location Data, Server Network, Internet
  • Deny - Browser Filtering, Input Simulation, Security Timer Reset, Display Information While Locked
 
For smartphones that are not connected to a BlackBerry Enterprise Server, all permissions are set to “Allow” with the exception of:
  • Prompt - Recording, Phone, Location Data
  • Deny - Browser Filtering, Input Simulation, Security Timer Reset, Display Information While Locked

Regardless of what the user selects, it's a good idea to check on the first run of your application which permissions have been assigned to it, using ApplicationPermissionsManager.getApplicationPermissions(). Every application permission can be set to “Allow” or “Deny”, and some have a third setting: “Prompt”. If a permission is set to “Prompt”, the user will receive a dialog like the one below when you use an API that triggers it:

"The application [Application Name] has requested a http connection to [domain X]"

At this point, the user is given the choice to “Allow” or “Deny” the request. If they select “Allow” (and check the box to not be asked again), the value of the permission will be changed from “Prompt” to “Allow” and your API call will succeed.  However, if the user selects “Deny”, then your application will receive either a ControlledAccessException or a SecurityException, depending on the method definition.
 
It is probably best to avoid these prompts in the first place. Since there's no magic formula that will allow you to eliminate all these prompts, your best bet is to group them into a single request, using ApplicationPermissionsManager.invokePermissionsRequest(ApplicationPermissions requestedPermissions) for the permission values your application will require. Calling this method first presents the user with a dialog indicating that your application is attempting to change permissions, and then displays a screen with all requested permissions, which the user must save for the settings to take effect. Since developers can't control the user interface of either of these screens, it's recommended that you inform the user what your application is about to do before launching into the permission request.
 
Lastly, if, despite all your best efforts, the user still hasn't granted you permission access beyond “Prompt”, you can give the user more information explaining why your application uses a certain function. To explain, let's return to the http message we got:

"The application [Application Name] has requested a http connection to [domain X]"

Using the ReasonProvider API, you can attach your own message to this dialog prompt, contained within a link for "Details...". If the user clicks this link, your message will be displayed to the user, allowing you to explain why your application needs this permission:

"My application needs to open a network connection so that it can download pictures from your favorite website." 

 
This approach eases the minds of your users by providing them all the information they need to make confident decisions about your application. 
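The three steps described above (check the current permissions, group the missing ones into one request, and register a ReasonProvider) combined in a single helper. This is an added example, not code from the original post or from RIM; the class name PermissionBootstrap, the choice of required permissions and the second message string are assumptions, and the PERMISSION_INTERNET and PERMISSION_LOCATION_DATA constant names are those of the 5.0 API.

```java
import net.rim.device.api.applicationcontrol.ApplicationPermissions;
import net.rim.device.api.applicationcontrol.ApplicationPermissionsManager;
import net.rim.device.api.applicationcontrol.ReasonProvider;
import net.rim.device.api.system.ApplicationDescriptor;

// Hypothetical helper, not RIM sample code. Call ensurePermissions() on first run.
public final class PermissionBootstrap implements ReasonProvider {

    // Assumption: the app uses only these two; request nothing it does not need.
    // Constant names are those of the 5.0 API.
    private static final int[] REQUIRED = {
        ApplicationPermissions.PERMISSION_INTERNET,
        ApplicationPermissions.PERMISSION_LOCATION_DATA
    };

    // Text shown behind the "Details..." link of a prompt (second string is constructed).
    public String getMessage(int permissionID) {
        if (permissionID == ApplicationPermissions.PERMISSION_INTERNET) {
            return "My application needs to open a network connection so that it "
                 + "can download pictures from your favorite website.";
        }
        if (permissionID == ApplicationPermissions.PERMISSION_LOCATION_DATA) {
            return "My application uses your location to tag downloaded pictures.";
        }
        return "My application does not request this permission.";
    }

    // Returns true if everything required is already allowed or the user accepts.
    public boolean ensurePermissions() {
        ApplicationPermissionsManager apm = ApplicationPermissionsManager.getInstance();
        apm.addReasonProvider(ApplicationDescriptor.currentApplicationDescriptor(), this);

        ApplicationPermissions current = apm.getApplicationPermissions();
        ApplicationPermissions request = new ApplicationPermissions();
        boolean missing = false;
        for (int i = 0; i < REQUIRED.length; i++) {
            // "Prompt" and "Deny" both mean a later API call can be refused.
            if (current.getPermission(REQUIRED[i]) != ApplicationPermissions.VALUE_ALLOW) {
                request.addPermission(REQUIRED[i]); // added with value "Allow"
                missing = true;
            }
        }
        if (!missing) {
            return true; // already allowed: show no dialog at all
        }
        // One grouped request instead of one prompt per guarded API call.
        return apm.invokePermissionsRequest(request);
    }
}
```

When ensurePermissions() returns false, the guarded calls can still throw ControlledAccessException or SecurityException, so keep handling both around them.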
 
For more information on the various application control settings that can be applied to your application, see the Javadoc for the ApplicationPermissions class, which defines constants for each permission. 
 
In part three of this series, we'll address the topic of code signing. Stay tuned!

Message Edited by bzubert on 09-28-2009 05:39 PM
