
BlackBerry Support for HTTPS connection

by Retired on 02-17-2010 01:17 PM - edited on 09-19-2011 09:48 AM by Retired (8,049 Views)

Summary

This article applies to BlackBerry® smartphones based on Java® technology.

Description

The BlackBerry® Browser and BlackBerry applications are able to make use of Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connections. The following are the three possible routes available for making HTTPS connections:

  • Wireless service provider’s WAP Gateway

    When creating a connection through a Wireless Application Protocol (WAP) 1.x gateway, the gateway can be configured to create HTTPS connections to origin servers. In this configuration, the connection between the BlackBerry smartphone and the WAP gateway is encrypted with Wireless Transport Layer Security (WTLS).

    In WAP 1.x, this is the so-called WAP security gap: WTLS-encrypted Hypertext Transfer Protocol (HTTP) requests are decrypted at the WAP gateway and then re-encrypted using HTTPS before they are sent to the origin server. HTTPS-encrypted HTTP responses are likewise decrypted at the WAP gateway and re-encrypted with WTLS before being sent back to the BlackBerry smartphone. The plaintext is therefore exposed on the gateway, which is operated by the wireless service provider rather than by the organization.

    WAP 2.0 supports HTTP over SSL/TLS (HTTPS) directly, so the connection is secured between the BlackBerry smartphone and the target server without a decryption point at the gateway. Support for HTTPS connections through a WAP gateway may depend on the wireless service provider. Contact your wireless service provider for details on the connections permitted through its WAP gateway.

  • Direct TCP Connection

    Direct Transmission Control Protocol (TCP) connections are supported with BlackBerry® Device Software 4.0 and later. When creating an HTTPS connection using a direct TCP connection, data is encrypted between the BlackBerry smartphone and the origin server and is not decrypted at any point in transit.

  • BlackBerry MDS Connection Service

    When connecting to the wireless network using the BlackBerry® Mobile Data System (BlackBerry MDS), the following connection modes are possible:

  • Proxy mode

    In Proxy mode (the default setting), the connection between the BlackBerry smartphone and the BlackBerry® Enterprise Server is encrypted using the same Advanced Encryption Standard (AES) algorithm that is used for messaging by default. This configuration also includes a security gap. AES-encrypted HTTPS requests from the BlackBerry smartphone are decrypted at the BlackBerry Enterprise Server, passed unencrypted to the BlackBerry MDS Connection Service and HTTPS-encrypted before they are sent to the origin server. HTTPS-encrypted HTTP responses are decrypted at the BlackBerry MDS Connection Service, then passed unencrypted to the BlackBerry Enterprise Server where they are AES-encrypted again before they are forwarded to a BlackBerry smartphone.

    A significant difference between the BlackBerry MDS Connection Service configuration and the WAP configuration is where the security gap sits. In the WAP configuration it is often at the wireless service provider, outside the organization's control. In the BlackBerry MDS Connection Service configuration it is behind the corporate firewall, on the hop between the BlackBerry Enterprise Server and the BlackBerry MDS Connection Service, and is usually considered to be more secure. That hop still carries the traffic unencrypted, so the network path between those two components must itself be trusted.

  • End-to-end (Handheld) mode

    End-to-end (Handheld) HTTPS mode is supported in BlackBerry Device Software 3.6.1 and later. The TLS Default option appears in the Security Options for Transport Layer Security (TLS) on the BlackBerry smartphone. BlackBerry smartphone users can set the TLS Default option to Handheld, which makes the device negotiate the TLS or SSL connection directly with the origin server. This setting applies to all HTTPS connections that the BlackBerry Browser makes.

    All traffic between the BlackBerry MDS and the BlackBerry smartphone is AES-encrypted. Therefore, traffic between the BlackBerry Enterprise Server and the BlackBerry smartphone is encrypted twice, once by HTTPS and again with AES by the BlackBerry MDS and the BlackBerry smartphone. This leads to a small increase in bandwidth and battery usage on the BlackBerry smartphone. In addition, since the traffic is already HTTPS-encrypted when it arrives at the BlackBerry MDS, none of the BlackBerry MDS content optimizations can be applied, which can significantly affect performance.

    To use end-to-end (Handheld) mode from within a BlackBerry smartphone application, the application developer can add one of the following parameters to the connection string passed to Connector.open():


Parameter: EndToEndRequired
Description: An end-to-end HTTPS connection must be used from the BlackBerry smartphone to the target server. If an end-to-end HTTPS connection cannot be set up, the connection is closed.

Parameter: EndToEndDesired
Description: An end-to-end HTTPS connection should be used from the BlackBerry smartphone to the target server if the BlackBerry smartphone supports it. If the BlackBerry smartphone does not support end-to-end SSL/TLS connections, and the user permits proxy SSL/TLS connections, a proxy connection is used instead.

For example, the following connection string asks for an end-to-end HTTPS connection but allows the platform to fall back to a proxy connection if the device cannot provide one (use EndToEndRequired instead to fail closed):

import javax.microedition.io.Connector;
import javax.microedition.io.HttpsConnection;

// Connection parameters are appended to the URL after a semicolon.
HttpsConnection stream = (HttpsConnection) Connector.open("https://host:443/;EndToEndDesired");


When the SSL/TLS connection options on the BlackBerry smartphone are set to use end-to-end (Handheld) HTTPS mode, the BlackBerry MDS Connection Service opens the TCP connection with the origin server. It also maintains a separate connection with the BlackBerry smartphone. When those connections have been established, the BlackBerry MDS Connection service passes the SSL/TLS-encrypted packets back and forth between the BlackBerry smartphone and the origin server. The encrypted packets are not decrypted at the BlackBerry MDS Connection Service, maintaining security from the origin server to the BlackBerry smartphone.
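
As an added example (not code from the original article or from RIM), the following Java ME class puts the two parameters above to work: it opens an HTTPS connection with EndToEndRequired so that the connection fails closed when the platform cannot terminate TLS on the device, retries with EndToEndDesired only when the caller explicitly accepts TLS terminating at BlackBerry MDS, and, because in end-to-end mode the handshake really does run on the smartphone, inspects the server certificate through HttpsConnection.getSecurityInfo(). It also shows the same parameter on an “ssl:” connection string via SecureConnection. The host example.com, the ports and the class and method names are assumptions; the connection-string parameters are the ones documented above, and the javax.microedition.io and javax.microedition.pki types are standard MIDP 2.0 APIs available on BlackBerry Device Software.

```java
import java.io.IOException;
import java.io.InputStream;

import javax.microedition.io.Connector;
import javax.microedition.io.HttpsConnection;
import javax.microedition.io.SecureConnection;
import javax.microedition.io.SecurityInfo;
import javax.microedition.pki.Certificate;

/**
 * Added example, not code from the original article or from RIM. Opens HTTPS
 * and raw TLS connections in end-to-end (Handheld) mode and checks the server
 * certificate the device itself negotiated. Host, port and names are assumed.
 */
public final class EndToEndHttps {

    static final String HOST = "example.com";   // placeholder host (assumption)
    static final String REQUIRED = "https://" + HOST + ":443/;EndToEndRequired";
    static final String DESIRED  = "https://" + HOST + ":443/;EndToEndDesired";

    /**
     * Fail closed by default. With EndToEndRequired the platform closes the
     * connection if TLS cannot terminate on the device, which surfaces here as
     * an IOException. Only if the caller explicitly accepts TLS terminating at
     * BlackBerry MDS instead do we retry with EndToEndDesired.
     */
    static HttpsConnection open(boolean allowProxyFallback) throws IOException {
        try {
            return (HttpsConnection) Connector.open(REQUIRED);
        } catch (IOException e) {
            if (!allowProxyFallback) {
                throw e;                                   // end-to-end or nothing
            }
            return (HttpsConnection) Connector.open(DESIRED);
        }
    }

    /**
     * Application-level checks on the certificate the device received: it must
     * be inside its validity period and its subject must name the host we meant
     * to reach. Trust-chain validation against the device key store is the
     * platform's job; these checks come on top of it.
     */
    static void checkPeer(SecurityInfo info, String expectedHost) throws IOException {
        Certificate cert = info.getServerCertificate();
        long now = System.currentTimeMillis();
        if (now < cert.getNotBefore() || now > cert.getNotAfter()) {
            throw new IOException("server certificate outside its validity period");
        }
        // getSubject() returns the DN as one string and Java ME has no DN
        // parser, so the common name is located by substring.
        if (cert.getSubject().indexOf("CN=" + expectedHost) < 0) {
            throw new IOException("certificate subject " + cert.getSubject()
                    + " does not name " + expectedHost);
        }
    }

    /** Performs a GET over an end-to-end HTTPS connection and returns the body. */
    static String fetch(boolean allowProxyFallback) throws IOException {
        HttpsConnection c = open(allowProxyFallback);
        InputStream in = null;
        try {
            c.setRequestMethod(HttpsConnection.GET);
            // getSecurityInfo() completes the TLS handshake if it has not run yet.
            checkPeer(c.getSecurityInfo(), HOST);
            int code = c.getResponseCode();
            if (code != HttpsConnection.HTTP_OK) {
                throw new IOException("HTTP status " + code);
            }
            in = c.openInputStream();
            StringBuffer body = new StringBuffer();
            int b;
            while ((b = in.read()) != -1) {
                body.append((char) b);
            }
            return body.toString();
        } finally {
            if (in != null) {
                in.close();
            }
            c.close();
        }
    }

    /**
     * The same parameter applies to the raw TLS prefix: without it an "ssl:"
     * connection may have its tunnel terminated at MDS-CS rather than on the device.
     */
    static SecureConnection openTlsTunnel(int port) throws IOException {
        SecureConnection sc = (SecureConnection) Connector.open(
                "ssl://" + HOST + ":" + port + ";EndToEndRequired");
        checkPeer(sc.getSecurityInfo(), HOST);
        return sc;
    }
}
```

In proxy mode the TLS session with the origin server is negotiated by the BlackBerry MDS Connection Service rather than by the device, so what getSecurityInfo() reports on the smartphone may not describe the origin server's certificate at all. A subject check such as checkPeer() is therefore only meaningful when end-to-end mode is actually in effect, which is why the example treats EndToEndRequired as the default and the EndToEndDesired fallback as an explicit opt-in.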


BlackBerry MDS Connection Service and Proxy Servers

The BlackBerry MDS Connection Service (MDS-CS) can be configured to connect through a proxy server. The type of connection being made from the handheld determines whether the connection can be routed through a proxy server or whether MDS-CS connects directly to the destination server, bypassing proxy servers. Applications perform a range of functions, so there are different ways to connect a client-side application to an application server; for example, the connection string may use the “https:” or “ssl:” prefix, among other options. These prefixes tell MDS-CS to handle the stream of traffic differently. Accordingly, MDS-CS has two types of proxy mapping, HTTP and HTTPS, and whether either applies is easiest to work out from the connection handler the request is assigned to. The following cases are possible:

  • HTTPS Connection Handler
  • SSL Connection Handler
  • EndToEnd Connections

  • HTTPS Connection Handler

If you use “https:” and do not add a parameter telling MDS-CS where the SSL/TLS termination point is (that is, end-to-end or proxied through MDS), MDS-CS behaves as a masquerading client: it terminates the device's connection and makes its own HTTPS connection to the origin server. The request is assigned to an HTTPS connection handler. If an HTTPS proxy mapping is configured, the handler honours it and routes the request through the proxy; if not, MDS-CS connects directly.

  • SSL Connection Handler

If you use “ssl:” with no option to force an end-to-end tunnel, the request reaches MDS-CS and is assigned to a TLS connection handler. A TLS connection handler passes the data portion of the stream through unmodified, although the client may still want MDS-CS to terminate the SSL/TLS tunnel. This handler has no proxy settings, so an “ssl:” connection is never routed through a proxy server.

  • EndToEnd Connections

A client-side application may need to create a secure tunnel from the device all the way to the application server. Some organizations require this when the default path, AES from the device to the BlackBerry Enterprise Server and then SSL/TLS from MDS-CS to the application server, does not meet their security or regulatory requirements, because that path decrypts and re-encrypts the traffic inside the corporate network. End-to-end is a parameter that can be specified with the “https:” and “ssl:” prefixes (among others). It tells the BlackBerry MDS Connection Service to treat the connection as end-to-end, in other words as an uninterrupted TCP stream. This type of connection does not observe proxy settings, because end-to-end connections (regardless of their prefix) are not handled by the HTTP or HTTPS connection handlers.
