BLACKBERRY 10 OS
SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG)
OVERVIEW

Version 1, Release 2
25 October 2013

Developed by BlackBerry Ltd. in coordination with DISA for the DoD

UNCLASSIFIED BlackBerry 10 OS Overview, V1R2 DISA Field Security Operations
25 October 2013 Developed by BlackBerry Ltd. in coordination with DISA for the DoD

Trademark Information

Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our users, and do not constitute or imply endorsement by DISA FSO or any non-Federal entity, event, product, service, or enterprise.

TABLE OF CONTENTS

1. INTRODUCTION
1.1 Background
1.2 Authority
1.3 Scope
1.4 Vulnerability Severity Category Code Definitions
1.5 SRG Compliance Reporting
1.6 SRG and STIG Distribution
1.7 Document Revisions

2. BLACKBERRY 10 OS COMPLIANCE REQUIREMENTS
2.1 Mobility Policy STIG and CMD Policy STIG
2.2 BlackBerry Device Service
2.3 BlackBerry Balance
2.4 BlackBerry Bridge
2.5 BlackBerry Smart Card Reader

3. BLACKBERRY 10 DEVICE SECURITY INFORMATION
3.1 BlackBerry Architecture
3.2 Access Control
3.2.1 Password Lock for Device and Work Space
3.2.2 Mandatory Access Control
3.3 Configuration Management
3.3.1 IT Policy
3.3.2 Over-the-air Provisioning
3.3.3 Software Configurations
3.3.4 Profiles
3.4 Identification and Authentication
3.4.1 Password
3.4.2 Certificates
3.5 Media Protection
3.6 System and Services Acquisition
3.7 System and Communications Protection
3.7.1 Cryptographic Support
3.7.1.1 Public Key Cryptography
3.7.2 System Protection
3.7.2.1 Protection of Work and Personal Data
3.7.2.2 Permissions and Access Rights
3.7.3 Communications Protection
3.7.3.1 Wi-Fi
3.7.3.2 VPN
3.7.3.3 Bluetooth
3.7.3.4 Proxy
3.8 System and Information Integrity

APPENDIX A: ACRONYMS

LIST OF TABLES

Table 1-1: Vulnerability Severity Category Code Definitions
Table 3-1: BlackBerry Device Service Components

LIST OF FIGURES

Figure 3-1: BlackBerry Device Service Architecture


1. INTRODUCTION

1.1 Background

The BlackBerry 10 OS Security Technical Implementation Guide (STIG) provides the technical security policies, configuration requirements, and implementation details for the use of the BlackBerry 10 OS under the management of a securely configured BlackBerry Device Service (BDS) server. Guidance for the Mobile Device Management (MDM) component resides in the BlackBerry Enterprise Service 10.1.x BlackBerry Device Service STIG.

1.2 Authority

DoD Directive (DoDD) 8500.1 requires that “all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines” and tasks Defense Information Systems Agency (DISA) to “develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA.” This document is provided under the authority of DoDD 8500.1.

Although SRGs and STIGs implement an applicable subset of IA controls for specific types of systems, all applicable IA controls must be applied to information systems. The current DoD IA controls are specified in DoDI 8500.2. Draft DoDI 8500.02aa states that “All DoD ISs and platform IT systems, including non-National Security System (NSS), shall be categorized in accordance with CNSSI 1253, and implement a corresponding set of security controls that are published in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.” SRGs and derived STIGs are based on NIST SP 800-53.

1.3 Scope

This document is a requirement for all DoD-administered systems and all systems connected to DoD networks. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, certification, and accreditation efforts.

1.4 Vulnerability Severity Category Code Definitions

Severity Category Codes (referred to as CAT) are a measure of vulnerabilities used to assess a facility or system security posture. Each security policy specified in this document is assigned a Severity Code of CAT I, II, or III.

Table 1-1: Vulnerability Severity Category Code Definitions

CAT I

DISA Category Code Guidelines: Any vulnerability, the exploitation of which will, directly and immediately, result in loss of Confidentiality, Availability, or Integrity.

Examples of DISA Category Code Guidelines (includes but is not limited to the following examples of direct and immediate loss):

1. May result in loss of life, loss of facilities, or equipment, which would result in mission failure.
2. Allows unauthorized access to security or administrator level resources or privileges.
3. Allows unauthorized disclosure of, or access to, classified data or materials.
4. Allows unauthorized access to classified facilities.
5. Allows denial of service or denial of access, which will result in mission failure.
6. Prevents auditing or monitoring of cyber or physical environments.
7. Operation of a system/capability which has not been approved by the appropriate Designated Accrediting Authority (DAA).
8. Unsupported software where there is no documented acceptance of DAA risk.

CAT II

DISA Category Code Guidelines: Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.

Examples of DISA Category Code Guidelines (includes but is not limited to the following examples that have a potential to result in loss):

1. Allows access to information that could lead to a CAT I vulnerability.
2. Could result in personal injury, damage to facilities, or equipment which would degrade the mission.
3. Allows unauthorized access to user or application level system resources.
4. Could result in the loss or compromise of sensitive information.
5. Allows unauthorized access to Government or Contractor owned or leased facilities.
6. May result in the disruption of system or network resources degrading the ability to perform the mission.
7. Prevents a timely recovery from an attack or system outage.
8. Provides unauthorized disclosure of or access to unclassified sensitive, Personally Identifiable Information (PII), or other data or materials.

CAT III

DISA Category Code Guidelines: Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

Examples of DISA Category Code Guidelines (includes but is not limited to the following examples that provide information which could potentially result in degradation of system information assurance measures or loss of data):

1. Allows access to information that could lead to a CAT II vulnerability.
2. Has the potential to affect the accuracy or reliability of data pertaining to personnel, resources, operations, or other sensitive information.
3. Allows the running of any applications, services or protocols that do not support mission functions.
4. Degrades a defense in depth systems security architecture.
5. Degrades the timely recovery from an attack or system outage.
6. Indicates inadequate security administration.
7. System not documented in the site’s C&A Package/System Security Plan (SSP).
8. Lack of document retention by the Information Assurance Manager (IAM) (i.e., completed user agreement forms).

1.5 SRG Compliance Reporting

All technical NIST SP 800-53 requirements were considered while developing this STIG. Requirements that are applicable and configurable are included in this STIG. A compliance report marked For Official Use Only (FOUO) is available for those items that did not meet requirements. This report is available to component DAA personnel for risk assessment purposes by request via email to [email protected].

1.6 SRG and STIG Distribution

Parties within the DoD and Federal Government's computing environments can obtain the applicable SRGs and STIGs from the Information Assurance Support Environment (IASE) website. This site contains the latest copies of any SRG, as well as STIGs, scripts, and other related security information. The Non-classified Internet Protocol Router Network (NIPRNet) Uniform Resource Locator (URL) for the IASE website is http://iase.disa.mil/.

1.7 Document Revisions

Comments or proposed revisions to this document should be sent via email to [email protected]. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA FSO maintenance release schedule.


2. BLACKBERRY 10 OS COMPLIANCE REQUIREMENTS

2.1 Mobility Policy STIG and CMD Policy STIG

General mobility policy requirements are listed in the Mobility Policy STIG and are applicable to all mobile systems used in the DoD. Commercial Mobile Device (CMD) policy requirements are listed in the CMD Policy STIG and are applicable to all CMDs used in the DoD. Both STIGs can be downloaded from http://iase.disa.mil/stigs/net_perimeter/wireless/wireless_pol.html.

2.2 BlackBerry Device Service

The BlackBerry Device Service component of the BlackBerry Enterprise Service 10 is the Mobile Device Management (MDM) component used for enterprise mobility management of BlackBerry 10 OS devices. BDS allows enterprise security administrators to enforce security policy (e.g., password usage and rules), publish enterprise profiles (e.g., Wi-Fi, VPN, etc.), and manage (e.g., change the work password and wipe the work space) BlackBerry 10 devices. Under management of BDS, all enterprise data traffic is routed through the enterprise, applying enterprise network controls and traceability. The BlackBerry 10 OS STIG covers the use of BlackBerry 10 devices only when activated with the BDS. The BlackBerry 10 devices used in DoD must be activated on, and managed by, the BDS.

2.3 BlackBerry Balance

BlackBerry 10 OS is designed to allow users to use BlackBerry 10 devices for both work and personal use. BlackBerry Balance technology distinguishes and separates work and personal data on the device. DoD data is stored and processed in the work space only, while device users manage their personal data in the personal space. The DISA SRG requirements apply only to the work space protecting DoD information, and the BlackBerry 10 OS STIG contains guidance for securing the work space, unless otherwise specified within this document.

2.4 BlackBerry Bridge

BlackBerry Bridge allows users to pair a BlackBerry smartphone and a BlackBerry PlayBook tablet. When paired, users are able to use the BlackBerry PlayBook to access the Internet using the BlackBerry smartphone’s connection, control the BlackBerry PlayBook tablet remotely using the BlackBerry smartphone, and share files and data between the devices.

A tablet and a smartphone perform Bluetooth pairing and BlackBerry Bridge pairing processes to open an encrypted and authenticated connection, utilizing ECDH and AES-256. All data transferred from the smartphone to the tablet is stored temporarily and protected using XTS-AES-256. The data from the BlackBerry smartphone remains separated between personal and work spaces using BlackBerry Balance technology and is deleted when the Bridge connection is terminated.


2.5 BlackBerry Smart Card Reader

The BlackBerry Smart Card Reader (SCR) allows users to access hardware-based tokens embedded in the DoD Common Access Card (CAC). The BlackBerry 10 smartphone must be paired with the BlackBerry SCR version 2 to correctly integrate with the CAC. For BlackBerry SCRs running unsupported software versions, an update package is available from the BlackBerry Support website. Support for the SCR is available by default in BlackBerry OS version 10.2. However, for devices running BlackBerry OS version 10.1, the Smart Card Services application must be downloaded from the support website and included in a software configuration on the BDS server for deployment. Once deployed to the BlackBerry device, the Smart Card settings panel is available in the Security and Privacy menu on the handheld device. BlackBerry 10 devices are only compatible with BlackBerry Smart Card Readers running SCRv2.

The BlackBerry SCR and BlackBerry 10 smartphone perform secure Bluetooth pairing to open an encrypted and authenticated connection, utilizing ECDH and AES-256. Once the initial pairing is completed, all data transferred from the smartphone to the SCR is encrypted and authenticated at the application layer, using AES-256 in CBC mode to encrypt the data and a keyed HMAC with SHA-512 to protect its integrity. The BlackBerry SCR also supports two-factor authentication, which binds the BlackBerry smartphone or computer to the installed smart card. After the BlackBerry smartphone or computer binds to the smart card, it requires that smart card to authenticate the user. More information on BlackBerry Smart Card Reader functionality and configuration, as well as details on the secure pairing process, can be found in the BlackBerry Smart Card Reader Version 2.0 Security Technical Overview document, available on the support website.
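The construction named in section 2.4 for BlackBerry Bridge and above for the Smart Card Reader (ECDH key agreement, then AES-256 in CBC mode for confidentiality and a keyed HMAC-SHA-512 for integrity) can be shown end to end. The Go program below is an added example written for this overview; it is not BlackBerry code and does not reproduce the proprietary pairing protocol. The P-256 curve and the derivation of the two session keys by hashing the shared secret with SHA-512 are assumptions made for the example, since the document names the primitives but not the curve or key derivation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// SessionKeys are the two keys derived from the ECDH shared secret: one for
// AES-256-CBC confidentiality, one for HMAC-SHA-512 integrity.
type SessionKeys struct {
	EncKey []byte // 32 bytes, AES-256
	MacKey []byte // 32 bytes, HMAC-SHA-512 key
}

// DeriveSessionKeys runs ECDH over P-256 and splits a SHA-512 digest of the
// shared secret into the two keys. This KDF is an assumption of the example;
// the document does not specify BlackBerry's derivation.
func DeriveSessionKeys(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (SessionKeys, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return SessionKeys{}, err
	}
	digest := sha512.Sum512(shared)
	return SessionKeys{EncKey: digest[:32], MacKey: digest[32:]}, nil
}

// Seal applies PKCS#7 padding, encrypts with AES-256-CBC under a fresh random
// IV, and appends HMAC-SHA-512 over IV||ciphertext (encrypt-then-MAC).
func Seal(k SessionKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha512.New, k.MacKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open checks the HMAC in constant time before touching the ciphertext, then
// decrypts and strips the padding. Any altered byte is rejected.
func Open(k SessionKeys, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha512.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha512.Size], msg[len(msg)-sha512.Size:]
	mac := hmac.New(sha512.New, k.MacKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed: message altered or keys differ")
	}
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	padLen := int(pt[len(pt)-1])
	if padLen == 0 || padLen > aes.BlockSize || !bytes.Equal(pt[len(pt)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-padLen], nil
}

// PairAndExchange simulates the smartphone and the reader agreeing on keys,
// sending one protected message, and detecting a flipped ciphertext bit.
func PairAndExchange(msg []byte) (recovered []byte, tamperDetected bool, err error) {
	curve := ecdh.P256()
	phone, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, false, err }
	reader, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, false, err }
	// Each side combines its own private key with the peer's public key.
	kPhone, err := DeriveSessionKeys(phone, reader.PublicKey())
	if err != nil { return nil, false, err }
	kReader, err := DeriveSessionKeys(reader, phone.PublicKey())
	if err != nil { return nil, false, err }
	sealed, err := Seal(kPhone, msg)
	if err != nil { return nil, false, err }
	if recovered, err = Open(kReader, sealed); err != nil { return nil, false, err }
	tampered := append([]byte{}, sealed...)
	tampered[aes.BlockSize] ^= 0x01 // flip one bit of the first ciphertext block
	_, tamperErr := Open(kReader, tampered)
	return recovered, tamperErr != nil, nil
}

func main() {
	pt, detected, err := PairAndExchange([]byte("constructed sample message"))
	fmt.Printf("%q tamper detected: %v err: %v\n", pt, detected, err)
}
```

The MAC is verified before any decryption is attempted, so padding errors never become an oracle for the ciphertext; that ordering is the property to check in any encrypt-then-MAC implementation.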


3. BLACKBERRY 10 DEVICE SECURITY INFORMATION

3.1 BlackBerry Architecture

Figure 3-1: BlackBerry Device Service Architecture

Table 3-1: BlackBerry Device Service Components

Component: Description

BlackBerry Administration Service: The BlackBerry Administration Service is used to manage the BlackBerry Device Service and the user accounts and devices that are associated with it. Through this utility it is possible to manage user accounts and assign groups, administrative roles, software configurations, email profiles, and IT policies to user accounts. The BlackBerry Administration Service connects to the BlackBerry Configuration Database.

BlackBerry Configuration Database: The BlackBerry Configuration Database is a relational database that contains user account information and configuration information (such as connection details) that the BlackBerry Device Service components use.

BlackBerry Mail Store Service: The BlackBerry Mail Store Service connects to the Microsoft Active Directory and retrieves user information that the BlackBerry Administration Service requires to activate user accounts. User accounts can only be added to the BlackBerry Device Service if the user account exists in the corresponding Microsoft Active Directory.

Enterprise Management Web Service: The Enterprise Management Web Service is a set of web services that communicate commands, configuration information, IT policies, VPN profiles, Wi-Fi profiles, and email profiles between the BlackBerry Administration Service and the Enterprise Management Agent on the devices.

BlackBerry MDS Connection Service: The BlackBerry MDS Connection Service provides a secure connection between the Enterprise Management Agent on the devices and the Enterprise Management Web Service in the BlackBerry Device Service. The connection is used when the device is not connected to a work Wi-Fi network or VPN.

BlackBerry Dispatcher: The BlackBerry Dispatcher maintains a connection with the BlackBerry Infrastructure over the Internet. The BlackBerry Dispatcher is responsible for compressing and encrypting, and decrypting and decompressing, data that travels over the Internet to and from the devices.

BlackBerry Web Desktop Manager: The BlackBerry Web Desktop Manager is a web application that permits users to activate and manage devices.

Microsoft Active Directory: The BlackBerry Mail Store Service obtains, from the Microsoft Active Directory, user account information required to create user accounts in the BlackBerry Device Service.

Work Wi-Fi network: After a device is activated on the BlackBerry Device Service, communication between the BlackBerry Device Service and the device can occur over an organization’s Wi-Fi network when the device is within a wireless coverage area and enabled for access as may be required by the organizational network security policies.

External Wi-Fi access point: Depending on the organization's network configuration, communication can occur between the BlackBerry Device Service and devices that are located outside the firewall and connected to the Internet over an external Wi-Fi connection.

Firewall: The BlackBerry Device Service requires an outbound-initiated, bidirectional connection through port 3101 on the firewall and over the Internet to the BlackBerry Infrastructure to transport data to and from the devices.

Internet: The Internet transports data between the BlackBerry Infrastructure and the BlackBerry Device Service. Depending on the network configuration, the devices may also communicate with the BlackBerry Device Service using a VPN connection over the Internet.
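The Firewall row of Table 3-1 is a checkable rule: the only traffic expected on port 3101 is outbound-initiated from the BDS host toward the BlackBerry Infrastructure. The Go program below is an added example for this overview, not part of the STIG or of any BlackBerry tool; it evaluates constructed flow records against that rule. The BDS address 10.1.2.10, the infrastructure address 198.51.100.7 and the log format are all constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Flow is one connection record as a firewall might log it. Direction is
// seen from the BDS host: "out" means the BDS host initiated the connection,
// "in" means a remote host did. The field layout is constructed.
type Flow struct {
	Src, Dst  string
	Port      int
	Direction string
}

// Finding explains why a flow violates the expected BDS connectivity.
type Finding struct {
	Flow   Flow
	Reason string
}

// CheckFlows applies the Table 3-1 rule: only the BDS host opens connections
// on 3101, they are outbound-initiated, and they go to the BlackBerry
// Infrastructure. Flows on other ports are out of scope for this check.
func CheckFlows(bdsHost string, infraHosts []string, flows []Flow) []Finding {
	infra := map[string]bool{}
	for _, h := range infraHosts {
		infra[h] = true
	}
	var findings []Finding
	for _, f := range flows {
		if f.Port != 3101 {
			continue
		}
		switch {
		case f.Direction == "in":
			findings = append(findings, Finding{f, "inbound-initiated connection on 3101; BDS requires outbound-initiated only"})
		case f.Src != bdsHost:
			findings = append(findings, Finding{f, "3101 connection from a host other than the BDS server"})
		case !infra[f.Dst]:
			findings = append(findings, Finding{f, "3101 connection to a destination that is not the BlackBerry Infrastructure"})
		}
	}
	return findings
}

// ParseFlows reads the constructed "src dst port direction" line format.
func ParseFlows(log string) []Flow {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var f Flow
		if _, err := fmt.Sscanf(line, "%s %s %d %s", &f.Src, &f.Dst, &f.Port, &f.Direction); err == nil {
			flows = append(flows, f)
		}
	}
	return flows
}

// SampleLog is a constructed flow log, not captured data.
const SampleLog = `
10.1.2.10 198.51.100.7 3101 out
10.1.2.10 198.51.100.8 443 out
203.0.113.9 10.1.2.10 3101 in
10.1.2.55 198.51.100.7 3101 out
10.1.2.10 192.0.2.44 3101 out
`

func main() {
	for _, f := range CheckFlows("10.1.2.10", []string{"198.51.100.7"}, ParseFlows(SampleLog)) {
		fmt.Printf("%s -> %s/%d (%s): %s\n", f.Flow.Src, f.Flow.Dst, f.Flow.Port, f.Flow.Direction, f.Reason)
	}
}
```

Run against the sample, the first flow is the expected one and produces nothing; the inbound attempt, the connection from a non-BDS host, and the connection to an address outside the infrastructure list each produce a finding.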

3.2 Access Control

3.2.1 Password Lock for Device and Work Space

The BlackBerry 10 devices feature password lock mechanisms to protect the personal and work data. The work space password through BlackBerry Balance protects DoD data stored in the work space of the device, whereas the personal data is protected with the device password. When locked, the OS hides what was previously visible on the screen and remains in this state until the user is authenticated using the device password.

With the work space password set, the work space is locked when the user directly initiates the lock on the work space, after the configured time of inactivity, or when the device is instructed by a BDS administrator.

A BlackBerry 10 device user is allowed a maximum number of attempts to unlock the device and the work space, preventing an adversary from bypassing the password lock by brute force. By default, the maximum number of password attempts is set at 10. However, this value for the work space can be configured on the BDS. When the maximum allowed number of attempts to unlock the device is reached, BlackBerry 10 OS performs a security wipe, deleting all data in storage. On the other hand, when the maximum number of attempts to unlock the work space is reached, the OS wipes and removes the work space on the BlackBerry 10 device.

The BDS can also enforce rules on the work space password, such as length, complexity, age, and history. The work space password the user creates on the BlackBerry 10 device must be at least 8 characters, and contain at least:

- 1 uppercase letter
- 1 lowercase letter
- 1 number
- 1 special character

When activated on the BDS, the BlackBerry 10 user will be forced to create a password which satisfies these rules.
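The attempt-limit behaviour described above (a device limit of 10, a BDS-configurable work space limit, a full security wipe for the device versus removal of the work space) is modelled in the added Go example below. It is illustrative code written for this overview, not BlackBerry's implementation; the password comparison itself is left outside the model, and resetting a lock's counter on a successful unlock is an assumption of the example.

```go
package main

import "fmt"

// Scope identifies which password lock an attempt is made against.
type Scope int

const (
	Device    Scope = iota // device password, protects the personal space
	W1orkSpace              // placeholder replaced below; see WorkSpace
)

// WorkSpace is the second scope: the work space password protecting DoD data.
const WorkSpace Scope = 1

// Outcome of one unlock attempt.
type Outcome string

const (
	Unlocked       Outcome = "unlocked"
	Rejected       Outcome = "rejected; attempts remain"
	DeviceWiped    Outcome = "security wipe: all data in storage deleted"
	WorkSpaceWiped Outcome = "work space wiped and removed"
)

// LockState tracks failed attempts for both locks. The device limit is the
// documented default of 10; the work space limit is whatever the BDS set.
type LockState struct {
	DeviceMax, WorkMax     int
	deviceTries, workTries int
	DeviceWipedFlag        bool // set once the full security wipe has run
	WorkRemoved            bool // set once the work space is gone
}

// NewLockState takes the BDS-configured work space limit; 0 selects the default.
func NewLockState(workMax int) *LockState {
	if workMax <= 0 {
		workMax = 10
	}
	return &LockState{DeviceMax: 10, WorkMax: workMax}
}

// Attempt records one unlock attempt. The password comparison happens
// elsewhere; `correct` is its result. A correct entry resets that lock's
// counter (an assumption of the model); reaching the limit runs the wipe.
func (s *LockState) Attempt(scope Scope, correct bool) Outcome {
	tries, limit := &s.deviceTries, s.DeviceMax
	if scope == WorkSpace {
		tries, limit = &s.workTries, s.WorkMax
	}
	if correct {
		*tries = 0
		return Unlocked
	}
	*tries++
	if *tries < limit {
		return Rejected
	}
	*tries = 0
	if scope == Device {
		s.DeviceWipedFlag, s.WorkRemoved = true, true // all storage goes, work space included
		return DeviceWiped
	}
	s.WorkRemoved = true
	return WorkSpaceWiped
}

func main() {
	s := NewLockState(5) // constructed: the BDS configured a work space limit of 5
	for i := 0; i < 5; i++ {
		fmt.Println(s.Attempt(WorkSpace, false))
	}
}
```

The point the model makes visible is that the two counters are independent: exhausting the work space limit removes only the work space, while exhausting the device limit destroys everything, work space included.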

3.2.2 Mandatory Access Control

BlackBerry 10 OS enforces mandatory access control (MAC) policies to prohibit any application, user, or process from modifying software in the trusted computing base. It also enforces a MAC policy that prohibits any application from accessing the private data or code of another application.

3.3 Configuration Management

Enterprise-related configurations of BlackBerry 10 devices are configured on the BDS. Administrators can create and manage configurations on the BDS, and assign them to a single user or group of users. The configurations consist of IT policies, software configurations, and Wi-Fi, VPN, and email profiles. As part of enterprise activation, the BDS sends the assigned configuration to the device. Changes to the assigned configuration are also published to the device automatically. Configurations from the BDS harden the security posture of the BlackBerry 10 devices, as well as prevent misconfigurations that may arise.

BDS administrators can also remotely control access to BlackBerry 10 devices. Administrators can remotely set a new device password and lock the device, or wipe all device data or only the work space data.

3.3.1 IT Policy

IT Policies are used to control and manage BlackBerry 10 devices from the BDS. IT Policies consist of IT Policy rules, which centrally configure and control device behavior and enforce that configuration. When a rule is specified, the applicable configuration is grayed out on the device, prohibiting the device user from modifying or disabling it. For example, when an IT Policy rule is set by the administrator to enforce a password-protected lock feature for the work space or the full device, the device user cannot disable this feature on the BlackBerry 10.

3.3.2 Over-the-air Provisioning

Over-the-air (OTA) provisioning of BlackBerry 10 devices from the BDS is through a secure communication channel using bi-directional PKI-based cryptographic authentication methods when the device is activated. The provisioning data in transit is protected using both transport layer encryption (using AES-256) and TLS. The BlackBerry 10 device and the BDS generate message keys to protect the integrity of the data sent to each other.

3.3.3 Software Configurations

Work applications on BlackBerry 10 devices can be managed by the BDS. System administrators can create, manage, and assign software configurations that consist of applications for organizational use. Applications can be assigned as required or as optional applications. Required applications are installed on BlackBerry 10 devices during activation and cannot be removed by the device user, whereas optional applications are available for download and install through the “BlackBerry World - Work” application in the work space, and can be removed later. The applications cannot be modified, unless they are updated from the BDS. Each application is signed by Research In Motion, and the integrity of the application is validated during install and startup.
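The signed-application check described above (the signature verified at install and again at every startup) is illustrated by the added Go example below. It is not the BlackBerry 10 OS implementation and does not use Research In Motion's signing key or package format; the vendor key, the package layout, and ECDSA over P-256 with a SHA-256 digest are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is a constructed stand-in for a signed application package:
// the application bytes plus an ECDSA signature over their SHA-256 digest.
type SignedPackage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// SignPackage is what the publisher does once, with the vendor's private key.
func SignPackage(vendor *ecdsa.PrivateKey, name string, payload []byte) (SignedPackage, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, vendor, digest[:])
	if err != nil {
		return SignedPackage{}, err
	}
	return SignedPackage{Name: name, Payload: payload, Signature: sig}, nil
}

// VerifyPackage is the check the device runs at install and at every startup:
// recompute the digest of the bytes it has and verify it against the trusted
// vendor public key. Any change to the bytes invalidates the signature.
func VerifyPackage(vendorPub *ecdsa.PublicKey, p SignedPackage) error {
	digest := sha256.Sum256(p.Payload)
	if !ecdsa.VerifyASN1(vendorPub, digest[:], p.Signature) {
		return errors.New("integrity check failed: " + p.Name + " does not match its signature")
	}
	return nil
}

// Installed models what the OS keeps after a successful install.
type Installed struct {
	pkg       SignedPackage
	vendorPub *ecdsa.PublicKey
}

// Install refuses a package whose signature does not verify.
func Install(vendorPub *ecdsa.PublicKey, p SignedPackage) (*Installed, error) {
	if err := VerifyPackage(vendorPub, p); err != nil {
		return nil, err
	}
	return &Installed{pkg: p, vendorPub: vendorPub}, nil
}

// Start re-verifies the stored bytes, so a modification made after install is caught.
func (in *Installed) Start() error { return VerifyPackage(in.vendorPub, in.pkg) }

// Demo signs, installs, and starts a constructed package, then modifies one
// stored byte and starts it again.
func Demo() (installOK, startOK, tamperedStartRejected bool, err error) {
	vendor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed vendor key
	if err != nil {
		return
	}
	p, err := SignPackage(vendor, "work-app.bar", []byte("constructed application bytes"))
	if err != nil {
		return
	}
	in, err := Install(&vendor.PublicKey, p)
	if err != nil {
		return
	}
	installOK = true
	startOK = in.Start() == nil
	in.pkg.Payload[0] ^= 0xFF // simulate modification of the installed binary
	tamperedStartRejected = in.Start() != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Verifying again at startup, not only at install, is what turns the signature into an integrity control for the application's whole lifetime rather than a one-time provenance check.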

3.3.4 Profiles

BDS administrators can create and manage profiles for BlackBerry 10 devices. Email, SCEP,

Wi-Fi, and VPN profiles can be configured and published to device users from a centrally

managed source.

3.4 Identification and Authentication

3.4.1 Password

There are two password protection mechanisms on the BlackBerry 10 device. Users must

authenticate using:

- A device password to access the personal space

- A work space password to access the work space

The use of a work space password and its rules are enforced by the BDS. The user must create

(at minimum) a 4-digit password without complexity for the device to protect the personal space.

Page 20: U blackberry 10 os v1r2 overview

UNCLASSIFIED BlackBerry 10 OS Overview, V1R2 DISA Field Security Operations

25 October 2013 Developed by BlackBerry Ltd. in coordination with DISA for the DoD

12

UNCLASSIFIED

Administrators can enforce work space password rules, such as required character set, maximum age, minimum length, and history. However, BlackBerry 10 OS does not require device users to change at least two characters whenever the work space password is changed, and does not prevent the password from containing sequential numbers. Device users should follow these two requirements themselves as a mitigation until BlackBerry implements such a feature. Passwords are stored on the device encrypted using XTS-AES-256. Passwords used to authenticate to work or personal accounts are always transmitted over secure channels, never in clear text, and are obscured on the screen as they are entered on the device.
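The rule set just described, as an added Go example that is not code from the STIG or from BlackBerry: it evaluates a candidate work space password against the rules BDS enforces (character set, maximum age, minimum length, history) and against the two rules the OS leaves to the user (at least two characters changed, no sequential numbers). The policy values, the password history and the candidate passwords are constructed, and the "two characters changed" and "sequential numbers" checks are one reasonable reading of those requirements, not BlackBerry's definition.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy holds the work space password rules. Values used below are constructed.
type Policy struct {
	MinLength      int
	RequireUpper   bool
	RequireDigit   bool
	RequireSymbol  bool
	HistoryDepth   int           // number of previous passwords that may not be reused
	MaxAge         time.Duration // password must be changed after this long
	MinCharsChange int           // positions that must differ from the previous password
}

// Violations lists every rule the candidate breaks; empty means acceptable.
// history[0] is the current (most recent) password.
func Violations(p Policy, candidate string, history []string) []string {
	var v []string
	if len([]rune(candidate)) < p.MinLength {
		v = append(v, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	var upper, digit, symbol bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	if p.RequireUpper && !upper {
		v = append(v, "missing uppercase letter")
	}
	if p.RequireDigit && !digit {
		v = append(v, "missing digit")
	}
	if p.RequireSymbol && !symbol {
		v = append(v, "missing symbol")
	}
	for i, old := range history {
		if i >= p.HistoryDepth {
			break
		}
		if old == candidate {
			v = append(v, fmt.Sprintf("reuses one of the last %d passwords", p.HistoryDepth))
			break
		}
	}
	if len(history) > 0 && charsChanged(history[0], candidate) < p.MinCharsChange {
		v = append(v, fmt.Sprintf("fewer than %d characters changed", p.MinCharsChange))
	}
	if hasSequentialDigits(candidate) {
		v = append(v, "contains sequential numbers")
	}
	return v
}

// Expired reports whether the password has outlived the policy's maximum age.
func Expired(p Policy, lastChanged, now time.Time) bool {
	return now.Sub(lastChanged) > p.MaxAge
}

// charsChanged counts positions whose character differs between old and cur;
// any extra length on either side also counts as changed characters.
func charsChanged(old, cur string) int {
	a, b := []rune(old), []rune(cur)
	n := 0
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			n++
		}
	}
	if len(a) > len(b) {
		return n + len(a) - len(b)
	}
	return n + len(b) - len(a)
}

// hasSequentialDigits reports a run of three or more consecutive ascending or
// descending digits, such as "123" or "987" (constructed definition).
func hasSequentialDigits(s string) bool {
	r := []rune(s)
	for i := 0; i+2 < len(r); i++ {
		if !unicode.IsDigit(r[i]) || !unicode.IsDigit(r[i+1]) || !unicode.IsDigit(r[i+2]) {
			continue
		}
		if (r[i+1]-r[i] == 1 && r[i+2]-r[i+1] == 1) || (r[i]-r[i+1] == 1 && r[i+1]-r[i+2] == 1) {
			return true
		}
	}
	return false
}

func main() {
	p := Policy{MinLength: 8, RequireUpper: true, RequireDigit: true, RequireSymbol: true,
		HistoryDepth: 5, MaxAge: 60 * 24 * time.Hour, MinCharsChange: 2}
	history := []string{"Winter!2013", "Autumn!2013"} // constructed previous passwords
	for _, cand := range []string{"Winter!2014", "Spring!123", "Spring!2014x"} {
		fmt.Printf("%-13s -> [%s]\n", cand, strings.Join(Violations(p, cand, history), "; "))
	}
}
```

Maximum age is checked separately with Expired, since it depends on when the password was last set rather than on its content; a real enforcement point would run both checks.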

3.4.2 Certificates

Certificates on the BlackBerry 10 device are used to authenticate using the public key when connecting to remote information systems, and with organizational resources such as a messaging server, Wi-Fi network, or VPN. When authenticating using certificates, the certificate is validated by constructing a certification path with status information to a trust anchor. The OS also verifies the certificate’s revocation status before verifying its authenticity. During this process, the BlackBerry 10 device alerts the user and provides the option to deny acceptance of the certificate when:

- The certificate is invalid
- The certificate is issued from an untrusted certificate authority
- The revocation status of the certificate cannot be verified

All private key materials in the key store are encrypted using AES-256 and stored in the encrypted domain of the file system. Files in the encrypted domain are protected by a hierarchy of encryption keys, stemming from the KEK embedded in the processor during the manufacturing process.
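To make the three alert conditions concrete, the following added Go example (not part of the STIG or of BlackBerry 10 OS; it relies on Go's standard crypto/x509 package) builds a constructed trust anchor, a constructed untrusted root and a CRL, then classifies a client certificate as accepted, invalid, issued by an untrusted CA, revoked, or of unverifiable revocation status. A missing, unparsable, unauthenticated or stale CRL is reported as "cannot be verified" rather than as a pass, which is the conservative reading of the third condition above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdicts: the three conditions the overview lists, plus revoked and accepted.
const (
	Accepted          = "accepted"
	Invalid           = "invalid certificate"
	UntrustedCA       = "issued by untrusted certificate authority"
	RevocationUnknown = "revocation status cannot be verified"
	Revoked           = "certificate revoked"
)

// issue creates a constructed certificate; a nil parent means self-signed (a root).
func issue(cn string, serial int64, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA needs cert and CRL signing rights and no client EKU
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// makeCRL signs a CRL from the CA listing the given serial numbers as revoked.
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: entries}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	return der
}

// Evaluate builds a path from leaf to a trust anchor, then checks revocation
// status against crlDER (nil models an unreachable CRL/OCSP source).
func Evaluate(leaf *x509.Certificate, roots *x509.CertPool, crlDER []byte) string {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	var unknownCA x509.UnknownAuthorityError
	if errors.As(err, &unknownCA) {
		return UntrustedCA
	}
	if err != nil {
		return Invalid // expired, wrong key usage, bad signature, and so on
	}
	if crlDER == nil {
		return RevocationUnknown // no status information reachable
	}
	crl, err := x509.ParseRevocationList(crlDER)
	issuer := chains[0][1] // the leaf's direct issuer in the validated path
	if err != nil || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
		return RevocationUnknown // unparsable, unauthenticated or stale status is no status
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Revoked
		}
	}
	return Accepted
}

// Scenarios runs one constructed certificate through each outcome.
func Scenarios() map[string]string {
	trusted, trustedKey := issue("Constructed Trusted Root", 1, time.Now().Add(48*time.Hour), true, nil, nil)
	rogue, rogueKey := issue("Constructed Untrusted Root", 1, time.Now().Add(48*time.Hour), true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	soon, past := time.Now().Add(24*time.Hour), time.Now().Add(-time.Minute)
	crl := makeCRL(trusted, trustedKey, 300) // serial 300 is revoked
	leaf := func(ca *x509.Certificate, k *ecdsa.PrivateKey, serial int64, exp time.Time) *x509.Certificate {
		c, _ := issue(fmt.Sprintf("device-%d", serial), serial, exp, false, ca, k)
		return c
	}
	return map[string]string{
		"valid":        Evaluate(leaf(trusted, trustedKey, 100, soon), roots, crl),
		"expired":      Evaluate(leaf(trusted, trustedKey, 200, past), roots, crl),
		"untrusted-ca": Evaluate(leaf(rogue, rogueKey, 100, soon), roots, crl),
		"no-crl":       Evaluate(leaf(trusted, trustedKey, 100, soon), roots, nil),
		"revoked":      Evaluate(leaf(trusted, trustedKey, 300, soon), roots, crl),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-13s %s\n", name, verdict)
	}
}
```

The untrusted-CA case is separated from the generic invalid case by the error type Verify returns, which is what lets a device show the user a specific reason rather than a single "certificate problem" prompt.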

3.5 Media Protection

BlackBerry 10 devices support micro SD cards. The media card storage is considered to be in the personal space, and BlackBerry Balance prevents DoD data from being transferred from the work space to the personal space, including the media card. Encrypting the media card to protect the user’s personal data is optional. The security wipe procedure in BlackBerry 10 OS does not wipe the removable media. However, if the media card is encrypted, the security wipe procedure wipes the encryption key that protects the media card, and because the card’s contents are encrypted, the card becomes inaccessible without that key.

3.6 System and Services Acquisition

Due to the dual persona nature of BlackBerry 10 devices, use of only DoD approved software or applications is enforced on the work space only. BlackBerry 10 users are able to download and install any publicly available application from BlackBerry World for personal usage. BDS administrators must prohibit the use of Development Mode to ensure device users can download and install applications from BlackBerry World only.

3.7 System and Communications Protection


3.7.1 Cryptographic Support

BlackBerry 10 utilizes Cryptographic Kernel v5.6, a FIPS 140-2 validated cryptographic module, to protect data on the device and in transit. The cryptographic module is also used to protect data for VPN, Bluetooth, and Wi-Fi communications, as well as to protect the certificate store and for key management and digital signature implementations. The cryptographic module utilizes AES-256 encryption to protect data at rest and in transit for communicating with DoD resources via the BDS.

3.7.1.1 Public Key Cryptography

BlackBerry 10 supports software-based and hardware-based asymmetric key technology. Certificates are used for the Web, Wi-Fi, VPN profiles, etc. and can be managed by the BDS. BDS administrators can use SCEP Profiles to publish required DoD certificates, including DoD root and intermediate, and client certificates to be stored in the enterprise certificate store in the work space of the BlackBerry 10 device. In order to access hardware-based tokens embedded in the DoD Common Access Card, the device must be paired with a BlackBerry Smart Card Reader. In BlackBerry 10 OS version 10.1, this can be achieved by deploying the “Smart Card Subsystem” application from BlackBerry Device Service.

3.7.2 System Protection

3.7.2.1 Protection of Work and Personal Data

Data on BlackBerry 10 is stored in personal and work file systems. BlackBerry Balance technology distinguishes and separates personal and work applications and data and stores them in their respective file systems. The work file system consists of work apps and data and is encrypted by default. The personal file system consists of personal apps and data with optional encryption support, which can be enforced from the BDS. XTS-AES-256 encryption is utilized to protect both file systems.

3.7.2.2 Permissions and Access Rights

3.7.2.2.1 Device User

BlackBerry 10 OS assigns a user account to the device user with limited privileges. The device user is therefore prohibited from directly administering UIDs, file permissions, and system configuration files, and from starting and stopping system processes.

3.7.2.2.2 Applications

As previously stated, BlackBerry Balance technology distinguishes and separates personal and work applications and data. Inherently, a personal application has read-write access to its private data and files in the personal file system, but does not have any access to work data. By default, a work application has read-write access to its private data and files in the work file system, and read-only access to files in the personal file system. The “Work App Access to Shared Files in the Personal Space” rule must be set to “Disallow” in BlackBerry Device Service to achieve complete separation of work and personal data.

Applications on BlackBerry 10 OS can be installed from the BlackBerry World application storefront. While applications for the personal space consist of all publicly available apps in BlackBerry World, BDS administrators have the ability to publish a whitelist of applications for the work space, thus preventing use of non-DoD applications (e.g., IM systems) in the work space, and can publish apps directly from the BDS in the DoD network. All applications published in BlackBerry World are scanned and monitored for malicious behavior, and signed by the RIM signing authority, which can be verified by BlackBerry 10 OS during install and launch; this binding of the digital signature to the application remains until the application is deleted or updated. If the integrity of the application cannot be verified, BlackBerry 10 OS notifies the user.
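The install-time and launch-time signature checks described here and in Section 3.3 above, as an added Go example that is not code from the STIG, from BlackBerry or from the RIM signing authority. It models a signing authority with a constructed Ed25519 key (Go's standard crypto/ed25519), verifies a package before install, binds the signature to the installed copy, re-verifies at every launch so an on-device modification is reported, and only replaces the binding through an update that itself verifies. Package names and code bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is what the storefront distributes: code plus the authority's
// signature over its SHA-256 digest (constructed model of a signed app).
type Package struct {
	Name      string
	Code      []byte
	Signature []byte
}

// Installed is the device-side record: the stored code and the signature
// bound to it at install time.
type Installed struct {
	Name      string
	Code      []byte
	Signature []byte
}

// ErrUntrusted is the outcome that ends in a user notification.
var ErrUntrusted = errors.New("integrity cannot be verified; notify the user")

// Sign models the signing authority (constructed key, not RIM's).
func Sign(priv ed25519.PrivateKey, name string, code []byte) Package {
	d := sha256.Sum256(code)
	return Package{Name: name, Code: code, Signature: ed25519.Sign(priv, d[:])}
}

// verify checks that sig is the authority's signature over code's digest.
func verify(pub ed25519.PublicKey, code, sig []byte) bool {
	d := sha256.Sum256(code)
	return ed25519.Verify(pub, d[:], sig)
}

// Install verifies the package before it is written to the file system and
// keeps the signature bound to the installed copy.
func Install(pub ed25519.PublicKey, p Package) (*Installed, error) {
	if !verify(pub, p.Code, p.Signature) {
		return nil, ErrUntrusted
	}
	return &Installed{Name: p.Name, Code: append([]byte(nil), p.Code...),
		Signature: append([]byte(nil), p.Signature...)}, nil
}

// Launch re-verifies the stored bytes against the bound signature, so any
// modification after install (other than a signed update) is detected.
func Launch(pub ed25519.PublicKey, app *Installed) error {
	if !verify(pub, app.Code, app.Signature) {
		return ErrUntrusted
	}
	return nil
}

// Update replaces code and signature together; a package that does not
// verify leaves the existing installation untouched.
func Update(pub ed25519.PublicKey, app *Installed, p Package) error {
	fresh, err := Install(pub, p)
	if err != nil {
		return err
	}
	*app = *fresh
	return nil
}

// Demo walks through install, launch, tamper, rejected update, accepted
// update and launch again, returning one line per step.
func Demo() []string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	out := func(step string, err error) string {
		if err != nil {
			return step + ": " + err.Error()
		}
		return step + ": ok"
	}
	var steps []string
	app, err := Install(pub, Sign(priv, "work-app", []byte("constructed v1 binary")))
	steps = append(steps, out("install", err))
	steps = append(steps, out("launch", Launch(pub, app)))
	app.Code[0] ^= 0xFF // unauthorized modification of the stored copy
	steps = append(steps, out("launch after tamper", Launch(pub, app)))
	steps = append(steps, out("update signed by untrusted key", Update(pub, app, Sign(rogue, "work-app", []byte("v2")))))
	steps = append(steps, out("update signed by authority", Update(pub, app, Sign(priv, "work-app", []byte("v2")))))
	steps = append(steps, out("launch after update", Launch(pub, app)))
	return steps
}

func main() {
	for _, s := range Demo() {
		fmt.Println(s)
	}
}
```

The point of re-checking at launch rather than only at install is that the stored copy, not the downloaded package, is what executes; a check that happens once cannot detect a later change to the file system.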

To ensure applications are given only the permissions that DoD has authorized, the device user must inspect each application and verify that only the proper permissions are granted. Applications on BlackBerry 10 OS are launched and executed only at the user’s direction.

3.7.3 Communications Protection

Network connections are terminated by the OS when an application requests the termination, including when the application is closed, or after a DoD defined time period of inactivity forcing BlackBerry 10 to lock. See Section 3.1 for details on enabling device lock after a specified period of inactivity.

BlackBerry 10 OS does not allow remote activation of applications or functions without explicit user instructions. The OS does not contain the capability to filter traffic based on IP address and port. However, because work traffic is routed through BlackBerry MDS Connection Service, network traffic to BlackBerry 10 can be filtered within the DoD organization.

3.7.3.1 Wi-Fi

The Wi-Fi module on BlackBerry 10 OS is WPA2 certified for both enterprise and personal use, and can be configured to use EAP-TLS authentication and AES-CCMP encryption for connecting and authenticating to DoD networks. For DoD Wi-Fi networks, BDS administrators are required to create a work Wi-Fi profile to enforce use of these security types. Remote access to the BlackBerry 10 device via Wi-Fi must be prohibited.

3.7.3.2 VPN

The VPN client on BlackBerry 10 OS can be configured to utilize IPSec, SSL/TLS, and certificates to authenticate and connect to DoD networks. VPN profiles, which include these configurations, must be managed and published from the BDS. Once published, the user is required to use the BDS-configured gateway and authentication types.

3.7.3.3 Bluetooth


The Bluetooth module on BlackBerry 10 devices cannot be turned off by BDS administrators, due to the dual persona nature of the device. However, BDS administrators can configure the “Transfer Work Contacts Using Bluetooth PBAP or HFP”, “Transfer Work Files Using Bluetooth OPP”, and “Transfer Work Messages Using Bluetooth MAP” IT Policy rules to “Disallow” to protect DoD data from Bluetooth usage.

When pairing with a device, the Bluetooth module prohibits any data transfer prior to Bluetooth mutual authentication, which utilizes Bluetooth 4.0 authentication techniques with a combination of public key cryptography and passkey, mitigating risk.

3.7.3.4 Proxy

If a DoD proxy server must be used, a proxy profile must be created on the BDS. The proxy profile can then be assigned to Wi-Fi and VPN profiles, forcing traffic to flow through the proxy server.

3.8 System and Information Integrity

The integrity of BlackBerry 10 OS is verified during boot up. If an integrity check failure is detected during this process, the OS does not boot, preventing potentially malicious code from executing.

Information about the OS can be obtained on the device from the “Settings” menu by selecting “About”. Information such as the OS version is also reported to the BDS. When OS updates (including security patches to remediate flaws) are published, device users receive a notification of their availability, and upon user initiation the updates are downloaded and installed. BlackBerry 10 device users are required to update the operating system to the latest DoD approved software, currently version 10.1.

The internal clock of BlackBerry 10 OS must be synchronized with an authoritative time server.

There are two separate browsers on BlackBerry 10 OS, one each for the personal and work spaces. While the work space browser directs all its traffic through DoD infrastructure, the personal space browser does not. The personal space browser cannot be removed at this time.


APPENDIX A: ACRONYMS

AES Advanced Encryption Standard

BDS BlackBerry Device Service

BES BlackBerry Enterprise Service

C&A Certification and Accreditation

CAC Common Access Card

CAT Severity Category Code

CCMP Counter Cipher Mode with Block Chaining Message Authentication Code Protocol

CMD Commercial Mobile Device

CNSS Committee on National Security Systems

CNSSI Committee on National Security Systems Instruction

DAA Designated Accrediting Authority

DISA Defense Information Systems Agency

DoD Department of Defense

DoDD DoD Directive

EAP Extensible Authentication Protocol

ECDH Elliptic curve Diffie-Hellman

FIPS Federal Information Processing Standard

FOUO For Official Use Only

FSO Field Security Operations

HFP Hands-Free Profile

IA Information Assurance

IAM Information Assurance Manager

IAO Information Assurance Officer

IASE Information Assurance Support Environment

IM Instant Messaging

IP Internet Protocol

IPSec Internet Protocol Security

IT Information Technology

k 2^10 or 1024

m 2^20 or 1048576

MAC Mission Assurance Category; Mandatory Access Control

MAP Message Access Profile

MDM Mobile Device Management

MDS Mobile Data System

NIPRNet Non-classified Internet Protocol Router Network

NIST National Institute of Standards and Technology

NSA National Security Agency

OPP Object Push Profile

OS Operating System

OTA Over-the-air

PBAP Phone Book Access Profile


PII Personally Identifiable Information

PIN Personal Identification Number

PKI Public Key Infrastructure

SA System Administrator

SCEP Simple Certificate Enrollment Protocol

SM Security Manager

SP Special Publication

SRG Security Requirement Guide

SSL Secure Sockets Layer

SSP System Security Plan

STIG Security Technical Implementation Guide

TLS Transport Layer Security

UID User ID

URL Uniform Resource Locator

VPN Virtual Private Network

WPA Wi-Fi Protected Access