Link to home
Create AccountLog in
Avatar of therearestupidquestions
therearestupidquestionsFlag for United States of America

asked on

Is BlackBerry REALLY safe? How does this compare to the iPhone or Android?

Short version:  The claim is that the BlackBerry operating system is inherently safe.  Apparently, this is universally believed, so much so that not even Symantec, Kaspersky, Etc. sell any sort of security software for BlackBerries.  Is it really so?

Longer version:  First, see "Short version," above.  Add the following to that.  If I understand correctly, BlackBerry devices are considered secure, and in no need of security software, because of a few reasons.*  (I should mention that my BlackBerry--which is what I care about, and I'm limiting the scope of my question to this type of setup--connects to the Web, including email, via a personal, Verizon account.  I don't get email from, say, my employer's Exchange server.  I get my email from GMail.)

First, the telephone traffic between my BlackBerry and anybody I'm talking to is encrypted.  Even if it weren't, it wouldn't matter, because, even in theory, it's impossible to break into the PC-type features of the device (such as stored voice notes and music, the ability to install software on the device, Etc.) by making a telephone call to the device.  By theoretically impossible, I'm talking the same level of impossibility as, say, trying to install a program on my device by holding an installation CD next to the device, and have the program jump from the CD into the device.  The most brilliant NSA hacker, even with an infinite budget, could not get a program to install by either of these methods.

Clearly, my absurd example is correct.  You can't install software from a CD on anything without a laser beam, somewhere along the way, reading the data off of the CD.  I'm betting that receiving a telephone call on the device poses a bigger security risk than physically holding a CD with a program saved on it next to my BlackBerry does.  Am I right about this at least?  Even if I am right that the risk is bigger than my absurd scenario, is it still correct to say that, even in theory, it's impossible for somebody to install malware on my device, or, say, read the contents of my device's memory card, just because I accepted a phone call from the wrong party?  Why can't it be done?  BTW, I'm not that concerned about this type of infection vector.

The infection vector I'm more concerned about is my BlackBerry's ability to surf the Web.  My understanding is that when I, say, download a photo from an evil website onto my PC, it's possible that this act, or say the act of clicking a sneaky command button on an evil website, can cause my PC to allow some type(s) of malware onto my PC.  However, my security suite on my PC is there to protect me against such an action from executing.  ON THE BLACKBERRY, there's no need for this security software, because that security suite is effectively running on either Verizon's or RIM's server.  (This is the SECOND feature of BlackBerries that makes them inherently safe, right?)  The data path from the evil website to my BlackBerry is: evil website > internet > RIM's server > internet** > Verizon's server > radio waves > my BlackBerry, right?  AND, RIM's server has super-kick-ass anti-malware software on it, and it catches the fact that the evil website is sending something evil to me, and RIM blocks it, right?  AND--this part I'm just speculating about--if something slips past RIM's amazing security software, well, Verizon ALSO has its own super-kick-ass anti-malware software on ITS server, so Verizon, in such a case, blocks the malware from getting to me, right?

Even if I'm looking at a totally benign website, but there's an evil ISP between that site and me (benign website > evil ISP > internet > RIM's server > internet** > Verizon's server > radio waves > my BlackBerry), I still don't have a problem, because RIM and Verizon are always at the end, just before the packets get to me, so I'm still safe, right?

The THIRD feature that protects me is the fact that packets carried by radio waves from Verizon to me are heavily encrypted, right?  How heavily?

So, as long as RIM and Verizon can be trusted***, the BlackBerry is safe.

BUT, what about programs I buy for my BlackBerry from software vendors other than those selling through, what's it called, "BlackBerry App World," I think?  This network security model fails to protect me against hackers who trick me into installing their software on my device, right?  Am I in a worse position with respect to those hackers than I would be if I installed their malware on my Symantec- or Kaspersky-protected PC or Mac?

Am I totally mis-understanding the security model for the BlackBerry?  Also, is there something else in the security model I'm missing?  Something in the BlackBerry's OS that inherently protects me?

FINALLY, how is security on the BlackBerry different from security on the IPHONE or the ANDROID?  I know that BlackBerries and iPhones won't allow Adobe's Flash Player to install and run.  Is there something inherently un-secure in Flash-based applications, or is it just that vulnerabilities are periodically discovered in the Flash Player?  I also know that Blackberries and Androids run programs written to be run in the Java Runtime Environment.  Are there security vulnerabilities inherent in that?  The last fact I (think I) know about this topic is that the iPhone will only allow the user to install applications from the iPhone application store (whatever it's called), and Apple checks out all of the programs it allows to be sold through that site.  Assuming Apple never makes a mistake, letting malware get sold on that site (which sounds like an unreasonably optimistic assumption****), that's a big point in favor of Apple for security.  However, as long as I stick to RIM's equivalent software store for the Blackberry, that gives the BlackBerry the same point in its favor.  The same would apply to buying Android software.

I know I've just left a TON of questions in this post, and I've probably got a lot of misunderstanding laced throughout it.  I'll be interested to read both your answers and your corrections of my mistakes.  Points will be awarded for both, as well as for correcting mistakes and affirming correct answers of other experts posting in this thread.  Be aware that I'm probably not going to check this thread for at least a few days.  I won't award the points for two weeks (04/15/11), so take your time.  It's not a 500 point-er because I need a fast answer.  It's because there are so many questions, and it's such a big topic, that I'll almost certainly end up giving partial credit to multiple experts.  I need enough points to spread around.

Thank you all for your time and participation.

Very truly yours,

therearestupidquestions+


*Am I right?  Is this the claim?  It's these factors that make BlackBerries safe, or is there more that allegedly make BlackBerries secure?

**Or maybe the internet isn't part of the path here.  Maybe Verizon has its own cable connecting it directly to RIM.  Does it?  If it doesn't, then RIM checking my packets is not worth much, is it?

***Which, if history is any guide, they can't be, at least with respect to protecting my privacy from the state?  However, I'll assume they can be trusted to protect me against criminals who want to steal my bank account and such.

****Human beings, who run the Apple software-selling site, make mistakes.  I can't believe NOTHING in the way of malware or security-hole-opening software EVER makes it past Apple's scrutiny.

+Hopefully I haven't just demonstrated the truth of my handle too much, just now.  :)
SOLUTION
Avatar of abbright
abbright
Flag of Germany image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of therearestupidquestions

ASKER

abbright:

Thanks for the reply.

You said, "As it seems to be the case with blackberrys there are not enough people considering blackberrys an attractive target / or it to be too difficult."  Well, the president of the United States uses one, and I'm pretty sure that he's "an attractive target" for hackers!  It's popular among business people, and industrial espionage is has A LOT of money put into it.  Again, "attractive target."  I find the whole "not an attractive target" argument unpersuasive pretty much wherever it's offered (e.g., Macs).  The most appealing context I ever see this argument offered in is the case of Linux, because that OS is limited, pretty much, to use by the MOST tech-savvy people around, so they're one of the least-likely populations to leave valuable information in a place that it might be stolen.  Even that I don't find to be too convincing.

You also said, "...it to be too difficult."  THIS is what I'm getting after.  IS it too difficult to hack into (or I guess you could say out of) BlackBerries?

I realize that 100% security is a virtual impossibility.  (However, I'm sure the NSA has made sure that Obama's comes close enough (for government work--ha!).)  Such is the case in my extreme example of trying to install malware on a computer by holding a CD with the malware on it up next to the computer.  I want to know if the developer community regards BlackBerries as, in some way, analogous.  It's just theoretically impossible to hack them.  There must be some dominant sentiment out there along these lines if the major security software vendors aren't selling security software for BlackBerries.

Anyway, thanks again for the reply.

--therearestupidquestions
Everybody:

I forgot to ask something in my original question (if you can believe THAT!).  

What about when I hook my BlackBerry up to my PC with a USB cable?  What if my PC is contaminated?  I frequently copy media files, like news shows and lectures, downloaded from the internet, from my PC to my BlackBerry.  This seems like an attractive vector for contaminating a BlackBerry with malware.  Why is there no need (or IS there) for software to scan files copied to a BlackBerry like this?

Am I wrong?

I'm actually more interested in the answer to THIS question than to any I posed in the original post.

Thanks again, experts.

--therearestupidquestions
ASKER CERTIFIED SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
abbright:

Thanks for your responses.  You obviously get all of the points.
Sorry.  I TRIED to award the points and close out this question on the date of my last entry.  I must have made some mistake in that process.  Hopefully, this closes it out now.