BlackBerry Device Software. Protecting BlackBerry Smartphones Against Malware. Security Note




Published: 2012-05-14 SWD-20120514091746191

Contents

1 Protecting smartphones from malware
2 System requirements
3 Managing the risk of malware attacks
    Using BlackBerry Enterprise Solution tools to protect smartphones from malware
4 Installing and managing applications on smartphones
    Creating an application for a smartphone
    Specifying the methods that users can use to install applications on a smartphone
5 Using IT policy rules to help protect smartphones from malware
    Creating new IT policy rules to control applications that your organization creates
    IT policy rules take precedence on smartphones
6 Specifying the resources that applications can access on a smartphone
    Using application control policy rules to control the resources that applications can access on a smartphone
    Using application control policy rules to specify the types of connections that applications can open
    Application permissions for applications that users install on a smartphone
    Application permissions for applications that users install as trusted applications on a smartphone
    Application control policy rules
    How code signing controls the resources that applications can access on a smartphone
    Permitting an application to encode data on a smartphone
    Best practice: Controlling the resources that applications can access in your organization's network
7 Managing third-party applications on a smartphone that a user uses for personal purposes
8 Removing applications from smartphones
    Removing applications that a user installed when a user deletes all smartphone data
9 Using a segmented network to help prevent the spread of malware
    Using a segmented network to help reduce the spread of malware on a work Wi-Fi network that uses a VPN
10 MAPI attacks
    Best practice: Protecting your organization's network from a MAPI attack
11 Related resources
12 Glossary
13 Legal notice

1 Protecting smartphones from malware

Applications that are designed with malicious intent to cause harm to computer systems are commonly known as malware. Malware can include the following examples:

Viruses replicate themselves by attaching to legitimate applications on a computer.

Trojan horses disguise themselves as, or embed themselves within, other applications. To attack a smartphone, a user must install and run the application that contains the Trojan horse. A Trojan horse relies on social engineering to convince the user to install the application rather than on the ability of the attacker to exploit flaws in the security design or configuration of the smartphone.

Worms replicate themselves to spread across networks and potentially overwhelm computer systems. A worm is self-contained and does not need to be part of another program to spread itself.

Spyware is designed to log user activities and personal data and send that information to an unauthorized user.

Some malware attacks might target BlackBerry smartphones. Malware may be used to perform attacks that are designed to do the following:

Steal personal and work data.
Create a denial of service attack to make a work network unusable.
Access a work network using work smartphones.

To help protect smartphones in your organization from malware, you can use the application control features that are available as part of the BlackBerry Enterprise Server. You can use the features to contain the threat of malware on the smartphones in your organization and on your organization's network.

Related information: Using a segmented network to help prevent the spread of malware (section 9)

2 System requirements

To help protect BlackBerry smartphones from malware, your organization's environment should meet the following requirements:

Smartphones that run BlackBerry Device Software 4.1 or later
BlackBerry Enterprise Server for Microsoft Exchange 4.1 SP2 or later
BlackBerry Enterprise Server for IBM Lotus Domino 4.1 SP2 or later
BlackBerry Enterprise Server for Novell GroupWise 4.1 SP2 or later
BlackBerry Enterprise Server Express for Microsoft Exchange 5.0 SP1 or later
BlackBerry Enterprise Server Express for IBM Lotus Domino 5.0 SP2 or later

To manage smartphones that classify applications for both work use and personal use in your organization's environment, you must use either BlackBerry Enterprise Server for Microsoft Exchange (5.0 SP3 or later), BlackBerry Enterprise Server for IBM Lotus Domino (5.0 SP3 or later), or BlackBerry Enterprise Server Express (5.0 SP3 or later), and smartphones that are running BlackBerry 7 or any of the following smartphones that are running BlackBerry 6:

BlackBerry Bold 9700 smartphone (bundle 1478 or later)
BlackBerry Bold 9780 smartphone (bundle 1478 or later)
BlackBerry Curve 9300 smartphone (bundle 1478 or later)
BlackBerry Pearl 9100 smartphone (bundle 1478 or later)
BlackBerry Torch 9800 smartphone (bundle 1478 or later)
BlackBerry Bold 9650 smartphone (bundle 1830 or later)
BlackBerry Curve 9330 smartphone (bundle 1830 or later)
BlackBerry Style 9670 smartphone (bundle 1830 or later)

3 Managing the risk of malware attacks

You should plan your organization's network architecture and design the security policies for your organization to help manage the risk of malware attacks. When you plan and set up your organization's network, you should set security policies to help protect the network components and BlackBerry smartphones. You should consider separating your organization's network infrastructure into segments that are separated by firewalls, and restricting internal user access and external user access to the segments. You might require multiple security products and methods to protect each gateway from one segment of your organization's network to another and each gateway to and from the Internet.

Using BlackBerry Enterprise Solution tools to protect smartphones from malware

Detection is the process where you determine whether or not a program is malware. Effective malware detection requires a constant connection to a comprehensive local or online database of known malware. On computers, you can implement processes that have access to these databases to help detect and contain malware. BlackBerry smartphones do not have enough storage space for a malware database and cannot guarantee a constant connection to the Internet.

The BlackBerry Enterprise Solution is designed to use IT policies, application control policies, and code signing to help contain malware by controlling third-party application access to smartphone resources and applications. IT policies, application control policies, and code signing help prevent malware that might gain access to smartphones from causing damage to the applications and data on smartphones or to your organization's environment.

By default, users can install all applications until you use IT policies or application control policies to control applications on smartphones.

4 Installing and managing applications on smartphones

You can install and manage applications on BlackBerry smartphones. To send applications to smartphones, you must first add the applications to the application repository of the BlackBerry Enterprise Server. You can use the application repository to store and manage all versions of the applications that you want to install on, update on, or remove from smartphones.

In the BlackBerry Administration Service, you create software configurations to apply to smartphones. Software configurations specify which applications are required, optional, or not permitted and the versions of the applications that you want to install on, update on, or remove from smartphones. When you create a software configuration, you must also specify whether users can install applications that are not listed in the software configuration.

When you add an application to a software configuration, you must assign an application control policy to the application to specify what resources the application can access. If you permit users to install applications that are not listed in the software configuration, you must create an application control policy for unlisted applications that specifies what resources the unlisted applications can access. The BlackBerry Administration Service has two standard application control policies for unlisted applications: one for unlisted applications that are optional, and one for unlisted applications that are not permitted. You can change the default settings of the standard application control policy for unlisted applications that are optional, or you can create custom application control policies for unlisted applications that are optional.

Creating an application for a smartphone

An application developer can create an application for BlackBerry smartphones using a variety of developer tools. Applications can perform the following actions on a smartphone:

Share application data with other applications
Access user data such as calendar entries, email messages, and contacts
Control smartphone resources, such as the camera or GPS

Some applications are preloaded on smartphones. You can use the BlackBerry Administration Service to install and manage applications on smartphones. A user can also download and install applications on a smartphone using a computer or over the wireless network. For more information on the tools available for application developers, visit www.blackberry.com/developers.

Specifying the methods that users can use to install applications on a smartphone

BlackBerry smartphone users can install applications using the following methods:

Using the BlackBerry App World storefront
Using a browser
Using a media card
Over a USB connection (for example, using the BlackBerry Desktop Software or BlackBerry Application Web Loader)

You can use the Application Installation Methods IT policy rule to specify which application installation options are available to a user. You can also use the Application Installation from Specific URLs Only IT policy rule to specify a list of web addresses that a user can download applications from. For more information about using IT policy rules, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Policy Reference Guide.

5 Using IT policy rules to help protect smartphones from malware

You can configure the following IT policy rules to prevent users from downloading applications over the wireless network and to specify whether applications on the BlackBerry smartphone can open specific types of connections. For more information about configuring IT policy rules, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Policy Reference Guide and the BlackBerry Enterprise Server Administration Guide.

Desktop IT policy group

Allow Desktop Add-ins (default: Yes)
This rule specifies whether the BlackBerry Desktop Software can run add-on applications, such as COM-based extensions that access smartphone databases during synchronization. This rule is not applicable for BlackBerry Desktop Software 6.0, which does not support add-on applications.

Personal Devices IT policy group

Enable Separation of Work Content (default: No)
This rule specifies whether a smartphone distinguishes between work data and personal data, and whether only authorized applications on the smartphone can access work data. If you set this rule to Yes and a user tries to delete a Desktop service book, the smartphone prompts the user to delete the work data on the smartphone. The "Is access to the corporate data API allowed" application control policy rule affects this rule: it specifies whether an application or an add-on application is authorized to access work data. To make this rule affect an application, you must set the "Is access to the corporate data API allowed" application control policy rule to Disallowed for the application.

Security IT policy group

Allow External Connections (default: Yes)
This rule specifies whether applications can initiate external connections (for example, to WAP gateways).

Allow Internal Connections (default: Yes)
This rule specifies whether applications can initiate internal connections (for example, to websites behind your organization's firewall using the BlackBerry MDS Connection Service).

Allow Resetting of Idle Timer (default: No)
This rule specifies whether a smartphone permits applications to reconfigure the inactivity-timeout value on the smartphone and bypass the timeout value for the smartphone password. For more information about the inactivity timeout, visit www.blackberry.com/go/apiref to read about the EventInjector class and the Backlight.enable() method in the API reference for the BlackBerry Java Development Environment.

Allow Screen Shot Capture (default: No)
This rule specifies whether a smartphone permits applications to take screen shots.

Allow Split-Pipe Connections (default: No)
This rule specifies whether applications can open internal and external connections on a smartphone at the same time. An application that opens internal and external connections at the same time may create a security issue, because it can collect data from inside the firewall and send it outside the firewall.

Allow Third Party Apps to Access Screen Contents (default: Yes)
This rule specifies whether an application on a smartphone can access the data that is displayed on the smartphone screen.

Allow Third Party Apps to Use Serial Port (default: Yes)
This rule specifies whether applications can use the serial port, IrDA port, or USB port on a smartphone.

Application Installation Methods (default: None)
This rule specifies which application installation options are not available to the user. Each application installation option provides a unique method for the user to install applications onto the smartphone. If both rules are set, this rule takes precedence over the Disallow Third Party Application Downloads IT policy rule. This rule does not affect applications that are already installed on the smartphone.

Application Installation from Specific URLs Only (default: None)
This rule specifies a list of web addresses that a user can download applications from. Separate multiple web addresses with a comma (,). Each address must be a fully qualified domain name or a wildcard domain name that starts with a period (.). A BlackBerry smartphone does not use this rule if you set the Application Installation Methods IT policy rule to Disallow Browser. If you specify a web address in this rule, the browser uses the BlackBerry MDS Connection Service to connect to the web address, even if the web address is not listed in the MDS Browser Domains IT policy rule.

Disallow Third Party Application Downloads (default: No)
This rule specifies whether a user can install or update applications on a smartphone using the BlackBerry Browser or the BlackBerry App World storefront. If you set this rule to Yes, the user cannot install or update applications on the smartphone using the BlackBerry Browser or BlackBerry App World. The user can still install or update an application that Research In Motion creates using the BlackBerry Desktop Software. This rule does not apply to add-on applications developed by RIM in software configurations. If you set this rule to Yes, it takes precedence over the "Application Restriction Rule" and "Category Restriction Rule" IT policy rules.

Password Required for Application Download (default: No)
This rule specifies whether a smartphone prompts a user for the smartphone password when using the browser to download applications.

Reset to Factory Defaults on Wipe (default: No)
This rule specifies whether a smartphone resets to the factory default settings when it receives the Delete all device data and disable device IT administration command over the wireless network. For smartphones that are running BlackBerry Device Software 5.0 and later, this rule is enforced both remotely (when an administrator erases the data on a smartphone remotely) and locally (for example, when a user types the device password incorrectly more times than the Set Maximum Password Attempts IT policy rule or the password option on the device permits).

Security Transcoder Cod File Hashes (default: None)
This rule specifies the hashes for the .cod files of a transcoder that a smartphone needs to register the transcoder. Set each hash in hexadecimal format and separate multiple values with a comma (,).
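The host matching that the Application Installation from Specific URLs Only rule describes (a comma-separated list in which each entry is a fully qualified domain name or a wildcard domain that starts with a period), worked through as an added Python example. This is not BES or BlackBerry Device Software code. Everything the note does not state is an assumption made here: matching is case-insensitive, ports and paths are ignored, a wildcard such as .intranet.example covers hosts below intranet.example but not intranet.example itself, an empty rule value (the default, None) imposes no restriction, and a malformed entry is rejected rather than silently ignored. The sample rule value and URLs are constructed for the example.

```python
"""Host matching for the Application Installation from Specific URLs Only rule.

Added example, not BES or device code. Case handling, port and path handling,
the wildcard semantics and the treatment of an empty value are assumptions.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def parse_rule_value(value: str) -> list[str]:
    """Split the comma-separated rule value into normalised entries."""
    entries = []
    for raw in value.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue  # tolerate a trailing or doubled comma
        # A wildcard entry is a period followed by a domain; anything else
        # must be a bare FQDN. Reject schemes, paths, ports and empty labels
        # rather than letting "http://apps.example.com" silently match nothing.
        body = entry[1:] if entry.startswith(".") else entry
        if (not body or "/" in body or ":" in body or " " in body
                or body.startswith(".") or body.endswith(".") or ".." in body):
            raise ValueError(f"malformed entry in rule value: {raw.strip()!r}")
        entries.append(entry)
    return entries


def host_matches(host: str, entry: str) -> bool:
    """Exact match for an FQDN entry; suffix match (period included) for a
    wildcard entry, so ".example.com" matches a.example.com but not
    evil-example.com and not example.com itself."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host.endswith(entry)
    return host == entry


def download_permitted(url: str, rule_value: str | None) -> bool:
    """True if the browser may download an application from this URL.

    An empty rule value is treated as "no restriction" (assumption); a URL
    without a host component (relative or file: URL) is never permitted.
    """
    entries = parse_rule_value(rule_value or "")
    if not entries:
        return True
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(host_matches(host, entry) for entry in entries)


if __name__ == "__main__":
    # Constructed sample rule value and download URLs.
    rule = "apps.example.com, .intranet.example"
    for url in ("http://apps.example.com/tool.jad",
                "http://apps.example.com.attacker.test/tool.jad",
                "https://files.intranet.example:8443/tool.jad",
                "https://evil-intranet.example/tool.jad"):
        verdict = "permitted" if download_permitted(url, rule) else "blocked"
        print(f"{url}: {verdict}")
```

The comparison worth checking in any allowlist of this kind is the suffix test: apps.example.com must not match apps.example.com.attacker.test, and the wildcard .intranet.example must not match evil-intranet.example. Keeping the leading period in the wildcard suffix and comparing the full host, rather than searching for a substring, is what prevents both.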

Creating new IT policy rules to control applications that your organization creates

You can create IT policy rules to control the applications that your organization creates for BlackBerry smartphones that are running in your organization's environment. After you create an IT policy rule, you can add it to a new or existing IT policy and assign a value to it. Only applications that your organization creates can use the IT policy rules that you create; you cannot create new IT policy rules to control smartphone applications and features. For more information about creating IT policy rules, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Administration Guide.

IT policy rules take precedence on smartphones

IT policy rule settings override application control policy rule settings. For example, if you change the Allow Internal Connections IT policy rule to No for BlackBerry smartphones, and if the smartphones have an application control policy set that allows a specific application to make internal connections, the application cannot make internal connections. The smartphone revokes an application control policy and resets if the permissions of the application it is applied to become more restrictive. Smartphones permit users to make application permissions more restrictive, but not less restrictive, than the permissions that you specify.

6 Specifying the resources that applications can access on a smartphone

You can use application control policy rules to specify which applications a user can download and install on a BlackBerry smartphone and the resources on the smartphone that the applications can access. If you control the applications that a user can install and limit the resources that the applications can access, you can help protect the smartphone from malware. You can also help prevent damage to the smartphone software, applications, smartphone data, and your organization's network. Code signing can also help control the resources that applications can access on smartphones and can help to prevent malware on smartphones.

Using application control policy rules to control the resources that applications can access on a smartphone

You can use application control policy rules to specify whether users can install applications on BlackBerry smartphones and to specify the permissions for applications. You can use application control policy rules to specify whether applications can access the following resources on smartphones:

Data or applications (for example, the Messages application or the phone)
Smartphone key store
Network connections
Near field communications
Secure element
Smartphone settings
Security timer
BlackBerry APIs (for example, the GPS API, User Authenticator API, or Module Management API)

When you assign an application control policy to a software configuration and assign the software configuration to user accounts or groups, users might not be able to use all of the features of the applications that are included in the software configuration. For example, if you set the "Are External Network Connections" application control policy rule to "Not permitted", a game that is installed on a smartphone may not be able to send high scores back to a central server, because the game is not permitted to access the Internet. You can assign application control policies to software configurations so that the BlackBerry Enterprise Server limits the permitted application behavior to a subset of user accounts that it trusts. Smartphones revoke the application control policy and reset if the permissions for applications that the application control policy is applied to become more restrictive. Smartphones permit users to make application permissions more restrictive, but never less restrictive, than the permissions that you specify. For more information about configuring application control policies, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Administration Guide.

Using application control policy rules to specify the types of connections that applications can open

You can use the following application control policy rules to specify whether an application that is running on the BlackBerry smartphone can open local, internal, and external network connections:

Are External Network Connections
Are Internal Network Connections
Are Local Connections

An application can connect to both the Internet and your organization's intranet at the same time, which might be a security issue because the application can collect data from inside your organization's firewall and send it outside your organization's firewall. You should consider preventing applications on a smartphone from opening both internal and external connections at the same time. Although you can use the Allow Split-Pipe Connections IT policy rule to allow an application to open both internal connections and external connections at the same time, this setting applies to all applications on the smartphone, and the user is prompted to allow the connections each time an application starts. You can use the Are External Network Connections application control policy rule and the Are Internal Network Connections application control policy rule to specify the types of connections that each application can open and remove the prompts that a user receives each time an application starts. You can also configure a single application control policy rule for all applications that are running on the smartphone. For IT policy rule and application control policy rule descriptions, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Policy Reference Guide. For more information about configuring IT policy rules and application control policy rules, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Administration Guide.
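The precedence that this section and the previous one describe (an IT policy rule set to No overrides the application control policy, and a user can make a permission more restrictive than the administrator's value but never less restrictive), worked through as an added Python example that also lists the applications whose effective permissions still leave both internal and external connections open, which is the split-pipe exposure the paragraph above recommends closing per application. This is not BES or device code: the Allow < Prompt < Deny ordering, the class and field names, and the sample applications are assumptions constructed for the example.

```python
"""Effective connection permissions for applications on a BlackBerry smartphone.

Added illustration of the precedence rules described in this note; not BES or
device code. The ordering, names and sample fleet are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Least to most restrictive (assumed ordering). An application control policy
# value of "Not permitted" is modelled as Deny.
_RANK = {"Allow": 0, "Prompt": 1, "Deny": 2}


@dataclass(frozen=True)
class ITPolicy:
    allow_internal_connections: bool = True     # IT policy rule, default Yes
    allow_external_connections: bool = True     # IT policy rule, default Yes
    allow_split_pipe_connections: bool = False  # IT policy rule, default No


@dataclass(frozen=True)
class AppControlPolicy:
    internal: str = "Allow"  # "Are Internal Network Connections" rule
    external: str = "Allow"  # "Are External Network Connections" rule


@dataclass(frozen=True)
class UserPermissions:
    server_network: str = "Allow"  # Server Network Connections permission
    internet: str = "Allow"        # Internet Connections permission


def apply_user_change(admin_value: str, requested: str) -> str:
    """A user change stands only if it is at least as restrictive as the
    administrator's value; otherwise the administrator's value is kept."""
    return requested if _RANK[requested] >= _RANK[admin_value] else admin_value


def effective_permissions(it_policy: ITPolicy, acp: AppControlPolicy,
                          user: UserPermissions) -> tuple[str, str]:
    """Return (internal, external) effective permissions for one application."""
    internal = apply_user_change(acp.internal, user.server_network)
    external = apply_user_change(acp.external, user.internet)
    # IT policy rules take precedence: a rule set to No closes that connection
    # type regardless of the application control policy or the user's choice.
    if not it_policy.allow_internal_connections:
        internal = "Deny"
    if not it_policy.allow_external_connections:
        external = "Deny"
    return internal, external


def split_pipe_exposure(it_policy: ITPolicy,
                        apps: dict[str, tuple[AppControlPolicy, UserPermissions]]) -> list[str]:
    """Applications whose effective permissions leave both internal and
    external connections open. With Allow Split-Pipe Connections at No the
    device refuses to open both at once; with it at Yes the user is prompted
    at every start. Either way, closing one side in the application control
    policy is the per-application fix the note recommends."""
    exposed = []
    for name, (acp, user) in apps.items():
        internal, external = effective_permissions(it_policy, acp, user)
        if internal != "Deny" and external != "Deny":
            exposed.append(name)
    return sorted(exposed)


def sample_fleet() -> dict[str, tuple[AppControlPolicy, UserPermissions]]:
    """Constructed sample: three applications with different policies."""
    return {
        "intranet-dashboard": (AppControlPolicy(internal="Allow", external="Deny"),
                               UserPermissions()),
        "weather": (AppControlPolicy(internal="Deny", external="Allow"),
                    UserPermissions()),
        "unlisted-game": (AppControlPolicy(),
                          UserPermissions(internet="Prompt")),
    }


if __name__ == "__main__":
    policy = ITPolicy()
    for name, (acp, user) in sample_fleet().items():
        print(name, effective_permissions(policy, acp, user))
    print("split-pipe exposure:", split_pipe_exposure(policy, sample_fleet()))
```

Two things the output makes visible that the prose only states: the user's Prompt on the game's Internet permission survives because it is more restrictive than the policy's Allow, whereas a user request to loosen a Prompt to Allow is discarded; and setting Allow External Connections to No in the IT policy empties the exposure list for every application at once, which is the blunt instrument the per-application rules let you avoid.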

Application permissions for applications that users install on a smartphone

Users can set permissions that control how applications that users install on a BlackBerry smartphone interact with the other applications on the smartphone. For example, a user can control whether an application that the user installs on the smartphone can access data or the Internet, make calls, or use Bluetooth connections. If a user adds an application to the smartphone, the smartphone is designed to prevent the application from sending or receiving data without the user's knowledge. For a selected application or for all third-party applications, a user can turn on a prompt that allows the user to accept or deny the connection request for a specific location or resource before the application sends or receives data. Smartphones permit users to make application permissions more restrictive, but never less restrictive, than the permissions that you specify.

The following list shows the application permissions, grouped by category, with their default settings:

Connections category

USB (default: Allow). A user can set whether applications can use physical connections, such as a USB cable, that a user set up for the smartphone.
Bluetooth (default: Allow). A user can set whether applications can use Bluetooth connections.
Phone (default: Prompt). A user can set whether applications can make calls or access call logs.
Location Data (default: Prompt). A user can set whether applications can use the GPS location information on the smartphone.
Server Network (default: Allow on BlackBerry 7 and later; Prompt on BlackBerry Device Software 6.0 and earlier). A user can set whether applications can access the Internet or your organization's intranet using your organization's network.
Internet (default: Allow on BlackBerry 7 and later; Prompt on BlackBerry Device Software 6.0 and earlier). A user can set whether applications can access the Internet through a wireless service provider (for example, using a direct Internet connection or WAP gateway).
Wi-Fi (default: Allow). A user can set whether applications can use Wi-Fi connections.
Near Field Communication (default: Allow). A user can set whether applications can use NFC connections.

Interactions category

Cross Applications Communication (default: Allow). A user can set whether applications can communicate and share data with other applications on the smartphone.
Device Settings (default: Allow). A user can set whether applications can turn on or turn off the smartphone or change smartphone options, such as display options.
Media (default: Allow). A user can set whether applications can access media files on the smartphone.
Application Management (default: Allow). A user can set whether applications can add or delete application modules or access module information such as an application name or version.
Themes (default: Allow). A user can set whether the smartphone can use applications as a source for customized themes.
Input Simulation (default: Deny). A user can set whether applications can simulate actions, such as pressing a key on the smartphone.
Browser Filtering (default: Deny). A user can set whether applications can register browser filters with the browser on the smartphone to add, change, or delete website content before it appears in the browser.
Recording (default: Prompt). A user can set whether applications can take screen shots of the smartphone screen or use other applications on the smartphone to take pictures or recordings.
Security Timer Reset (default: Deny). A user can set whether applications can reset the duration that the smartphone remains unlocked after the user stops using it.
Display Information While Locked (default: Deny). A user can set whether applications can display information while the smartphone is locked.

User Data category

Email (default: Allow). A user can set whether applications can access email messages, SMS text messages, MMS messages, or PIN messages on the smartphone.
Organizer Data (default: Allow). A user can set whether applications can access organizer data such as contacts, calendar entries, tasks, or memos on the smartphone.
Files (default: Allow). A user can set whether applications can access files that the user stores on the smartphone. For example, a user can set whether applications can access files that a user transfers to the smartphone using the media manager tool of the BlackBerry Device Software or Bluetooth technology.
Security Data (default: Allow). A user can set whether applications can access certificates or keys in the key store on the smartphone.
Secure Element (default: Allow). A user can set whether applications can access confidential information, such as credit card numbers, coupons, loyalty cards, and public transit passes, that is stored on the smartphone's secure element. Depending on the smartphone model and wireless service provider, the smartphone might not use a secure element.

Application permissions for applications that users install as trusted applications on a smartphone

Some applications that a user installs on a BlackBerry smartphone prompt the user to install the application as a trusted application. If the user accepts the prompt and installs the application as a trusted application, all permissions for the application are set to Allow except for the following permissions:

Input Simulation: Deny
Browser Filtering: Deny
Recording: Prompt
Security Timer Reset: Prompt
Display Information While Locked: Deny
Secure Element: Prompt

Application control policy rules

You can configure the following application control policy rules to control applications on BlackBerry smartphones. For more information about application control policy rules, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Policy Reference Guide.

Are External Network Connections
This rule specifies whether an application can make external network connections. You can configure this rule to prevent the application from sending or receiving any data on a smartphone using an external protocol (such as WAP or TCP). You can also configure this rule so that an application prompts a user before the application makes external connections through the smartphone firewall. The List of External Domains application control policy rule affects this rule and takes precedence over it.

Are Internal Network Connections
This rule specifies whether an application can make internal network connections. You can configure this rule to prevent the application from sending or receiving any data on a smartphone using an internal protocol (for example, the BlackBerry MDS Connection Service). You can also configure this rule so that an application prompts a user before the application makes internal connections through the smartphone firewall. The List of Internal Domains application control policy rule affects this rule and takes precedence over it.

Are Local Connections
This rule specifies whether an application can make local network connections (for example, connections to a smartphone using a USB or serial port).
Prompt user Prompt user 18

Specifying the resources that applications can access on a smartphone Rule Description Default value Can Device Settings be Modified Can the Security Timer be Reset Display information while locked Disposition Is Access to NFC Is Access to the Browser Filters API Is Access to the Corporate Data API Is Access to the Email API Is Access to the Event Injection API Is Access to the File API Is Access to the GPS API This rule specifies whether an application can change configuration settings and user settings on a smartphone. This rule specifies whether an application can reset the amount of time that must elapse before a smartphone locks automatically. This rule specifies whether an application can display information on a smartphone screen when the smartphone is locked. This rule specifies whether an application is optional, required, or not permitted on the smartphone. You can use this rule to make a specific application required on the smartphone or to prevent unspecified or untrusted applications from being installed on the smartphone. This rule specifies whether an application can access NFC on a smartphone. This rule specifies whether an application can access browser filter APIs to register a browser filter on a smartphone. You can use this rule to permit applications to apply custom browser filters to web-page content on a smartphone. This rule specifies whether a third-party application or an add-on application developed by Research In Motion can access work data on a smartphone. You can configure this rule to prevent third-party applications or add-on applications developed by RIM from accessing work data on the smartphone. The smartphone checks this rule to determine which applications can access work data. This rule specifies whether an application can send and receive email messages using a smartphone. This rule specifies whether an application can simulate input events on a smartphone, such as pressing keys or performing trackpad actions. 
This rule specifies whether an application can access, change, delete, and move files on a smartphone. This rule specifies whether an application can access the GPS APIs on a smartphone. You can configure this rule to prevent the application from accessing the GPS APIs on a smartphone or to prompt the user before an application can access the GPS APIs. Not permitted Not permitted Optional Disallowed Prompt user 19

Specifying the resources that applications can access on a smartphone Rule Description Default value Is Access to the Handheld Key Store Is Access to the Interprocess Communication API Is Access to the Media API Is Access to the Module Management API Is Access to the PIM API Is Access to the Phone API Is Access to the Screen, Microphone, and Video Capturing APIs Is Access to the Secure Element This rule specifies whether an application can access the key store APIs on a smartphone. The Minimal Signing Key Store Security Level IT policy rule affects this rule. If you configure the Minimal Signing Key Store Security Level IT policy rule to use the high security level, this rule does not apply. The smartphone prompts a user for the keystore password each time that an application tries to access the private key. The Minimal Encryption Key Store Security Level IT policy rule affects this rule. If you configure the Minimal Encryption Key Store Security Level IT policy rule to use the high-security level, this rule does not apply. The smartphone prompts the user for the key store password each time that an application tries to access the private key. This rule specifies whether an application can perform crossapplication communication operations. You can use this rule to permit two or more applications to share data or for one application to use the connection permissions of another application. This rule specifies whether an application can run or create multimedia files on a smartphone. This rule specifies whether an application can add, change, or delete Java.cod files on a smartphone. This rule specifies whether an application can access the smartphone PIM APIs, which control access to a user's personal information, such as contacts, on a smartphone. If you permit an application to access PIM data APIs and use network connection protocols, the application might be able to send all of the user's personal information from the smartphone. 
This rule specifies whether an application can make calls, answer incoming calls, and access call logs on a smartphone. You can configure this rule to prevent an application from making calls on a smartphone or to prompt a user to permit calls before the application makes calls. This rule specifies whether an application can record media, such as audio and video, using the BlackBerry Browser or other applications on a smartphone. This rule specifies whether an application can access the secure element on a smartphone. Prompt user Not permitted 20

Specifying the resources that applications can access on a smartphone Rule Description Default value Is Access to the Serial Port Profile for Bluetooth API Is Access to the User Authenticator API Is Access to the Wi-Fi API Is Key Store Medium Security Is manage connections allowed Is media control allowed This rule specifies whether an application can access the Bluetooth SPP API. The Disable Serial Port Profile IT policy rule affects this rule. If you configure the Disable Serial Port Profile IT policy rule to Yes, this rule does not apply. A smartphone cannot use the Bluetooth SPP to establish a serial connection to a Bluetooth enabled smartphone. This rule specifies whether an application can access the user authenticator framework API. The user authenticator framework permits the registration of drivers that provide two-factor authentication to unlock a smartphone. This rule applies to the BlackBerry Device Software and applications. For smartphones that are running BlackBerry Device Software 5.0 and later, this rule applies to drivers for smart card readers and to custom twofactor authentication methods that are created by developers in your organization. This rule specifies whether an application on a smartphone can send and receive data over a Wi-Fi connection and access information about the Wi-Fi network. This rule specifies whether an application can access key-store items that are stored at the medium security level. The application must prompt a user for the key store password when it tries to access the private key for the first time or when the private key password timeout expires. The Minimal Signing Key Store Security Level IT policy rule affects this rule. If you configure the Minimal Signing Key Store Security Level IT policy rule to use the high security level, the smartphone does not use this rule. The smartphone prompts the user for the key store password each time that an application tries to access the private key. 
The Minimal Encryption Key Store Security Level IT policy rule affects this rule. If you configure the Minimal Encryption Key Store Security Level IT policy rule to use the high security level, the smartphone does not use this rule. The smartphone prompts the user for the key store password each time that an application tries to access the private key. This rule specifies whether an application can manage connections and connection-related information on a smartphone. This rule specifies whether an application can open or manage media files on a smartphone. Prompt user 21

Specifying the resources that applications can access on a smartphone Rule Description Default value Is Theme Data List of Browser Filter Domains List of External Domains List of Internal Domains This rule specifies whether a user can use custom theme applications that are developed using the Plazmic Content Developer's Kit as themes on a smartphone. This rule specifies the list of domains that an application can apply browser filters to web-page content for on a smartphone. For example, you can specify www.google.com and www.yahoo.com as domains for which an application can use a browser filter for search engines. This rule specifies the external domain names that an application can connect to. This rule does not support wildcard characters. You must separate different domains with a semicolon (;). You can configure this application control policy rule and a pull rule that the BlackBerry MDS Connection Service uses to control whether a user can access an external domain. If you configure this rule and a pull rule for an external domain, the user cannot access the external domain unless this rule and the pull rule permit access. This rule affects the Are External Network Connections application control policy rule. The application on a smartphone can connect to domains that you specify in this rule even if you set the Are External Network Connections application control policy rule to Not permitted. This rule specifies the internal domain names that an application can establish a connection to. This rule does not support wildcard characters. You must separate different domains with a semi-colon (;). This rule affects the Are Internal Network Connections application control policy rule. The application on a smartphone can connect to the domains that you specify in this rule even if you set the Are Internal Network Connections application control policy rule to Not permitted. Null Null Null 22
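The precedence described above between the user-side permission (which can only tighten what you configure), the Are External Network Connections rule, the List of External Domains rule, and a BlackBerry MDS Connection Service pull rule, as an added Python model that is not BlackBerry code: the names ExternalConnectionPolicy, parse_domain_list and decide_external_connection, the sample hardened policy and the sample pull rule are all assumptions constructed for this illustration.

```python
"""Added example (not BlackBerry code): how the connection-related application
control policy rules described above combine for one external host.
All names and sample values are assumptions constructed for this illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet


class Setting(Enum):
    """Outcomes ordered from least to most restrictive.

    Application control policy values and the matching user-side permission
    values are folded onto one scale so that they can be compared.
    """
    PERMITTED = 0       # "Permitted" (policy) / "Allow" (user)
    PROMPT = 1          # "Prompt user" (policy) / "Prompt" (user)
    NOT_PERMITTED = 2   # "Not permitted" (policy) / "Deny" (user)


def parse_domain_list(rule_value: str) -> FrozenSet[str]:
    """Parse a List of External Domains / List of Internal Domains value.

    Entries are separated by a semicolon and wildcards are not supported, so an
    entry containing '*' is rejected rather than silently matching nothing.
    The default value Null (modelled as an empty string) yields an empty set.
    """
    domains = set()
    for entry in rule_value.split(";"):
        entry = entry.strip().lower()
        if not entry:
            continue
        if "*" in entry:
            raise ValueError(f"wildcards are not supported in domain lists: {entry!r}")
        domains.add(entry)
    return frozenset(domains)


@dataclass(frozen=True)
class ExternalConnectionPolicy:
    """The two application control policy rules that govern external connections."""
    external_connections: Setting = Setting.PROMPT  # Are External Network Connections, default Prompt user
    external_domains: FrozenSet[str] = frozenset()  # List of External Domains, default Null


def effective_setting(admin: Setting, user: Setting) -> Setting:
    """A user may make a permission more restrictive than the administrator did, never less."""
    return admin if user.value < admin.value else user


def decide_external_connection(
    policy: ExternalConnectionPolicy,
    host: str,
    user_setting: Setting,
    pull_rule_allows: Callable[[str], bool],
) -> Setting:
    """Outcome for a connection attempt by the application to one external host.

    pull_rule_allows models the MDS Connection Service pull rule; pass
    `lambda h: True` when no pull rule is configured for the domain.
    """
    host = host.lower()
    if host in policy.external_domains:
        # List of External Domains takes precedence over Are External Network
        # Connections, but when a pull rule is also configured for the domain,
        # both must permit access.
        admin = Setting.PERMITTED if pull_rule_allows(host) else Setting.NOT_PERMITTED
    else:
        admin = policy.external_connections
    return effective_setting(admin, user_setting)


# Constructed sample: the hardening the best practices below recommend for
# untrusted applications (Not permitted), with a short explicit domain list.
HARDENED = ExternalConnectionPolicy(
    external_connections=Setting.NOT_PERMITTED,
    external_domains=parse_domain_list("www.example.com; docs.example.com"),
)


def sample_pull_rule(host: str) -> bool:
    """Constructed pull rule: permits every listed host except docs.example.com."""
    return host != "docs.example.com"


def main() -> None:
    for host in ("www.example.com", "docs.example.com", "news.example.net"):
        outcome = decide_external_connection(HARDENED, host, Setting.PERMITTED, sample_pull_rule)
        print(f"{host}: {outcome.name}")


if __name__ == "__main__":
    main()
```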

How code signing controls the resources that applications can access on a smartphone

Some APIs in the BlackBerry Java SDK are protected APIs. Protected APIs expose methods that can access user data or other information on BlackBerry smartphones that is considered sensitive. When an application uses protected APIs, the application must be digitally signed with code signing keys before the application can be deployed. Application developers can request access to a set of code signing keys from blackberry.com/signedkeys/. The developer must digitally sign the application before it can be installed on a smartphone. Code signing does not certify or approve an application, but it allows Research In Motion to identify the author of a potentially malicious application that uses sensitive APIs. In addition to API control, code signing can be used to restrict or share access to application data by other applications on a smartphone.

For more information about code signing and applications, visit www.blackberry.com/go/serverdocs to see the BlackBerry Java SDK Security Development Guide.

Permitting an application to encode data on a smartphone

A developer can use the Transcoder API to create an encoding scheme for data that a BlackBerry Enterprise Server and a BlackBerry smartphone send between each other. The Transcoder API is part of the BlackBerry Java SDK. The BlackBerry Enterprise Server and the smartphone can use the encoding scheme to encode and decode all gateway message envelope packets that they send between each other. The encoding scheme adds a transcoder ID to the beginning of the encoded data. The BlackBerry Enterprise Solution encrypts the encoded data using BlackBerry transport layer encryption.

Before an application can access the Transcoder API, the BlackBerry Signing Authority Tool must digitally sign the .cod file. The BlackBerry Signing Authority Tool uses the code signing keys to authorize and authenticate the Transcoder implementation code. To permit the BlackBerry Enterprise Server and the smartphone to use the encoding scheme, you must specify the hash of the application's .cod file in the Security Transcoder Cod File Hashes IT policy rule.

If the RIM Cryptographic API does not support a specific algorithm, the developer can use the Transcoder API to add the algorithm to the encoding schemes. The BlackBerry Enterprise Solution applies the encoding schemes to any outgoing data that the BlackBerry transport layer encryption applies to. By default, the Transcoder API supports all algorithms that the RIM Cryptographic API supports.

If you permit applications to use the Transcoder API on the smartphone, the applications might impact the security, usability, and performance of the BlackBerry Enterprise Solution. They might also cause the smartphone to lose data.

Best practice: Controlling the resources that applications can access in your organization's network

An attacker could potentially use applications on a BlackBerry smartphone to access and attack internal servers in your organization's network. Consider the following best practices to help minimize the risks of such attacks.

| Best practice | Description |
| --- | --- |
| Prevent a user from installing applications on a smartphone | Set the Disallow Third Party Application Download IT policy rule to True. |
| Allow a user to install only specific trusted applications on a smartphone | Consider the following guidelines: assign an application control policy with the Disposition application control policy rule set to Required or Optional for specific trusted applications only; assign an application control policy with the Disposition application control policy rule set to Disallowed for unspecified applications or untrusted applications. |
| Configure the smartphone to prompt the user each time an application tries to connect to an external network | Consider the following guidelines: assign an application control policy with the External Network Connections application control policy rule set to Permitted or Prompt User for specific trusted applications; assign an application control policy with the External Network Connections application control policy rule set to Not Permitted for unspecified or untrusted applications. |
| Configure the smartphone to prompt the user each time an application tries to connect to an internal network | Consider the following guidelines: assign an application control policy with the Internal Network Connections application control policy rule set to Permitted or Prompt User for specific, trusted applications only; assign an application control policy with the Internal Network Connections application control policy rule set to Not Permitted for unspecified or untrusted applications. |
| Protect your organization's network from a malware attack | Use your organization's network security tools to protect your organization's network. For example, to control outbound access, set the port numbers on the firewall that protects your organization's network. |

7 Managing third-party applications on a smartphone that a user uses for personal purposes

By default, a BlackBerry smartphone classifies all applications as work applications that can access work data. After you set the Enable Separation of Work Content IT policy rule to Yes, if you do not want specific third-party applications to access work data such as work contacts, you can consider performing any of the following actions:

- Create a software configuration for all unlisted applications and set the "Is access to the corporate data API allowed" application control policy rule to Deny. This prevents all third-party applications from accessing work data. If you want to allow specific third-party applications to access work data, you can create a software configuration that allows only the third-party applications that you specify to access work data.
- Create a software configuration for each application that you want to prevent from accessing work data and set the "Is access to the corporate data API allowed" application control policy rule to Deny. This prevents the third-party applications that you specify from accessing work data and allows all third-party applications that you do not specify to access work data.
- Create a software configuration and set the disposition for unlisted applications to Disallowed. This prevents a BlackBerry smartphone user from installing any third-party applications on the smartphone that you did not specifically list in the software configuration.
- Create a software configuration that lists specific applications and set the disposition to Disallowed. This prevents a user from installing the third-party applications that you listed in the software configuration.

For more information, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Administration Guide.

8 Removing applications from smartphones

You can use software configurations to remove applications from BlackBerry smartphones. Users can also delete applications from smartphones.

You can create an allowed list of applications by creating a software configuration and setting the disposition for unlisted applications to Disallowed. This removes all add-on applications developed by Research In Motion that are preloaded on the smartphone and any third-party applications that you do not list as Required or Optional within the software configuration.

You can also create a custom software configuration to remove one or more third-party applications or add-on applications that are preloaded on a smartphone but allow other add-on applications to remain on the smartphone. To remove specific applications, you must add them to the application repository, then add them to the software configuration, and set the disposition for the applications to Disallowed. After you associate the software configuration with a group, multiple user accounts, or a single user account, the applications are removed from the smartphone and the user cannot reinstall them. The specific version of the application that you are removing must be included in the software configuration; versions other than the one you specify (for example, earlier and later versions) are not removed.

Users can also remove applications from the smartphone by deleting them from the application list on the smartphone.

For more information about using software configurations to remove applications from smartphones, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Administration Guide. For more information about how to control third-party applications and add-on applications and how to remove third-party applications and add-on applications from a smartphone, visit www.blackberry.com/support to read KB05392. For more information about which applications are add-on applications developed by RIM, visit www.blackberry.com/support to read KB24317.

Removing applications that a user installed when a user deletes all smartphone data

If a user clicks Security Wipe in the security options on a BlackBerry smartphone, the user can select the User Installed Applications option at the same time. If the user selects this option, when the smartphone permanently deletes user data, it also removes all applications that the user installed on the smartphone, along with the application data.

9 Using a segmented network to help prevent the spread of malware

To help prevent the spread of malware in your organization's network, you can use firewalls to divide your organization's network or LAN into segments to create a segmented network. Each segment can manage the network traffic for a specific BlackBerry Enterprise Server component. A segmented network is designed to improve the security and performance of the segments by filtering out data that is not sent to the correct segment.

To configure the BlackBerry Enterprise Server in a segmented network, you must install each BlackBerry Enterprise Server component on a computer that is separate from the computers that host other components and then place each computer in its own network segment. If you configure the BlackBerry Enterprise Server in a segmented network, you create an architecture that is designed to prevent the spread of potential attacks from one computer that hosts a component to another computer within your organization's LAN. A segmented network architecture is designed to isolate attacks and contain them on one computer. To permit communication with other components, when you install each component in its own segment, you open only the port numbers that the components use.

The BlackBerry Enterprise Server and its components, with the exception of the BlackBerry Router, do not support installation in a DMZ. For more information about configuring the BlackBerry Router in the DMZ, visit www.blackberry.com/go/serverdocs to see Placing the BlackBerry Router in the DMZ. For more information about the port numbers that the components use, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Administration Guide.

Using a segmented network to help reduce the spread of malware on a work Wi-Fi network that uses a VPN

When a Wi-Fi enabled BlackBerry smartphone connects to a work Wi-Fi network that uses a VPN, the smartphone might permit the VPN concentrator to send data directly to a BlackBerry Enterprise Server over your organization's network. The VPN concentrator sends data over port 4101. Only the VPN concentrator connects to the work Wi-Fi network.

To configure your organization's VPN concentrator to prevent it from opening unnecessary connections to your organization's network, you can configure a segmented network. In a segmented network, you can divide components of your organization's network using firewalls to help reduce the spread of malware.

10 MAPI attacks

A successful MAPI attack replaces a BlackBerry smartphone with an attacker's smartphone on a BlackBerry Enterprise Server in your organization's network. The attacker can then receive email messages that were intended for the user whose smartphone was replaced. Also, if the IT policy for the smartphone allows it to access internal servers in your organization's network, the potentially malicious user can do this by using the BlackBerry MDS Connection Service.

To perform a MAPI attack, an attacker must run malware that is designed to replace a smartphone PIN and device transport encryption key with new values from a computer inside your organization's network. If the attacker knows the PIN of a smartphone and can determine its device transport encryption key, the potentially malicious user can use malware to send a preconstructed MAPI request to change the smartphone PIN and device transport encryption key values and send the new values to the messaging server. The malware then notifies the attacker that the BlackBerry Enterprise Server added the smartphone with the new values.

Best practice: Protecting your organization's network from a MAPI attack

An attacker can try to carry out a MAPI attack on your organization's network. Consider the following best practices to help minimize the risks of such attacks.

| Best practice | Description |
| --- | --- |
| Limit the ability to add user accounts and manage roles only to administrators who require it | Consider the following guidelines: assign the Security preconfigured administrative role only to administrators who require it, because this role is the only role that can manage role membership; assign the Security, Enterprise, User only, or Senior Helpdesk preconfigured administrative roles only to administrators who require them, because these roles are the only roles that can add user accounts to a BlackBerry Enterprise Server. |
| Prevent a user from switching smartphones | Set the Desktop Allow Device Switch IT policy rule to False to prevent users from switching BlackBerry smartphones. |

11 Related resources

To read the following guides, visit www.blackberry.com/go/serverdocs.

| Resource | Description |
| --- | --- |
| BlackBerry Enterprise Server Administration Guide | Instructions for creating user accounts, groups, roles, and administrator accounts; instructions for managing security; instructions for creating software configurations; instructions for creating and applying application control policies; instructions for creating and applying IT policies; instructions for configuring extended messaging encryption; instructions for protecting lost or stolen BlackBerry smartphones |
| BlackBerry Enterprise Server Policy Reference Guide | Descriptions of IT policy rules and application control policy rules; information about using IT policies and application control policies |
| BlackBerry Enterprise Solution Security Technical Overview | Information about preventing the decryption of information at an intermediate point between the smartphone and the BlackBerry Enterprise Server or organization's LAN; information about managing security settings for smartphones; information about permitting users to use smartphones for both personal use and work use; information about deleting only work data from smartphones; information about protecting data in transit between smartphones and the BlackBerry Enterprise Server; information about the algorithms that the RIM Cryptographic API provides; information about the TLS and WTLS standards that the RIM Cryptographic API currently supports; information about the memory scrubbing process that occurs on the smartphone when content protection is turned on |
| BlackBerry Application Web Loader Developer Guide | Instructions for installing applications from a web page; instructions for using the application web loader on a web server |
| Security for BlackBerry Devices with Bluetooth Technology Security Technical Overview | Description of Bluetooth wireless technology; information about using and protecting Bluetooth enabled smartphones; information about the risks of using Bluetooth wireless technology on mobile devices |
| BlackBerry Java SDK Security Development Guide | Instructions for using controlled APIs; instructions for using code signatures |
| BlackBerry Signing Authority Tool Administrator Guide | Description of the BlackBerry Signing Authority Tool implementation of public key cryptography; instructions for installing, configuring, and managing the BlackBerry Signing Authority Tool; instructions for restricting access to APIs |
| Placing the BlackBerry Enterprise Server in a Segmented Network Technical Note | Instructions for using a segmented network implementation for the BlackBerry Enterprise Server; information about protecting BlackBerry Enterprise Solution components; information about protecting non-BlackBerry components on an organization's network; descriptions of BlackBerry Enterprise Server connectivity requirements; instructions for customizing the port numbers that the BlackBerry Enterprise Solution uses |
| Securing Devices for Personal Use and Work Use Security Note | Information about permitting users to use smartphones for both personal use and work use; instructions for deleting only work data from a smartphone |
| www.blackberry.com/security | Information about BlackBerry Enterprise Solution security |

12 Glossary

| Term | Definition |
| --- | --- |
| API | application programming interface |
| CLDC | Connected Limited Device Configuration |
| DMZ | A demilitarized zone (DMZ) is a neutral subnetwork outside of an organization's firewall. It exists between the trusted LAN of the organization and the untrusted external wireless network and public Internet. |
| GPS | Global Positioning System |
| HTTP | Hypertext Transfer Protocol |
| IrDA | Infrared Data Association |
| IT administration command | An IT administration command is a command that you can send over the wireless network to protect sensitive information on a BlackBerry device or delete all BlackBerry device data. |
| IT policy | An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager. |
| IT policy rule | An IT policy rule permits you to customize and control the actions that BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager can perform. |
| LAN | A local area network (LAN) is a computer network shared by a group of computers in a small area, such as an office building. Any computer in this network can communicate with another computer that is part of the same network. |
| MAPI | Messaging Application Programming Interface |
| MIDP | Mobile Information Device Profile |
| MMS | Multimedia Messaging Service |
| NFC | Near Field Communication |
| PIM | personal information management |
| PIN | personal identification number |
| SMS | Short Message Service |
| SPP | Serial Port Profile |
| TCP | Transmission Control Protocol |
| TLS | Transport Layer Security |
| VPN | virtual private network |
| WAP | Wireless Application Protocol |
| WTLS | Wireless Transport Layer Security |

Legal notice

© 2012 Research In Motion Limited. All rights reserved. BlackBerry, RIM, Research In Motion, and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. Bluetooth is a trademark of Bluetooth SIG. IrDA is a trademark of Infrared Data Association. IBM, Domino, and Lotus are trademarks of International Business Machines Corporation. Microsoft is a trademark of Microsoft Corporation. Novell and GroupWise are trademarks of Novell, Inc. Java is a trademark of Oracle America, Inc. Plazmic is a trademark of Plazmic Inc. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available at www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by Research In Motion Limited and its affiliated companies ("RIM") and RIM assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect RIM proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of RIM technology in generalized terms. RIM reserves the right to periodically change information that is contained in this documentation; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party web sites (collectively the "Third Party Products and Services").
RIM does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by RIM of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired.
Any Third Party Products and Services that are provided with RIM's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by RIM and RIM assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with RIM.

Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software.

The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada

Research In Motion UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom

Published in Canada