Study into the Implications of Smartphone Operating System Security

Study into the implications of Smartphone operating system security
BlackBerry
BlackBerry is renowned for its device and operating system security. In a recent interview
with BlackBerry, a spokesperson told Goode Intelligence that “BlackBerry has a moral
obligation to protect their user’s security and privacy”.
It is still the only Smartphone that has been accredited by CESG, using CESG’s Assisted
Products Service (CAPS), for handling UK Government (HMG) ‘Restricted’ information. 81
In an interview with BlackBerry in March 2013, Goode Intelligence was informed that for
vulnerability management:
BlackBerry holds regular security meetings and conferences where independent
security researchers will attend and discuss the latest vulnerabilities and threats
BlackBerry has a security team of around 160 people and a good proportion of these
will be security researchers (white hats). They will be looking at the latest threats and
exploits
Enterprise users will be pushed vulnerability advisories, using RSS, and these
advisories will also be sent to national CERTs and other vulnerability databases "as
soon as possible”
Consumer users will be notified using public notification channels including
BlackBerry’s Knowledge Base
Goode Intelligence discovered only three unique CVE entries whilst performing a search on
the CVE vulnerability database for ‘BlackBerry OS’, 33 entries were discovered for ‘RIM’ and
41 when ‘BlackBerry’ was used. The search term ‘BlackBerry’ also included vulnerabilities
recorded for the BlackBerry Enterprise Server (BES).
The BlackBerry Security Incident Response Team (BSIRT) provides 24/7 monitoring,
vulnerability analysis, remediation and guidance in order to help keep BlackBerry customers
protected from security issues.
BBISRT addresses both internally and externally identified vulnerabilities through a triage
and monitoring process. Once a potential issue is identified, BBSIRT uses the Common
Vulnerability Scoring System (CVSS) internally to rank and prioritise security vulnerabilities
in BlackBerry products. If an issue is classified through CVSS as critical or severe,
BlackBerry will begin the process to develop a security update to address the issue.
Depending on BlackBerry’s analysis on the threat landscape, they may release a security
notice while the security update is being developed to help protect customers by providing
them with available mitigations.
Once the security update is ready for customers, they will release a security advisory that
details the vulnerability, the fix, and any applicable mitigations and workarounds.
BlackBerry follows the ‘Patch Tuesday’ schedule for releasing software updates by releasing
on the second Tuesday of the month. The security update information is widely shared
through several communication channels, such as the external BlackBerry website,
81 BlackBerry OS 7.1 was accredited by CESG in November 2012:
http://www.cesg.gov.uk/News/Pages/BlackBerry-7.1-OS-now-Approved.aspx
Goode Intelligence © 2013 P a g e | 86 www.goodeintelligence.com