The celebrity nude picture iPhone scandal. The payment system hacks of Kmart, Neiman Marcus, Target and Home Depot.
An attempt to hack nearly seven million Dropbox accounts.
BlackBerry has always talked up its security advantage, but with online safety moving from the middle of the newspaper to the front page, are we finally living in an environment in which mobile device users will listen?
In a blog piece called “Four Key Ways that BlackBerry Protects Your Privacy,” BlackBerry took aim at business users who fear the next security scandal could arrive on their doorstep.
“For over 15 years, BlackBerry has been synonymous with mobile privacy and security. We’ve already examined what makes BlackBerry so secure, so let’s look at what BlackBerry does to protect us as individuals,” said BlackBerry Security Services Manager Alex Manea.
Manea says the first thing the company tries to do is limit infuriatingly difficult password requirements. You know the ones: “Password must include a capital letter, six numbers and the lyrics to a Smiths song, pre-1985 era.”
Manea says data proves BlackBerry’s solution to the password problem is better.
“We limit password attempts so that after 10 incorrect tries, your device automatically wipes to protect your information,” he says. “This makes short, simple passwords much safer on BlackBerry. If a random lower-case 4-letter password requires an average of 228,000 guesses to break, the odds of someone guessing it in 10 tries are around 0.002%.”
Another hot-button security issue with consumers is the collection of data. Manea says that while this information can sometimes provide a more useful and relevant experience, it can also be a slippery slope. BlackBerry’s motto is “Ask for Permission, Not Forgiveness”.
“When you first boot your BlackBerry 10 device, you’ll see a screen that asks if you want to enable Location Diagnostics,” explains Manea. “We securely collect anonymous data to do neat things like improve turn-by-turn navigation in BlackBerry Maps and learn which BBM Emojis are the most popular, which is why most people choose to enable this. But if you change your mind later on, you can disable it anytime from Settings -> Security and Privacy -> Diagnostics.”
The third thing BlackBerry does is scan all apps you download and make sure the information they request cannot interfere with personal information.
“When you install an app, it gets put in its own sandbox separate from your personal data, and the only way to access things like your location, camera, or BBM is by asking your permission. And for BlackBerry apps, you can choose to deny individual permissions and still run the app,” says Manea.
Lastly, Manea says BlackBerry avoids the temptation of putting vendors above users.
“Some vendors want to silently collect and sell our data, while others want to capitalize on our worries by selling privacy ‘features.’ At BlackBerry, consumer privacy is not a new and exciting feature; it is, and has always been, an intrinsic part of our culture and technology.”
BlackBerry isn’t alone in touting its security features, but it appears to have a clear leadership position over its now much larger competition.
Samsung introduced an enterprise mobile security solution called Knox last year that aimed to separate the personal and professional data of business users. The US Department of Defense approved Samsung Knox-enabled devices in May 2013 for use in its networks. But recent revelations by security researchers suggest Knox’s architecture may be weak.
Security experts also have concerns about Apple’s iOS 8. Joseph Bonneau, a fellow at the Center For Information Technology Policy, Princeton, says iPhones are vulnerable because Apple won’t limit the frequency or total number of login attempts, for fear of inconveniencing its customers.
“By default, iOS devices are configured to be locked with a ‘Simple Passcode’ which is only a 4-digit PIN,” explains Bonneau. “Once again, we have data showing that users pick a highly-skewed distribution of 4-digit PINs, but that doesn’t even matter here. The entire space of 10,000 possible PINs can be exhausted in just over 13 minutes at 12.5 Hz or 14 hours at 0.2 Hz. The average user will be at most half of this, and of course it will be faster in practice due to non-uniform user choices. In any case, users with any Simple Passcode have no security against a serious attacker who’s able to start guessing with the help of the device’s cryptographic coprocessor.”
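The figures quoted by Manea and Bonneau can be reproduced with a short calculation, given here as an added example that is not part of the original article or of either vendor's code. The function names are hypothetical, and the Zipf-like PIN popularity is a constructed assumption used only to show how a skewed distribution weakens a 10-attempt limit; it is not measured data.

```python
from fractions import Fraction

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible secrets of the given length."""
    return alphabet_size ** length

def p_guess_uniform(space: int, attempts: int) -> Fraction:
    """Chance of hitting a uniformly random secret in `attempts` distinct guesses."""
    return Fraction(min(attempts, space), space)

def p_guess_skewed(weights, attempts: int) -> float:
    """Same chance when secrets are not equally likely and the most
    popular ones are tried first (the worst case for the device owner)."""
    ranked = sorted(weights, reverse=True)
    return sum(ranked[:attempts]) / sum(ranked)

def exhaust_seconds(space: int, guesses_per_second: float) -> float:
    """Time to try every secret when nothing limits the attempt count."""
    return space / guesses_per_second

# Constructed assumption: popularity of the PIN at rank r is proportional to 1/r.
ZIPF_PINS = [1.0 / rank for rank in range(1, 10_001)]

def summary() -> dict:
    letters = keyspace(26, 4)   # random lower-case 4-letter password
    pins = keyspace(10, 4)      # 4-digit PIN
    return {
        "letters_space": letters,
        "letters_avg_guesses": letters / 2,
        "letters_p_10_tries": float(p_guess_uniform(letters, 10)),
        "pins_minutes_at_12.5hz": exhaust_seconds(pins, 12.5) / 60,
        "pins_hours_at_0.2hz": exhaust_seconds(pins, 0.2) / 3600,
        "pins_p_10_tries_uniform": float(p_guess_uniform(pins, 10)),
        "pins_p_10_tries_zipf": p_guess_skewed(ZIPF_PINS, 10),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:26} {value:.6g}")
```

Under the constructed skew, a 10-attempt limit on a 4-digit PIN stops far fewer guesses than the uniform figure suggests, so the attempt limit and the randomness of the secret have to be assessed together.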