
Highlights from the article:

> BlackBerry Ltd. is preparing to turn its once-proprietary BBM secure-messaging system into a subscription service that app developers can build into their software to allow for seamless, encrypted communications.

> Developers who deploy the BBM SDK will be asked to generate their own encryption keys, meaning BlackBerry will not have the ability to turn over to law enforcement any messages sent through this system, even if compelled by a court order.

Essentially it appears that they are turning it into a Secure Messaging As A Service so that people can quickly add messaging into their apps without requiring the infrastructure.




> Developers who deploy the BBM SDK will be asked to generate their own encryption keys, meaning BlackBerry will not have the ability to turn over to law enforcement any messages sent through this system, even if compelled by a court order.

Doesn't the entire security of BBM rely only on a very short code, one which Blackberry can easily swap with a different key which they possess in practice? Very similar to Apple iMessage.

Also last time I checked their enterprise offering was essentially static Triple DES key only - is their public offering any better?

EDIT: https://www.schneier.com/blog/archives/2016/04/blackberrys_g...

Looks like as of last year they used a single static key for all the BBM encryption. And it's in the hands of Canadian authorities already.

Do we have any reason to believe they have or will change this? Seems completely silly to me to use something this broken.
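The two models argued over in this thread, a relay that holds one static key for everyone versus a relay that only forwards ciphertext produced under a key the developer generated and kept, come down to key custody. The following Go program is an added example written for this page; it is not BlackBerry's code, not the BBM SDK, and makes no claim about what BBM actually uses. It models each side with AES-256-GCM from the standard library: `Seal`/`Open` encrypt and decrypt, `NewKey` stands in for the developer's own key generation, and `RelayCanRead` asks whether a party holding `relayKey` can open a message sealed under `senderKey`. All function names are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit key. In the "developers generate their
// own keys" model this runs on the developer's side and the key never leaves it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The random nonce is prepended to
// the ciphertext so Open can recover it; the GCM tag protects integrity.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key fails the GCM authentication check rather
// than yielding garbage, which is what makes the custody question decidable.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RelayCanRead reports whether a relay holding relayKey can decrypt a message
// that the sender sealed under senderKey. With one static key shared by
// everyone (relayKey == senderKey) the answer is always true; with a key the
// developer generated and kept, the relay only ever sees opaque ciphertext.
func RelayCanRead(senderKey, relayKey, message []byte) bool {
	sealed, err := Seal(senderKey, message)
	if err != nil {
		return false
	}
	_, err = Open(relayKey, sealed)
	return err == nil
}

func main() {
	// Constructed sample message for the demonstration.
	msg := []byte("meeting moved to 3pm")

	// Model 1: a single static key that the relay operator also holds.
	staticKey, _ := NewKey()
	fmt.Println("static shared key, relay can read:", RelayCanRead(staticKey, staticKey, msg))

	// Model 2: the developer generates a key the relay never receives.
	devKey, _ := NewKey()
	relayGuess, _ := NewKey() // whatever the relay holds, it is not devKey
	fmt.Println("developer-held key, relay can read:", RelayCanRead(devKey, relayGuess, msg))
}
```

The point the check makes is narrow: key custody decides whether the party in the middle can turn over plaintext on demand. It says nothing about the other trust problems raised further down the thread (who ships the client code, what the SDK hands back to the service), which a custody model like this cannot answer.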


Even a company with as many blunders as BlackBerry must know that publicly saying it can't be decrypted, when in fact it could easily be decrypted, would be a terrible blow to the product.


Yeah, seems fairly ridiculous given how much they push being a security company. Apparently hard-coded 3DES key that anyone can reverse engineer = security.

I'm tempted to pop their Android app up in IDA and see if it's really as bad as it sounds.


> Secure Messaging As A Service

It's not secure in a traditional sense. BB have agreements with some governments to provide them with data as they need it.


How is that possible if app developers are going to be generating their own keys that aren't in BlackBerry's possession?

(That is, I think your criticism is valid and correct for the existing BBM service, but that's not what's being described here)


Assuming their crypto is legit and not horribly broken, Blackberry could push out backdoored apps via updates for certain user ids or update a whitelist remotely via data push. Then package the mirrored plain text data in an encrypted format that looks the same on the wire as normal messages or contact syncing going to the Blackberry controlled transit server.

There's a ton of trust involved that goes beyond generating your own keys if Blackberry is making the app itself, closed source, and controls the servers.

Blackberry/RIM openly bragged about giving law enforcement real time access, for the first time, to any messages for targeted individuals during G20 in Toronto. That was in 2010. At this point I wouldn't trust Blackberry with any data you wouldn't already be willing to hand over to government agencies.


Isn't this an SDK that developers would put in their own apps? I don't think BlackBerry would have the ability to push updates to those apps without the app developers being involved.


Ah I didn't know they were planning on allowing 3rd party apps as part of the commercialization process. This would depend more on how the SDK interacts with their service then. I'm curious to hear more then.



