- BlackBerry® smartphones
Turning on content protection configures the BlackBerry® smartphone to encrypt stored user data, and data that it receives, while the smartphone is locked. One of the main security benefits of this feature is that if a malicious individual obtains forensic hardware capable of reading data directly from a smartphone, the encryption that content protection provides is designed to prevent that individual from reading the data. For more information on the security benefits of content protection, see the BlackBerry Enterprise Solution - Security Technical Overview guide.
Under certain conditions, content protection also has a potential impact on some aspects of smartphone performance.
Performance considerations when content protection is turned on
BlackBerry smartphone processing during encryption
When an administrator or a user turns on content protection for a smartphone, several items on the smartphone are encrypted. Depending on the number of items to be encrypted and the amount of memory on the smartphone, this may slow down smartphone processing while the initial encryption completes.
The locked BlackBerry smartphone can use content protection to encrypt items such as the following:
- Subject, location, meeting organizer, attendees, and any notes in all appointments or meeting requests
- All contact information in the contact list except for the contact title and category
- Subject, email addresses of intended recipients, message body, and attachments in all email messages
- Title and information that is included in the body of a note for all memos
- Subject and all information that is included in the body of tasks
- If software tokens are used, contents of the .sdtid file seed that is stored in flash memory
- All data associated with third-party applications that a user installs on the smartphone
- In the Internet browser, content that web sites or third-party applications push to the smartphone, any web sites that the user saves on the smartphone, and the browser cache
- All text that automatically replaces the text the user types on the smartphone
For a comprehensive list of the data that is encrypted within each of the preceding items, and for the procedures for excluding items, see the BlackBerry Enterprise Solution - Security Technical Overview.
Decryption time
When a content-protected smartphone decrypts a message that it received while locked, the smartphone uses an Elliptic Curve Cryptography (ECC) private key in the decryption operation. When a user unlocks a smartphone, the smartphone decrypts the content protection key and the ECC private key in flash memory. When the user wants to view data, the smartphone uses the content protection key, or the ECC private key, to decrypt the data before the smartphone displays it. An unlocked smartphone uses the content protection key to encrypt new data that the user types or adds to the smartphone, or that the smartphone receives.
The longer the ECC key, the more time the ECC decryption operation takes when the smartphone is unlocked. Older BlackBerry smartphones with less than 256 MB of memory are the most likely to be affected by the length of the ECC key, but newer smartphones may also slow down. Visit http://na.blackberry.com/eng/devices/features/ for more information about smartphone memory.
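The two-stage design described above, shown as an added illustration in Go that is not RIM's code or part of any BlackBerry software: the ECC private key lives in "flash" only wrapped under a password-derived key, the matching public key can still encrypt a message that arrives while the smartphone is locked, and only a successful Unlock releases the private key needed to read it. AES-GCM for the wrapping, ECDH over P-256 with an ephemeral key per message, the iterated-SHA-256 password derivation, and every name here (Curve, Device, NewDevice, Receive, Read, Unlock) are assumptions of this example, not details of the product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Curve stands in for the Content Protection Strength IT policy rule (assumption).
var Curve = ecdh.P256()

// Device models the ECC half of content protection (hypothetical, not RIM's code).
type Device struct {
	pub     *ecdh.PublicKey  // ECC public key, usable even while locked
	salt    []byte           // KDF salt, stored in the clear
	wrapped []byte           // ECC private key, sealed under the password-derived key
	priv    *ecdh.PrivateKey // plaintext ECC private key; nil while locked
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// passwordKey: iterated SHA-256 stands in for a real password KDF (assumption).
func passwordKey(password string, salt []byte) []byte {
	k := sha256.Sum256(append([]byte(password), salt...))
	for i := 0; i < 10000; i++ {
		k = sha256.Sum256(k[:])
	}
	return k[:]
}

// seal/unseal: AES-256-GCM with a random 12-byte nonce prefixed to the ciphertext.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return gcm(key).Seal(nonce, nonce, pt, nil)
}

func unseal(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}

// NewDevice provisions a locked device: a raw image of "flash" holds only the wrapped key.
func NewDevice(password string) *Device {
	priv := must(Curve.GenerateKey(rand.Reader))
	d := &Device{pub: priv.PublicKey(), salt: make([]byte, 16)}
	must(rand.Read(d.salt))
	d.wrapped = seal(passwordKey(password, d.salt), priv.Bytes())
	return d
}

// Lock discards the plaintext key; Unlock recovers it from the wrapped copy.
func (d *Device) Lock() { d.priv = nil }

func (d *Device) Unlock(password string) error {
	raw, err := unseal(passwordKey(password, d.salt), d.wrapped)
	if err != nil {
		return errors.New("wrong password") // GCM authentication failed
	}
	d.priv = must(Curve.NewPrivateKey(raw))
	return nil
}

// Receive encrypts data arriving while locked: only the public key is present,
// so an ephemeral ECDH agreement yields a per-message key (ECIES-style).
func (d *Device) Receive(pt []byte) []byte {
	eph := must(Curve.GenerateKey(rand.Reader))
	k := sha256.Sum256(must(eph.ECDH(d.pub)))
	return append(eph.PublicKey().Bytes(), seal(k[:], pt)...)
}

// Read needs the unwrapped private key; its ECDH step is what grows with curve size.
func (d *Device) Read(rec []byte) ([]byte, error) {
	n := len(d.pub.Bytes())
	if d.priv == nil {
		return nil, errors.New("device is locked")
	}
	if len(rec) < n {
		return nil, errors.New("record too short")
	}
	ephPub, err := Curve.NewPublicKey(rec[:n])
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(must(d.priv.ECDH(ephPub)))
	return unseal(k[:], rec[n:])
}
```

Swapping Curve to ecdh.P384() or ecdh.P521() and timing Unlock and Read reproduces the key-length effect the paragraph describes; the symmetric content protection key that the unlocked smartphone uses for data the user adds is not part of this model, only the ECC path for data received while locked.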
BlackBerry smartphone memory
Content protection has a greater impact on the performance of smartphones with 256 MB of memory or less.
The longer the ECC key used, the longer the decryption process can take.
The smartphone may close any open applications when the smartphone locks and begins to encrypt data.
Multiple SMS text messages
SMS text messages longer than 160 characters (text messages that are sent as multiple messages) are displayed as multiple messages if the smartphone is locked and encrypted when the smartphone receives them.
Set Password and Lock Handheld
On smartphones that are running BlackBerry® Device Software 4.3 and later, the administrator can reset the smartphone password using the BlackBerry® Enterprise Server 4.1 SP5 or later. The BlackBerry® Enterprise Solution uses the remote password reset cryptographic protocol to reset the smartphone password when content protection is turned on. Smartphones that are running BlackBerry Device Software 4.5 and later do not prompt the user for the old smartphone password.
BlackBerry Device Software 4.7 and later displays a notification when the smartphone is encrypting data.
Strengthening transport key
Administrators can turn on content protection for device transport keys on the smartphone by configuring the Force Content Protection of Master Keys IT policy rule. The smartphone uses the ECC key strength that the administrator specifies in the Content Protection Strength IT policy rule to encrypt the device transport keys.
Loss of wireless connection
When content protection of device transport keys is turned on, the wireless connection turns on after the smartphone undergoes a hard reset (the user removes and replaces the battery), unless the smartphone is running BlackBerry Device Software 4.2.2. In BlackBerry Device Software 4.2.2, the wireless connection should not turn on under these specific circumstances until the user unlocks the smartphone. See KB15860 for the BlackBerry Device Software versions in which the wireless connection does not start automatically when the BlackBerry smartphone loses and regains power.
Memory cleaning and garbage collection
When a user or administrator turns on content protection, the smartphone automatically turns on the memory cleaning function and the secure garbage collection process of the memory cleaner. See KB19371 for details of potential performance issues related to this feature.
BlackBerry device logging
When content protection is turned on, debug-level logging cannot be enabled on the smartphone. This limitation of the content protection design affects the ability of Research In Motion to troubleshoot some smartphone issues efficiently.
Access to the contact list
For smartphones running BlackBerry Device Software 4.2 or later, the administrator can change the content protection of the contact list on the smartphone. If you change the content protection of the contact list IT policy rule to Required, the smartphone does not permit call display to show any contact information other than the incoming phone number. Also, because contact information is encrypted while the smartphone is locked, contacts cannot be accessed over a Bluetooth® connection.
Manual content protection settings
Content protection cannot be disabled over the wireless network from the BlackBerry Enterprise Server. Once content protection is enabled and enforced using an IT policy, it cannot be disabled without having users disable content protection on their smartphones.
Activations may fail or take longer than expected
With content protection enabled, the smartphone is unable to synchronize data while locked. If a smartphone becomes locked during an enterprise activation, the process will pause until the smartphone is unlocked. If the smartphone remains locked for a long period of time, the activation may time out and fail.
Battery life is decreased
With content protection enabled, the smartphone must constantly encrypt and decrypt any data it accesses. This extra processing keeps the smartphone active more often and reduces battery life.