It's ironic to think that one of the main selling points of Blackberry was end-to-end security (the devices talked to an on-premises server via a dedicated mobile APN which had to comply with a number of requirements), and yet its on-device security model allowed an app to take over such critical functionality _by design_.
I have a number of fun stories about RIM (I was one of the BB product managers at a telco), and this post reminded me that it might be a good time to record them for posterity... :)
I'd be interested in hearing about it. From the (limited) amount I do know, it seemed like BB was a mix of "security by obscurity" with some memory safety (Java) and so-called "internal code audits" by RIM.
The security of the BlackBerry came from the fact that an organization could deploy their own data message servers, the “BES” that’s connected directly to your intranet. It was a bit VPN-like, but at the application layer. IT guys liked it because it made them feel like they were in charge, which is the main feature enterprise IT guys shop for.
This is an extremely accurate statement that can be complemented by the telco side - telcos that sold BlackBerry devices saw it as a great way to "lock in" customers in the business/corporate sector, add an extra data service to the customers' bill, and reduce the number of bandwidth-guzzling PDAs (and PCs) on the fledgeling GPRS networks (which were a far cry from the [3-5]G networks we have today).
It was initially played as an exclusive (not many telcos wanted to devote APNs to manufacturers or set up the tunnelling to the BES), which helped cement that worldview.
From an IT perspective again, you also had pretty decent device management (activation/restriction/lockout/wipe) features.
Customers, on the other hand, loved having usable e-mail and calendaring in their pockets (and later IM, but that's part of RIM's failed attempt at going mainstream, and I do think I will write that post soon...).
Oh, and they also loved week-long battery life. Sad that is now a thing of the distant past.
> It's ironic to think that one of the main selling points of Blackberry was end-to-end security (the devices talked to an on-premises server via a dedicated mobile APN which had to comply with a number of requirements), and yet its on-device security model allowed an app to take over such critical functionality _by design_.
While true, the initial versions of iOS and Android represented a step down in security. (BlackBerry at least encrypted the phone, by default - maybe even required?)
I was always baffled that the tech media would never mention how insecure Android or iOS were.
> Maybe because Android and iOS came out at the same time as people were learning that Blackberry's "security" was a pastiche.
> In order to operate in some countries, all Blackberry traffic had to be routed through that country's government servers.
> It's been a long while, but I'm pretty sure that India was one such country. And at least one Middle Eastern country.
This was only related to the BlackBerry Messenger (BBM), and even then only on the standard consumer phones. The corporate servers had their own keys, IIRC. Plus, it was only for messages traversing Indian or Pakistani networks, and my memory was that BlackBerry did not hand the keys over, just answered all of their requests.
Even at that, this level of encrypted communications was not otherwise widely available for consumers. The actual migration from BBM to whatever iPhone and Android were offering was a downgrade.
I'm not aware that BlackBerry devices were ever rooted, and they were default encrypted with 128-bit AES. The OS required users to grant permission for apps to access resources, such as GPS. This took something close to a decade to be installed and enabled by default in iOS and Android.
There was a big story where 3rd-party apps installed by providers contained malware. It was a huge story run everywhere and headlines made it sound as if every single phone had this vulnerability. However, they didn't mention the vulnerability could not affect BlackBerry devices because BlackBerry had a contract with all providers that the provider could not install any software to the device.
Not security-related, but a big complaint from devs at the time was that BlackBerry had so many different devices that it was very expensive to develop for. Apple, for sure, and maybe Android promised this would never happen on their platforms. Only the truly naive could believe this.
My takeaway was that BlackBerry somehow pissed off all of the tech journos and suffered appropriately. That's why they got nothing but bad press.
The other thing they suffered from was this "co-CEO" nonsense. For whatever reason, it seems nearly universal that if more than one person is in charge, nobody is accountable.
Edit:
And something even I forget about is that prior to the Snowden releases, concerns over government snooping were only for the tin-foil hat donned black-helicopter dodging conspiracy theorists. It just wasn't on the public's radar.
>it was only for messages traversing Indian or Pakistani networks, and my memory was that BlackBerry did not hand the keys over, just answered all of their requests
> >it was only for messages traversing Indian or Pakistani networks, and my memory was that BlackBerry did not hand the keys over, just answered all of their requests
> They jumped from "most secure" to "least secure" effectively immediately once they did that.
That article is an absolutely fantastic example of how the press treated BlackBerry (average consumers might come away thinking that BlackBerry devices are insecure).
It is after BlackBerry was dead from a market share perspective, so this isn't really applicable to the period I am referring to, which was from iPhone launch to maybe as late as 2012, when BlackBerry went from hero to zero.
Well, maybe see my comment below for more, but backdoor implies a backdoor was required. With no encryption, as was the case with iOS and Android, no backdoor was required for communication intercepts or device, and you're only referring to BlackBerry Messenger. Users could install their own messaging apps and larger customers could opt for BES.
> Critically, from that handler, it was then possible to get a reference to the current UI stack via the call to UiApplication.getUiApplication() - Once you had that reference, you could do whatever you want with any screens in the current display stack. You could pop screens from the stack, push new screens on the stack, and grab any screen in the stack and dig in and modify any of the UI components on any screen (deleting them, replacing them, etc.).
Give people extensibility and they can do things you'd never imagine: just take a look at the early jailbreaking community, who had neither APIs nor support from Apple but were able to do quite a bit just by being able to inject code into system applications to augment them. (I like to think that a faint echo lives on today in Mail plugins for macOS.) Sadly, we seem to be moving away from this for reasons that are touted to be for security…
Security issues arise when extensibility is paired with the absence of a good sandbox and permissions model.
DOS is the other example -- it was amazingly extensible, to the point that multitasking operating environments like DESQview[1] were available for it, but it was also very susceptible to malware.
In the case of email on any given platform, it should be possible for an application to add functionality to email, but also to ensure (to use the author's example) that it cannot peek into your bank app.
I suspect that, given email's not as popular as it once was, email plugins are too much trouble for first-party mail clients, given their attack surface. Platforms like Slack and Teams do offer extensibility though.
The security issue is very real. Ultimately the distinction between a useful capability-adding hack and an exploit is whether the end user wanted it to do what it does. And there's a big supply of what are euphemistically called "potentially unwanted programs" (PUPs) which trick the user into installing keyloggers, etc.
I think the Android model is perfectly good here. You get the option to load unsigned apps or unlock the bootloader, etc, but those options are all off by default and full of warnings to the user.
The analog to UAC on Android is permissions, which work pretty similarly to iOS. You could argue that the user gets used to just clicking agree and that not much is gained for the average user.
Sideloading apps and unlocking the bootloader is much different. It requires the user to actively go through the settings to enable the options, which would only happen if the user knew what they were doing in the first place. And after you try to enable the settings, you are bombarded with warnings before the settings actually apply.
An app can't trick you into flipping these switches. Most of them are actually hidden in developer mode anyway.
I challenge you to prove these have ever been a vector for attack. It's just not practical.
The security lost is zero, and the freedom gained is immense.
> It’s also not working too well to keep Android devices secure.
There is no evidence that malware is utilizing these vectors to any measurable degree.
If you don't want to control your device, that's fine, but don't spread FUD that carefully designed user-controllable devices are less secure than closed devices, when the opposite is true in practice. See XcodeGhost and others.
It’s unfortunate that having true control over the software on your device no longer exists in that form: but it’s good that users aren’t infected with malware. These are not mutually exclusive opinions I don’t think?
Sadly, as Windows, Office and Android have proven multiple times, extensibility without security knobs comes with a heavy price.
Hence Win32 and UWP containers, Android black listing of NDK and SDK APIs, with hardware sandboxes, plugins removal on browsers, moving stuff back into multi-processes with IPC,...
Original BlackBerry OS was just bare metal programming on an embedded x86. Before they went with Java there was not even the pretense of protection, you just read other apps’ data if you wanted to.
The development scene for is still alive and kicking, but it definitely has reduced in the amount of "WOW" software being released throughout the years.
The jailbreaking scene? As far as I could tell, it had been reduced to a shadow of its former self, with an ever-larger share of toxic people stirring up drama as the "old guard" left the community.
The glory days are definitely over both in terms of creativity, talent and motivation. But there's been a bump in the past 1/1.5 years or so with the more frequent jailbreaks coming out, which is quite nice.
Drama, yes there is a lot I guess. But I've been an active developer since 2012 and I think it is easy to not involve yourself in it.
Perhaps it's just nostalgia, but I miss my BlackBerry Bold.
A buzz in the pocket, email symbol on the screen, main button to open the email, right-click button to forward, physical scroll to a recent colleague and select, lock & back in pocket.
All that before 3G. Easy, quick and no fuss, muscle memory took care of most of it.
I was watching the movie "Up in the Air" last night. There is a scene where George Clooney's character is chatting on his blackberry, and the buzzing sound made me feel super nostalgic. RIP BBM.
The FxTec Pro 1 is a landscape KB-based Android phone with an unlocked bootloader and support for Sailfish and LineageOS. It's made by a small company, so while the phone is available and shipping, production batches are small, and you might have to wait a bit to receive your order.
Yeah, I saw that other comment just after I posted. Checked out their website and I got a somewhat strange feeling about their fake product image where they run GMail and a browser window in desktop mode in split-view mode. Somewhat fishy.
I must agree, the images on their website do look slightly staged, but being a new Pro1 user (since my order finally arrived in January) I can honestly say it's the best phone I have ever had.
That keyboard looks really hard to use compared to the ones people associate with classic models like the 850. Isn’t space between keys important for usability?
I'm using a Key 2 LE. The keyboard is perfectly usable. The main usability downside is that all punctuation and digits require pressing a modifier key.
The 9000 was a decent BlackBerry but my nostalgia kicks in for the scrollwheel devices, not the scrollball. I have no idea how people used them left-handed, if that was even possible.
It was bloody hard. I used many of the GPRS devices, and even though I'm not left-handed I usually picked up the phone with my left, and resorted to my middle finger (index around the top of the device).
If you work in a position that requires prompt, professional responses, the UX apex was the Bold 9900. With the touchscreen, touchpad, and highly ergonomic physical keyboard, professional email responses were a cinch.
The only times it was required to "reply when I get back to my computer" was when document editing was required.
Plus replaceable batteries and especially high capacity batteries meant pretty much never worrying about charging while out and about.
Oh yeah. The Bold was my favourite device until the Pearl came along (I didn't exactly love the Pearl 5-key-per-row layout, but it worked well enough and was a tad slimmer).
blackberry was the case of 'not knowing any better'.
i never had to use one for work but blackberry was my first smart phone, it came with a truly unlimited plan from verizon.
here are some fond memories of it:
- i got notification that new OS was available, i did an over the air update and it wiped 90% of my contacts. i came from dumbphones and remember i had to re-enter 100 or so contacts by hand, i don't think i ever upgraded the SW on it again.
- went out to HH with some friends and getting ready to go home i thought of using the internet on my fancy BB to look up the bus schedule, i pulled up the cttransit website and it would not open the .pdf with the bus time natively, it pointed me to buying some pdf viewer for something like $25. at the same time, my co-workers iphone 3G or whatever it was, opened the pdf without any additional apps.
so much for a "computer" in your pocket and being all about "business and not play", the stereotypical mantra of old crackberry.com. i think the next year on valentines verizon got the iphone 4 and that was the end of blackberry for me.
i can't believe people have nostalgia for this garbage phone.
This obviously requires contextualization and I naturally assume it was stated with that context implicit, but I'm not entirely sure what the connotation is. Don't implement OS-level features, so when the OS (re)does them (potentially better, notwithstanding incompetence) you die?
Ha, snap! We did the same with the PhoneListener(?) class and our PBX client. Allowed us to cancel and make calls, send DTMF for call-back and call-through. I also had my own app which sent calls straight to speakerphone.
I look back on BB with a lot of nostalgia, you really had to work to make things look good. If you didn't want your Views (widgets) black, white and blue then you were making them from scratch.
BB10 and Windows Phone 8 were the victims of the Apple-Google duopoly but both were individually far ahead of them. I still have hope Microsoft would make a comeback. I could hope that BB open sources BB10 but that is not going to happen.
I mean, no. BlackBerry was a victim of having a terrible product going head to head with the iPhone. As a development platform it was garbage. I vividly remember the inaugural BlackBerry developer conference where one of the sessions devolved into a revolt. People had written apps for the iPhone and they were not pleased with the APIs on the BB. Every attendee at that conference was supposed to receive a 9000 but they shipped a year late. RIM needed no duopoly to kill them. They died of natural causes.
Yep, I think people tend to forget how bad the blackberry line up was compared to the iPhones and even androids they were competing against. Their flagship in ~2011 was the Bold, which could barely browse the internet, had a horrible camera and an extremely dated UI. Going up against the iPhone 4s which is still functional to this day.
Sometimes some companies just deserve to fail. The current duopoly formed because the competition just couldn't keep up, and that's on them.
The API for BB app development allowed you to have UI elements like text labels or buttons, stacked vertically on the screen. That was the whole thing. If you wanted a table you were on your own. The web browser was very similar to MSIE 3, or NetPositive: it laid everything out vertically, didn’t support tables or CSS. When the iPhone came out with a real web browser it was like it came from another galaxy.
Same revolt happened with users, including executives.
There was tons of pressure to stay with Blackberry (it WAS the monopoly incumbent - almost every major IT department had invested in it - telcos loved it for the $$$).
Seriously - someone like Obama or Trump would be told they could only use a blackberry because it was more "secure" supposedly. Users told the same thing.
From top to bottom after folks got to try out the iphone from apple (no telco lock in at start at all - I bought the iphone 1 full price in cash when sold) just would not go back to blackberry.
It actually worked out for a while. people carried two phones. The blackberry required by their work and an iphone.
The crazy thing is blackberry just kept on falling behind in huge leaps backwards. It was nuts.
Apple's execution was really pretty good given the ramp they had.
Windows Phone was a victim of Microsoft for the most part.
Windows Phone 7 was incompatible with Windows Mobile 6, so developers had to start over. Windows Phone 8 had a new preferred app framework, so developers needed to support two apps. Windows Mobile 10 had a new preferred app framework that was ironically called universal; but Windows Mobile 10 was released without any of the polish of previous Windows Phone releases and without any low-end phones, so it never had more users than Windows Phone 8 or 7.
If windows mobile 10 had a well organized release, it might still be a thing. The only company to blame for that is Microsoft.
That was only possible because BlackBerry cut their prices to the bare bones. They basically resorted to only competing with basic non feature phones. As such they enjoyed a fair bit of popularity, they were better than phones with only basic call and text capabilities, but they weren't making any money.
Thing I remember most about my BlackBerry was a system update taking the better part, if not more, of an hour. A power cycle would take 10-15 minutes. Everything was just ... treacle. The iPhone 4 was no speed demon but it was night and day to the BlackBerry.