The Blackberry Security Story

As a fan of technology and, in particular, mobile technology I’ve long been intrigued by RIM.  Trailblazers for sure, but do they continue to deserve a place at mobile’s top table? Ask most people, particularly those of a corporate persuasion, and they will likely be quick to offer up the fact that “Blackberry is the mobile of choice for business because it’s far more secure”; but press even those with significant relevant expertise and experience and the actual evidence to back that statement up starts to get a little hazy.  It would seem (to me at least) that the continued dominance of RIM is more a result of fear of change than any real value proposition they continue to bring. 

I’ve spent some time looking for hard evidence to confirm or deny this, and I’ll detail my findings in a bit.  But to paraphrase from the outset,  I remain unconvinced that the RIM security story is still valid – at least for 95% of mobile users across the planet.  I’ll caveat this post right now with the usual “it’s just my opinion” and it is only based on my experiences and access to information.  To be honest I’m writing this post in part as I still need more concrete information to firmly resolve things in my mind.  So if you read this and have an opinion (either one that agrees with my position or, more interestingly, conflicts) I’d love to hear your thoughts and comments.  I know Blackberry, like Palm and Apple, can elicit strong emotions….

I’ll start by  recapping the Blackberry story as I understand it, as I think it’s highly significant in describing why RIM gained such popularity and also why I’m sceptical as to the legitimacy of it’s model in todays world.  According the Wikipedia, the first Blackberry mobile phone appeared in 2002 (several BB branded pagers had been sold prior to this, since 1998).  A number of non-RIM produced handsets have also come to market utilising the Blackberry email client, which is important as part of the security story these days focuses on the fact that RIM controls the end-to-end experience.  It’s important to remember that the world was a very different place back in 2002.  No 3G, not a great deal of WiFi or broadband penetration either.  What RIM did well (better than ANYBODY by a long shot) is two fold.  They delivered a fantastic push-email experience on a mobile device.  Their architecture ensured that emails arrived in an incredibly timely way.  Secondly, they managed to get the significant amount of data in emails through the narrow pipes that were available back then.  Their compression technology and, again, architecture was way ahead.  These 2 factors added up to really give them an advantage – and rightly so.

But roll on almost a decade.  4G is being rolled out.  And mobile integration that ensures emails arrive immediately is commonplace.  Those 2 critical advantages are no longer relevant.  So Blackberry, in a relatively dominant position, look at what else they have in their toolbox to take on the young pretenders in Apple and Google.  Two things emerge – a fantastic hardware experience for email (RIM has learnt – and patented – a thing or 2 when it comes to hardware keyboards) – and security.  Now keyboards will only take you so far, especially as the way people interact with mobiles is changing to include so much more than just email.  Touchscreens are on the rise for all but the most gnarly of emailers.  Digital natives are using email for less (and rightly so in my opinion, but that’s for another time).  So that leaves security.  And RIM know it.

I’m not disputing they have a great story.  Their architecture was developed and has grown in such a way that it is naturally secure.  They control the process end to end which gives them an advantage over others looking to use more open standard.  However, as I’ve already mentioned, a number of non RIM devices have been introduced in the past with the Blacjberry email client which would somewhat contradict this.  Not that these devices are still appearing, but I do find it a slight anomoly in the “end-to-end” security story.  

But my question really is how relevant is that architecture in todays world?  As I mentioned, my understanding is that much of the architecture was built to deliver timely email over narrow pipes, and security (at least initially) was secondary to those critical success factors.  They had a head start and when Android and the iPhone started making waves back in 2007, 2008 and 2009 they certainly understood that side of things far far better.  But with every new release of software and hardware, Apple, Google and the various partners have learnt lessons.  And quickly.  Hardware encryption, software encryption, remote wipe, auto device locks, certificate security and high level encryption standards are all now in place for both of those platforms.  

I read an article that explained the “extra” level of security RIM has in their solution.  In this article the extra level is likened to hearing a conversation spoken in code when the FBI has tapped into a phone call.  Blackberry provide the ability to speak in code (although crucially don’t control that code and so couldn’t break it themselves – only the people on the conversation has the ability to decrypt the message).   Whilst the likes of Apple and Google could provide the same protection against tapping the call, if someone was able to do that only RIM provides the additional security measure of coding the messages within that.

That sounds great.  But in reality having someone tap into your messages whilst in transit given todays security standards in this area would not only require considerable resource and ability, but also significant motive to do it.  To my mind, there are only a few sectors, companies within those sectors and even workers within those companies that would even be a target, let a lone be at risk.  To me it’s like having armed guards and a vault at a supermarket.  Sure, that kind of security is important for a bank, but do retailers on the same high street all need that level of security?  No, because they’re not likely to be targeted in the same way.  

So I’m at a point where I think, for 95% of the potential mobile population (be that consumer or business), Blackberry Enterprise encryption is not required.  Moreover, it may even be detrimental on a number of levels (just look at the issues RIM has in Saudi Arabia and India).  Having no visibility and not being able to monitor communications at all is a potential business risk.

But the other side of the coin is the adage “you’ll never get fired for going with IBM”.  Same rules apply – RIM is proven.  Big time.  They have more experience of mobile in enterprise than any other company out there.  My argument is that their success was primarily as a result of reasons other than security, reasons that have all but gone away.  Security is all they have left from an architecture that isn’t relavent today.  But it’s the only card they have left to play other than undertaking a major shift in direction.  And in playing it, they create enough doubt in peoples minds to retain a strong position.

But it’s clear things are changing.  Demand is there to do more for less, for more flexibility in how and where we work and with the line between business and pleasure blurring more each day I think this change will continue.  I hope RIM has a strategy.  My issue isn’t that RIM are bad, I like their devices and their shift towards a younger audience with focus on their BlackBerry Messenger (BBM) is brilliant.  I’m just hoping that there is more by way of innovation and
leadership – areas where RIM has historically excelled – than by a strategy of creating fear and doubt.

For me, I’m unconvinced by the story that anything other than Blackberrys are unfit for enterprise use.  Mobile is happening and the way we’re using mobile technology is changing in the most unbelievable and creative ways imaginable.  That is what I love, that is what is driving enterprise 2.0.  And to my mind, businesses should be open minded and look at all the options, not just those that have worked in the past.