The security of BlackBerry Balance

By Adam Zeis on 2 Aug 2013 09:52 am EDT

It's security week at Talk Mobile, and what better security topic than BlackBerry Balance? Most users know a bit about what Balance is and how it separates work and personal space on BlackBerry 10, but beyond that many don't know much else.

For a little insight into what makes BlackBerry Balance tick, we tapped our own Sith_Apprentice to give us a breakdown of how it all works and just how secure your data is.

What is BlackBerry Balance?

According to BlackBerry, BlackBerry Balance is “designed to separate and secure work and personal information on BlackBerry devices so users can stay connected to the important people and things in their life. Whether users are using their own device or one provided to them, BlackBerry Balance technology helps give them peace of mind that their privacy is respected while their sensitive work information is protected.”

BlackBerry Balance – A Brief History

Balance isn’t a new feature and has actually been around for several years. It was first introduced with BlackBerry Enterprise Server 5.0.3 for devices running BB OS 6.0 MR2 or newer. At the time the options were very limited and provided only the most basic of rules (three IT policy rules). The data was not segregated on the device, but was rather “tagged”. There were no significant improvements with BB OS 7 or 7.1.

The major improvements to Balance arrived with the QNX-based OS in PlayBook 2.0. For the first time, data was completely segregated and no longer just “tagged” based on the domain. Any information that came through the work space was automatically stored in the Work mode of the device and kept separate from anything personal.

From PlayBook OS 2 to BB10 there were no significant back-end changes, though obviously there have been a number of changes to the user experience. Balance is also now baked into every BB10 device, and all it requires is an activation on BES 10 or higher in order to access it.

Well that’s all fine and dandy, but why should I care?

For the first time, you can truly separate your work and personal lives. Your personal data is isolated to ONLY the personal space (unless work data is allowed to access it, in which case it can be brought into the work side). You can also download and run any applications you want on the personal side without worrying about any sort of compromise to work data. You also get a single, unified view of all of your emails, contacts, tasks and notes without having to keep switching in and out of applications. You get this powerful security tool in the palm of your hand without the unnecessary burden of “visible” security.

How BlackBerry 10 devices protect work data

BlackBerry 10 devices encrypt data stored in the work file system using XTS-AES-256.

A device randomly generates an encryption key to encrypt the contents of a file. The file encryption keys are protected by a hierarchical system of encryption keys as follows:

  • The device encrypts the file encryption key with the work domain key and stores the encrypted file encryption key as a metadata attribute of the file
  • The work domain key is a randomly generated key that is stored in the file system metadata and is encrypted using the work master key
  • The work master key is also randomly generated. The work master key is stored in NVRAM on the device and is encrypted with the system master key
  • The system master key is stored in the replay protected memory block on the device
  • The replay protected memory block is encrypted with a key that is embedded in the processor when the processor is manufactured

The file encryption keys, the work domain key, the work master key, and the system master key are generated using the BlackBerry OS Cryptographic Kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS.

How BlackBerry 10 devices protect personal data

BlackBerry 10 devices can also encrypt the files stored in the personal space.

You can use the Personal Space Data Encryption IT policy rule to turn on encryption for the personal space of devices. If the Personal Space Data Encryption rule is set to Yes, files stored in the personal space of the device are encrypted. If this rule is set to No, users can choose to encrypt files in the personal space using the Device Encryption option in the Security and Privacy settings on the device.

If encryption is turned on for the personal space of the device, the device encrypts files stored in the personal file system using XTS-AES-256. A device randomly generates an encryption key to encrypt the contents of a file. The file encryption keys are protected by a hierarchical system of encryption keys, as follows:

  • The device encrypts the file encryption key with the personal domain key and stores the encrypted file encryption key as a metadata attribute of the file
  • The personal domain key is a randomly generated key that is stored in the file system metadata and is encrypted using the personal master key
  • The personal master key is also randomly generated. The personal master key is stored in NVRAM on the device and is encrypted with the system master key
  • The system master key is stored in the replay protected memory block on the device
  • The replay protected memory block is encrypted with a key that is embedded in the processor when the processor is manufactured

If you set the Personal Space Data Encryption IT policy rule to Yes, you should also set the Apply Work Space Password to Full Device IT policy rule to Yes so that the work space password applies to the entire device. If you set the Personal Space Data Encryption IT policy rule to No and the user chooses to turn on encryption for the personal space, the device prompts the user to type a new password if the device does not already have a password.

Devices can also encrypt all files stored on media cards that are inserted in devices (only personal data can be saved to media cards). You can set the Media Card Encryption IT policy rule to Yes, to require that a device automatically encrypt all files stored on media cards using a device key.

The file encryption keys, the personal domain key, the personal master key, and the system master key are generated using the BlackBerry OS Cryptographic Kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS.
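Both key hierarchies above (work and personal) have the same shape: a random per-file key, wrapped by a domain key, wrapped by a domain master key, wrapped by a system master key that is itself rooted in hardware. The following Go program is an added example and not BlackBerry code; it models that chain so the two consequences a practitioner cares about can be checked: every file carries its own wrapped key as metadata, and discarding one domain's wrapped keys (the mechanism behind a selective work-side wipe) makes that domain's files unrecoverable without touching the other domain. The page names only the ciphers, so AES-256-GCM is assumed in place of both the device's key-wrapping mode and its XTS-AES-256 file encryption, crypto/rand stands in for the BlackBerry OS Cryptographic Kernel, and the type and function names (Domain, File, Demo, wrap, unwrapChain) and the sample file contents are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustRandom stands in for the device's FIPS 140-2 certified cryptographic kernel.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM, used here in place of the device's key-wrapping mode
// and of XTS-AES-256 on file contents (the page names only the cipher).
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a programming error
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// wrap returns nonce || ciphertext || tag of data under key with a fresh nonce.
func wrap(key, data []byte) []byte {
	g := aead(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, data, nil)
}

// unwrap reverses wrap; a wrong key, a tampered blob or a wiped (nil) blob fails.
func unwrap(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("no wrapped key present")
}

// unwrapChain walks a hierarchy: each blob is unwrapped with the key recovered from the previous one.
func unwrapChain(key []byte, blobs ...[]byte) ([]byte, error) {
	var err error
	for _, b := range blobs {
		if key, err = unwrap(key, b); err != nil {
			return nil, err
		}
	}
	return key, nil
}

// Domain is one perimeter (work or personal). Only wrapped keys are stored: the domain key
// under the domain's master key (file system metadata) and that master key under sys (NVRAM).
type Domain struct{ sys, wrappedDomainKey, wrappedMasterKey []byte }

// File is content under its own random key, plus that key wrapped under the domain key.
type File struct{ wrappedFileKey, ciphertext []byte }

func NewDomain(sys []byte) *Domain {
	master, domain := mustRandom(32), mustRandom(32)
	return &Domain{sys, wrap(master, domain), wrap(sys, master)}
}

// Encrypt stores content under a fresh per-file key wrapped with the domain key.
func (d *Domain) Encrypt(content []byte) (*File, error) {
	dk, err := unwrapChain(d.sys, d.wrappedMasterKey, d.wrappedDomainKey)
	if err != nil {
		return nil, err
	}
	fileKey := mustRandom(32)
	return &File{wrap(dk, fileKey), wrap(fileKey, content)}, nil
}

// Decrypt walks system master key -> master key -> domain key -> file key -> content.
func (d *Domain) Decrypt(f *File) ([]byte, error) {
	return unwrapChain(d.sys, d.wrappedMasterKey, d.wrappedDomainKey, f.wrappedFileKey, f.ciphertext)
}

// Wipe models a selective wipe: dropping this domain's wrapped keys strands every file in it.
func (d *Domain) Wipe() { d.wrappedDomainKey, d.wrappedMasterKey = nil, nil }

// Demo reports whether a personal file and a work file (constructed sample contents)
// still decrypt after a work-only wipe; expected: true, false.
func Demo() (personalOK, workOK bool) {
	sys := mustRandom(32)
	work, personal := NewDomain(sys), NewDomain(sys)
	wf, _ := work.Encrypt([]byte("constructed sample: work report"))
	pf, _ := personal.Encrypt([]byte("constructed sample: holiday photo"))
	work.Wipe()
	_, errW := work.Decrypt(wf)
	pt, errP := personal.Decrypt(pf)
	return errP == nil && string(pt) == "constructed sample: holiday photo", errW == nil
}

func main() { fmt.Println(Demo()) }
```

Run it with go run; it prints "true false": the personal file still opens after the work keys are gone, the work file does not. The model deliberately does not attempt XTS, which is unauthenticated and intended for sector-level disk encryption, so an authentication failure here corresponds on the real device to unreadable plaintext rather than an error. The sys value held in memory is the part a real device keeps in the replay protected memory block under the processor-embedded key, which is why the chain, not the file system, is what a wipe has to destroy.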

Still want more? You can read more on BlackBerry security on BES 10 here.

Adam Zeis, Mobile Nations Content Strategist

Reader comments

Totally agree. I'm a small business owner who would looooove to be able to turn my work stuff off when I get home, but only use one device. BlackBerry, please please make this feature available to all.

Sometimes BlackBerry confuses me. On one hand they say that the Z & Q 10's aren't just a business device, that they are great for personal use and entertainment, then on the other hand they say here is this great feature that is only available to BES users. My organization only has two users of work phones and aren't on a BES but have a huge need to keep personal and business information completely separate and confidential. If BlackBerry made this accessible to all, and got the notifications put back to the way they were on 7.1, my Z would be PERFECT!

BlackBerry is making it "accessible to all," you just have to pay for it :)
The one thing that is generating good margin for BlackBerry, you want for free. I don't think that's going to happen anytime soon.

A super awesome feature that would actually make BlackBerry sell well again and set it apart from the competition - they'd be better off making it free (not BES, but we're talking just the 'balance' feature)... but no... they won't.. until the 'others' make it free to consumers and BlackBerry once again loses more market share. brilliant.

I would willingly pay €5 every month like on legacy devices... they got rid of it all together... instead they should have made it optional...

Anyone who wants it for free needs to stop smoking what they're smoking... It wasn't free on legacy devices... It won't be free with BlackBerry 10...

From the Z...

So the real advantage over something like KNOX is maybe the BlackBerry OS Cryptographic Kernel?
It seems that one still needs to switch between a corporate and personal dashboard.

I believe that the big advantage is that the encryption goes all the way to the processor whereas the competition can only have encrypted containers sitting on top of the filesystem.

Posted via CB10

This is correct. Completely separate, encrypted separately (if you want on personal side) file systems within the device. The data from them also travels different routes when sent/received.

I believe that once a user switches to the corporate side and opens an app the app will be open in the active frames along with all other apps. So both personal and business apps will be running in the active frames at the same time and there will be no need to switch back and forth between sides other than opening apps. This will also allow a user to run two instances of the same app, personal browser and business browser with access to corp. intranet for example. The business apps have a briefcase in the lower right hand corner of the active frame.

This is something that I think will set it apart from iOS and Android as well.

If I am wrong on this, someone, please correct me.

You are correct, you can run both at the same time. While this is a benefit, it is more an inherited benefit of Balance rather than a primary reason. BlackBerry wanted to keep the user experience the same for work and personal, and allowed for it to show both sides simultaneously (if the IT admin allows) and gave the hub a single pane of glass look into all messages.

The first thing I tried when booting up my Z for the first time was balance...... Only to find out you had to be connected to BES to use it.... That was a sad day for me... In all the advertising leading up to launch I didn't read or hear that you needed to be connected to BES (like so many others). I have read in the forums that the use of Balance may be coming in 10.2 for non BES users.. Not sure how reliable that info is though... fingers crossed!

Balance is awesome, and yes you have to switch between a Work and Personal desktop. The switch is very simple and it's very nice to keep things separate from each other. My only real complaint is if the SD card is fully encrypted, why not allow a segregated part of it to be used for Work storage? Otherwise no real complaints.

As for non-BES users, 1/2 of the reason there is a Work space on BB 10 devices is that all of the apps that run in that space are proxied back through the BES as if the user was on the corporate network. If you don't have a BES then the Work space would just be a form of organization really and I'm not sure what exactly it would buy you as I don't think you could do selective work side only wipes from corporate w/o a BES.

It would be a benefit because I could organize my phone from my business and personal life, and essentially turn off the business 'stuff' when I get home, and not have to be bothered by emails, and such all day... would be an awesome feature to make available for everyone.

Could an NFC tag work for that? Essentially "tap" to turn off all notifications and remove from the hub all work email accounts.

I don't know how feasible this might be, but it's a possible work-around.

Via Q10

You don't need to remove the Work email from the Hub, just turn off the default display of it. I do this for Facebook now, and when I want to read my Facebook messages I switch to that email account in the Hub and it shows them to me (just not in the global Hub view).

Small business wish list:
1) Add a separate contacts list for work that syncs and updates with my work outlook only
2) Add a time setting for each email account. Ex. Work monday to Friday 7am to 5pm
3) Maybe a feature in the calendar also to quick select ( vibrate only, silent, no notifications) when creating an appointment.

#1 - You can't do this with two ActiveSync accounts now?
#2 - What do you want this time setting to do exactly. I have Balance now myself and I get email from both Personal and Work accounts now all the time. The only advantage off hours is that the Work email is pseudo hidden because the work space is locked (until I unlock it).
#3 - That sounds like an interesting idea, but would be separate from the Balance discussion.

Yes, I should have clarified that it would be nice to have the three options baked into the phone because most people will not have a bes/balance setup for 1 or 2 phones.

I guess I should have been clearer - I don't know what you mean by "turn off". If you mean stop receiving email altogether, I'm not sure what the advantage there would be when your phone has to download all the new stuff come Monday morning. Also ActiveSync was designed to be a syncing technology, not a batch download technology. I.E. I am not sure that would be wise long term.

If you meant simply turned off in the default display of the Hub, then that's probably a good idea for an app someone could write to give a Balance like "locked" work view experience.

I think you have a misunderstanding of how Balance works/what the Work Space buys you.

When I "get home" my work space is locked because of a time out, and while I don't see the work messages in the Hub, I do see the fact that I have new work messages and I have the option to unlock the work space to see them from within the Hub. While that is nice, you could simulate this view segregation in the Hub by simply turning off the default display of your work email when you get home from work, and turn it back on when you go back. If you ever wanted to see the work messages when the default view is turned off in the Hub, you could navigate directly to the Work email folder in the Hub.

Even with the work space locked I still see my work contacts, and the other messaging aspects are not considered work space (SMS, BBM, Phone, etc...) to be locked out ever, so Balance doesn't really change things there.

Beyond that the work space just stores duplicates of the core apps, plus any apps your work environment pushed out to you. The difference with the apps in the work space is they run through your BES 10 server to be proxied through to your environment, but this is because you have a BES 10 server. I.E. Unless you want the apps proxied through your work environment, there is no real benefit to the "Work space" over the personal space because you could put all of your "work" apps on your personal space in a "Work" folder if you didn't want to see them on a day to day basis (but they wouldn't be proxied through a BES).

So to recap the work space lockout auto-"hides" your work email in that you still see a count of them in the Hub but have to unlock the work side to see them, otherwise the apps on the work space are there so that you can run them in a BES proxy enabled environment. I'm not sure what other organization you are looking for that you can't simulate by turning off your work email display by default in the Hub.

Interesting your work contacts are not removed/hidden along with your work Email and Calendar when you lock your work space. I think what people are looking for is this same principle with a Work EMail account, or Exchange ActiveSync account, without the need for BES 10.

It's probably because we leave "Personal Apps Access to Work Contacts", because there really isn't a reason to block access to your work contacts at any point in time. I.E. There is no security issue there with knowing your boss's phone number w/o having to switch to the work mode.

I think the work email disappearing could be faked, maybe facilitated with an app with a timer built in. The calendar was one I forgot that is locked, but again I am not sure that needs to be turned off over the weekends/off hours because I doubt people have meetings during those time frames that require being blocked so they don't see it, and even then I see those entries on my calendar, just not the details. Reminders for work calendar entries come up whether the work side is locked or not, it's just the details are hidden while they are locked, so I don't think there is any value to segregating the calendar.

As for separate contacts, mailboxes, calendars, etc... don't you get that with two ActiveSync accounts now in the non-Balance personal side? I.E. Balance would only facilitate blocking the view of some of the data, and not in the way most of the people here responding would think.

ActiveSync is not treated anywhere the same and is generally the same as other email accounts with slightly better security and baseline management policies.
As for the balance policies they are much more robust and for those in high security environments no work data should be inadvertently shown. I come from one of those environments and having that data shown in personal mode is absolutely not allowed. Some of my users have contact information for government officials. This can absolutely not be public.

I think you were missing my point that two ActiveSync accounts = segregated contacts, calendars, mailboxes, etc. The only difference with Balance is the storage of that data is in a completely different partition versus just a different bucket and the additional security policies and mechanisms around it, which if you didn't have Balance wouldn't stop you from having separate work and personal data on the device stored in separate buckets (but on the same "personal" side of the device).

My work place deals with government regulations and policies both from a federal as well as health care perspective (we get it coming and going when it comes to policies and regulations) and there is no policy here about not seeing work data in a "personal mode", so I am unclear what agency would have this requirement or even why especially since personal mode split identity devices is a relatively new concept. There is a federal policy about not "storing" work data on personal devices, but there are exceptions such as when the location they are stored is an approved FIPS 140-2 capable encrypted location and the data is controlled by the federal agency.

Having two ActiveSync accounts on the personal side does not segregate the data properly. It only keeps messages and other PIM data separate. Where do you store pictures you get in emails, how about cut/copy/paste, or screen shots, etc. How do you protect your data from malicious applications that users download or even sideload?
Balance provides all of those protections and more. ActiveSync is woefully lacking in general, and even less robust on BB10.
As for regulations, some Agencies go above and beyond the published guidelines. Having come from an agency like yours (government medical), I definitely understand the situation you are in. I ran an environment like that for 3 years.

All ActiveSync accounts are stored in separate buckets, whether all on the personal storage or split between personal and work storage. I'm not sure what your definition of "properly" is in regards to storing data separately, and if these individuals have the same work requirements your work place has, then their work should be deploying BES, but most of these users saying "that would be nice" or "I wish I had Balance" don't have those requirements.

You are now arguing that where you store >other< data such as saved pictures isn't separate and that was not my point nor was that what these people were saying they wished Balance would give them.

Yes if you want your work data completely walled off and separate from your personal data, then you need Balance. But that isn't what these other people have been asking for in regards to "shutting off work email", or keeping their contacts and calendar data separate (which they are with two ActiveSync profiles). And technically you could store your work and personal data in different root folders on your storage card - which is an important point to make to people that they can't even access the storage card from work mode so with Balance they are limited to the shared 16GB of on-device storage which is worse IMHO because you have to fit two identities (work and personal desktops, apps, etc...) and ALL work storage inside one 16GB bucket, and most personal apps don't store their data outside of this space so the space gets really tight.

All Balance would give these non-BES people is a forced completely separate storage area for all work data and a separate time-out for work data (it wouldn't turn it "off" like one user keeps asking for). I'm trying to show these people that they would get no real additional security or protections without the BES, and 90% of what they are asking for can be simulated without the Balance method.

Let's not confuse your very hard core security requirements with what the users who are wishing they had Balance are asking for.

Wow that's quite informative. Thanks Sith!

I knew my Q10 had encrypted layers, but it didn't realize it had that many :)

Posted via CB10

The only way this could work is with a Bes plan. Unfortunately I use Microsoft Exchange. Wish I could use it :(

Posted via CB10

That is incorrect - I have a standard data plan on my personal AT&T BlackBerry Z10 and I am able to run Balance just fine. The Work only/Regulated mode is what requires a special BES plan from the carrier, and honestly I think that's just a revenue stream with nothing special about it.

It is that and more. It REMOVES the personal side of the device, which is (for lack of a better term) enabled by service books. All of those apps that operate on the personal side (BBM, SMS, etc) are moved into the work perimeter.

I don't think a specific BES plan does anything to your device, the fact that you are making it Work Only/Regulated does.

Even if you set it regulated on the BES, unless provisioned it won't apply properly to the device (at least on AT&T and Verizon). The carrier blocks this feature until the proper plan is activated (which for lack of a better term sends the service books to the device). That's all I was saying :)

All that encryption only to have someone set their password as 1111
Thankfully the BES takes care of that ;)

Yes it does. I love being able to set complexity rules. Forcing two factor authentication is best of course. (See the talk mobile from today)

Smart Card or RSA token + PIN/Password

Want Balance without BES. Please

I was so excited when balance was announced, would have been perfect for my small business to keep it separate from personal, but then I was disappointed.

Posted via CB10

Currently, Balance is limited to activation on BES only. There is a reason for this, and it goes back to the business environment. Balance was created to assist with BYOD, and allow users to bring their devices, and IT to manage it securely, but keep a STRICT separation between the two.
While there are definitely use cases for Balance on a personal device, without work, it is a bit of overkill if you think about it. With all of the additional layers of security, and key negotiation, encryption, etc that is included in Balance, this really doesn't make sense in a strictly personal sense.
What COULD make sense is something similar to balance, without the additional encryption, data at rest protection, and in transit encryption. Something that is a "limited" profile or space on the phone that you can swipe in and out of similar to balance. For those on BES it would be a third tab/pane. It could operate as a segregated view, and be turned on/off, but not rely on BES and the security therein. This could be something for small businesses definitely (unless they want to do a BES express type thing).
Also keep in mind that BlackBerry works with Office 365 and hosted BES providers. Being able to extend this server to BES 10 would be a great boon for them in terms of allowing end users customize their device with Balance, and manage it themselves.

I think most people here just want a guest partition that they can swipe into, just like the work partition of balance. The guest partition has access to core apps and not personal content such as but not limited to apps, pictures, videos and documents. Each parameter could be toggled on/off for viewing for the guest. In order to access the owner partition again, a password would have to be entered, which is also optional.

posted via CB10

That would be exceedingly difficult to do. What happens when you get a phone call from someone not in your contacts. Is that work or personal? Who holds accountability for tagging those calls?

What I really want to see is the ability to attach pictures taken with the camera to work email.

In my line of work sometimes I have to send in reports with photo evidence. With the great camera on the z10/q10, I rarely use my digital camera anymore.

Perhaps there is a way to change this through bes policies? Essentially allowing camera to be run under work mode and save those pictures in the work space?

Mashed from my BlackBerry ZED TEN.

I personally think Balance works fine. I just wait for the new policies to be rolled out to stop seeing private mails in work hub and vice versa.

BTW I have currently no problem sending data, e.g. camera photos, from private space over work space email, only when I try to send work stuff through private channels policies block access.

Posted via CB10

Hmm. Are you able to view a photo taken previously, attach it to your work email, and send it out? I am not talking about using personal email (eg gmail), attach photos and send to work email.

Mashed from my BlackBerry ZED TEN.

I agree with nearly everyone! This feature needs to be activated at all times!! Even if you don't wanna separate BES data or don't have the ability to. It would be an awesome feature to be able to use as a consumer, I would love to separate my work or school data from my personal info. It would add a much nicer and higher level of uniformity and organization. Please listen BlackBerry we want to help!

Posted via CB10

Seriously it is a pita. Adding contacts on the phone will often put them on the personal side, which means they don't sync to outlook. Not handy at all.

My Ford sync has had a bugger of a time downloading contacts. Guess why? Yup - balance. It often can't download from the work side whether it's open or not.

As a user I find no real advantage, only limitations of being able to legitimately copy and paste stuff to send via text (again, texts seem to be considered personal, or it's the contact thing mentioned above), etc. If they didn't segregate contacts in a ridiculous way, I would probably not notice it.

Posted via CB10