
What Is - BlackBerry Support for HTTPS connection

Last Updated: 2 June 2009
Article Number: DB-00423

Summary

This article applies to BlackBerry® smartphones based on Java® technology.


Description

The BlackBerry® Browser and BlackBerry applications are able to make use of Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connections. The following are the three possible routes available for making HTTPS connections:

  1. Wireless service provider’s WAP Gateway

     When creating a connection through a Wireless Application Protocol (WAP) 1.x Gateway, the gateway can be configured to create HTTPS connections to origin servers. In this configuration, the connection between the BlackBerry smartphone and the WAP gateway is encrypted with Wireless Transport Layer Security (WTLS).

     In WAP 1.x, the WAP security gap occurs when WTLS is used over WAP. WTLS-encrypted Hypertext Transfer Protocol (HTTP) requests are decrypted at the WAP gateway and then re-encrypted using HTTPS before they are sent to the origin server. HTTPS-encrypted HTTP responses are decrypted at the WAP gateway and re-encrypted with WTLS before being sent back to the BlackBerry smartphone. The plaintext of every request and response is therefore exposed inside the gateway.

     WAP 2.0 supports Secure Sockets Layer (SSL) over HTTP (HTTPS), which secures the connection between the BlackBerry smartphone and the target server. Support for HTTPS connections through a WAP gateway may depend on the wireless service provider. Contact your wireless service provider for details on connections permitted using the WAP gateway.

  2. Direct TCP Connection

     Direct Transmission Control Protocol (TCP) connections are supported with BlackBerry® Device Software 4.0 and later. When creating an HTTPS connection using a direct TCP connection, data is encrypted between the BlackBerry smartphone and the origin server and is not decrypted at any point in transit.

  3. BlackBerry MDS Connection Service

     When connecting to the wireless network using the BlackBerry® Mobile Data System (BlackBerry MDS), the following connection modes are possible:

     • Proxy mode

       In Proxy mode (the default setting), the connection between the BlackBerry smartphone and the BlackBerry® Enterprise Server is encrypted using the same Advanced Encryption Standard (AES) algorithm that is used for messaging by default. This configuration also includes a security gap. AES-encrypted HTTPS requests from the BlackBerry smartphone are decrypted at the BlackBerry Enterprise Server, passed unencrypted to the BlackBerry MDS Connection Service and HTTPS-encrypted before they are sent to the origin server. HTTPS-encrypted HTTP responses are decrypted at the BlackBerry MDS Connection Service, then passed unencrypted to the BlackBerry Enterprise Server, where they are AES-encrypted again before they are forwarded to the BlackBerry smartphone.

       A significant difference between the BlackBerry MDS Connection Service configuration and the WAP configuration is where the security gap sits: in the WAP configuration it is often at the wireless service provider, whereas in the BlackBerry MDS Connection Service configuration it is behind the corporate firewall, which is usually considered to be more secure.

     • End-to-end (Handheld) mode

       End-to-end (Handheld) HTTPS mode is supported in BlackBerry Device Software 3.6.1 and later. The TLS Default option appears in the Security Options for Transport Layer Security (TLS) on the BlackBerry smartphone. BlackBerry smartphone users can set the TLS Default option to Handheld, which uses a direct TLS or SSL connection. This setting applies to all HTTPS connections that the BlackBerry Browser makes.

       All traffic between the BlackBerry MDS and the BlackBerry smartphone is AES-encrypted. Therefore, traffic between the BlackBerry Enterprise Server and the BlackBerry smartphone is encrypted twice: once by HTTPS and then with AES between the BlackBerry MDS and the BlackBerry smartphone. This leads to a small increase in bandwidth usage and battery usage by the BlackBerry smartphone. In addition, since traffic is already HTTPS-encrypted when it arrives at the BlackBerry MDS, no content optimizations can be applied, which can significantly affect performance.

       To use end-to-end (Handheld) mode from within a BlackBerry smartphone application, the application developer can add one of the following parameters to the connection string passed to Connector.open():


    • EndToEndRequired: Specifies that an end-to-end HTTPS connection must be used from the BlackBerry smartphone to the target server. If an end-to-end HTTPS connection cannot be set up, the connection is closed.
    • EndToEndDesired: Specifies that an end-to-end HTTPS connection should be used from the BlackBerry smartphone to the target server (if the BlackBerry smartphone supports it). If the BlackBerry smartphone does not support end-to-end SSL/TLS connections, and the user permits proxy SSL/TLS connections, then a proxy connection is used.

    For example, the following connection string requests an end-to-end HTTPS connection for the application (the cast to HttpsConnection is required because Connector.open() returns a generic Connection):

    // The ;EndToEndDesired suffix is the transport parameter; the cast selects the HTTPS-specific interface.
    HttpsConnection stream = (HttpsConnection) Connector.open("https://host:443/;EndToEndDesired");

    When the SSL/TLS connection options on the BlackBerry smartphone are set to use end-to-end (Handheld) HTTPS mode, the BlackBerry MDS Connection Service opens the TCP connection with the origin server. It also maintains a separate connection with the BlackBerry smartphone. When those connections have been established, the BlackBerry MDS Connection service passes the SSL/TLS-encrypted packets back and forth between the BlackBerry smartphone and the origin server. The encrypted packets are not decrypted at the BlackBerry MDS Connection Service, maintaining security from the origin server to the BlackBerry smartphone.
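As an added illustration of the parameters above (this is not code from the article or from the BlackBerry SDK), the following MIDP/BlackBerry Java class opens a connection with EndToEndRequired, treats a failed end-to-end negotiation as a hard error, and records the negotiated protocol, cipher suite and server certificate so an administrator can confirm the MDS Connection Service never saw plaintext. The host, path, class name and method names are placeholders chosen for this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;
import javax.microedition.io.HttpsConnection;
import javax.microedition.io.SecurityInfo;
import javax.microedition.pki.Certificate;

public final class EndToEndHttpsExample {
    // Placeholder host/path. ;EndToEndRequired makes the MDS Connection Service
    // relay the TLS/SSL bytes untouched; if that cannot be negotiated the
    // connection is closed and open/getResponseCode throws IOException.
    // ;EndToEndDesired would instead allow fallback to Proxy mode (plaintext
    // visible at the MDS Connection Service) when the device permits it.
    private static final String URL =
        "https://example.invalid:443/secure/status;EndToEndRequired";

    // Summarises the negotiated session so it can be logged for audit.
    static String describeSession(HttpsConnection conn) throws IOException {
        SecurityInfo info = conn.getSecurityInfo();
        Certificate server = info.getServerCertificate();
        return info.getProtocolName() + " " + info.getProtocolVersion()
            + ", cipher " + info.getCipherSuite()
            + ", server " + server.getSubject()
            + ", issuer " + server.getIssuer();
    }
    // Opens the end-to-end connection, checks the status and returns the body.
    public static String fetchEndToEnd() throws IOException {
        HttpsConnection conn = null;
        InputStream in = null;
        try {
            conn = (HttpsConnection) Connector.open(URL);
            conn.setRequestMethod(HttpConnection.GET);
            int rc = conn.getResponseCode();   // performs the TLS handshake
            if (rc != HttpConnection.HTTP_OK) {
                throw new IOException("unexpected HTTP status " + rc);
            }
            System.out.println("Negotiated: " + describeSession(conn));
            in = conn.openInputStream();
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[1024];
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
            return new String(buf.toByteArray(), "UTF-8");
        } finally {
            if (in != null) in.close();
            if (conn != null) conn.close();
        }
    }
}
```

Because the exception path is the only signal that end-to-end mode was refused, an application that must not fall back to Proxy mode should fail closed on IOException rather than retrying with EndToEndDesired.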

    Installing the SSL/TLS Security Package - BlackBerry smartphones running BlackBerry Device Software versions earlier than 3.6.1

    The SSL/TLS Security Package is an optional component that the BlackBerry smartphone user can choose to install from the Browser components in the Application Loader. This package can also be specified in the application loader Extensible Markup Language (XML) (ALX) file of an application to load the required files when the application is installed on the BlackBerry smartphone.


Keywords

https, secure connection, end to end, proxy mode