What is the BlackBerry Enterprise Store and why would I want to use it? What is a BlackBerry Container?
The BlackBerry Enterprise Store is where an organization approves authorized applications that users can download and use.
The BlackBerry (BB) container is a protected (encrypted) location that allows administrators to enforce certain restrictions, such as on copying and pasting data into or out of other apps, including apps outside of the container. It also keeps personal and work content separate, which is really nice for BYOD use cases.
If a user loses the phone or no longer works at the organization, you can revoke access to the container and wipe it. The data within the container will be gone, and the rest of the user’s device is not affected. This container-style method can significantly reduce pushback from BYOD users, as we do not control the entire device but just the organization-owned applications within the container.
In addition, the container can be configured to backhaul all network traffic over a VPN connection back to your corporate network to ensure consistent and secure connectivity to external and internal resources via your firewall infrastructure and security policies.
What happened?
Over a year ago, I was working on a project where the IT teams were implementing single sign-on for a particular mobile application built for the BlackBerry Enterprise Store. One of the issues the team was encountering was that SSO requests were not working correctly: our pilot users could not authenticate.
Expected Behavior
- iPhone (BB Container App) > BB VPN Tunnel > Corp FW > ADFS Server (Accessible Internally Only)
The team had calls with the SaaS provider, and they could not figure out the issue. They had spent several weeks reviewing BB policies, firewall configurations, etc., to no avail. Eventually, I was brought in to help check the issue. Our SSO team is top-notch, as are our other teams, so I already knew there was a more significant issue at play. The team had already ensured the internal network was forwarding the requests from our firewall to the SaaS provider.
During testing, I had our team remove IP Office allow-listing from the vendor IDP SaaS service and noticed that authentication requests for SSO would work. This change resulted in unexpected behavior because we backhaul all traffic from the BB Container over the BB VPN Tunnel to our corporate firewall and this application is no different. The teams confirmed that the BB policies were correct and even had BB Support review them. BB Support even provided us logs showing data was going across the BB VPN tunnel. However, I thought that maybe BlackBerry did not see the whole picture; could that be possible?
I ended up reaching out to our SaaS vendor and asked if they could provide a list of all the IPs they saw from our SSO requests. They were very adamant that their configuration was correct and something had to be wrong on our side, but did state they would get back to me with the logs, though it could be a few days. During the same period, I decided to fire up BurpSuite and review the network connection requests.
I performed SSL/DPI inspection from my iPhone using Burp, and lo and behold, I noticed that this custom-designed BB App was leaking data out of the VPN tunnel!!! This behavior is a big no-no for us, even if this was just SSO SAML data. For our purposes, we wanted all data to route over our BB VPN connection so we could continue to use IP Office Allow-listing with SSO and still leverage our existing firewall security policies. The vendor also provided the log details confirming the issue we were seeing.
Actual Behavior (SSO Requests Split)
- Some Requests: iPhone (BB Container App) > BB VPN Tunnel > Corp FW > ADFS Server > SaaS Vendor
- Some Requests: iPhone (BB Container App) > Cell/WiFi Non-VPN Tunnel > SaaS Vendor
Further Analysis/Vendor Assistance
We had several calls with the application vendor, spoke with other customers and also opened a case with BlackBerry Enterprise. The other customers we reached out to, who were also leveraging the vendor's app, just figured it was normal that they had to disable IP Office Allow-listing to get their SSO to work. If they had had the insight to delve deeper, they could have uncovered this issue. Our calls with BlackBerry Engineering (Application Development) were extremely professional, with knowledgeable engineers. I worked with several BB engineers, including developers from the Vendor SaaS service, for a couple of days to explain the issue I had uncovered and also to understand the root cause of how this particular app was able to leak data out of the VPN tunnel. During this process I learned some aspects of iPhone/SDKs that I did not know about. The BB engineering team later worked with the SaaS provider to fully uncover and resolve the issue. I really enjoyed these technical discussions even though I wish we didn’t have to spend all this time on this issue.
BlackBerry SDK and External Library Risks
For the BB container features to work, including intercepting network communication on an iPhone, the application has to be built with, and actually use, the BlackBerry SDK. As it turned out, the Mobile Application did not use the SDK for all network communication. It was also using a third-party library for part of the network calls. This other network library is ultimately why the application did not fully utilize the VPN backhaul and why we saw split network requests, some going over the VPN Tunnel and some leaking out over the local network provider.
In addition, the vendor that created the Mobile Application had no way to test or even simulate a BB VPN network since they did not operate any BB infrastructure. Unfortunately, I still believe there is no way to perform a simulated test, even if you wanted to. The only way to test is in production.
The vendor eventually was transferred over to work with BlackBerry Engineering to resolve their application issues and released an update a few months later. We confirmed this updated app worked.
Recommendations/Lessons Learned
- Always verify your applications
- Ask questions, test and validate vendors' claims and your controls
- BB should perform better analysis / vendor app review to ensure the BB SDK is fully utilized, especially for critical security features.
- BB should provide customers with the ability to test the VPN Tunnel to ensure data is not leaking out.
- Vendors building applications need to fully understand that the BB enterprise store is more than just an approved app list: it enables many more features, including VPN backhaul.
How can I test to see if network data is leaking out of the VPN Tunnel?
One quick way you can test this is by performing the following steps.
- Use BurpSuite or another proxy tool and install that tool's SSL/DPI inspection cert onto your phone.
- Next, initiate network-based actions via BlackBerry Browser or from other applications.
- If you see network requests in BurpSuite, then there are network requests leaking out. However, that does not constitute a problem if it is configured that way via BB policy, so keep that in mind.
- If you do not see network requests, then no network data is leaking. You can verify by toggling a BB policy on and off for testing to ensure you do not have a false negative, such as one caused by not properly using SSL decryption when testing.
- Note: You can also create BB policies to bypass data from going through the VPN tunnel so that you may have applications in this state for specific work scenarios.
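The server-side cross-check used in this investigation, asking the SaaS vendor for the source IPs of the SSO requests, can be scripted to spot users whose requests are split between the tunnel and a direct path. This is an added example, not code from the original post or from BlackBerry; the log layout, the `CORP_EGRESS` range, the sample lines and the function names are assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: public egress range of the corporate firewall (documentation addresses).
CORP_EGRESS = [ip_network("203.0.113.0/28")]

# Constructed sample of a vendor IdP log export: timestamp, user, source IP, request path.
SAMPLE_LOG = """\
2021-03-01T09:00:01Z,alice,203.0.113.5,/sso/saml/login
2021-03-01T09:00:02Z,alice,198.51.100.77,/sso/saml/acs
2021-03-01T09:05:10Z,bob,203.0.113.6,/sso/saml/login
2021-03-01T09:05:11Z,bob,203.0.113.6,/sso/saml/acs
2021-03-01T09:07:30Z,carol,2001:db8::25,/sso/saml/login
2021-03-01T09:08:00Z,dave,not-an-ip,/sso/saml/login
"""

def via_tunnel(src):
    """True if src is inside a corporate egress range, False if outside, None if unparsable."""
    try:
        addr = ip_address(src.strip())
    except ValueError:
        return None
    return any(addr.version == net.version and addr in net for net in CORP_EGRESS)

def classify(log_text):
    """Group each user's requests into tunnel / leaked / unparsed buckets."""
    users = defaultdict(lambda: {"tunnel": [], "leaked": [], "unparsed": []})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:  # skip blank or malformed lines
            continue
        ts, user, src, path = row
        verdict = via_tunnel(src)
        bucket = "unparsed" if verdict is None else ("tunnel" if verdict else "leaked")
        users[user][bucket].append((ts, src, path))
    return users

def report(users):
    """Return {user: state}; 'split' means some requests used the tunnel and some did not."""
    def state(b):
        if b["leaked"]:
            return "split" if b["tunnel"] else "all-outside"
        return "all-tunnel" if b["tunnel"] else "unknown"
    return {user: state(b) for user, b in users.items()}

if __name__ == "__main__":
    for user, state in report(classify(SAMPLE_LOG)).items():
        print(f"{user}: {state}")
```

A "split" user matches the behavior described above: part of one sign-in arrives from the corporate firewall and part from a carrier or Wi-Fi address, which is what an IP allow-list on the IdP then rejects.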
Conclusion
As we have learned, just because an application is in the BlackBerry Enterprise Store does not mean it is fully taking advantage of all the BB features correctly. Like anything in security, the motto remains “Trust but Verify”. Unfortunately, other apps may exhibit the same behavior, with network requests not going through the VPN tunnel. It is also essential to take away from this that the BlackBerry Enterprise store is not just for approving applications for organizational users but also for ensuring that the existing security controls in place are being fully utilized to secure data.