All BlackBerry Dynamics ISV apps that are sold on public app stores (e.g. the Apple App Store, Google Play) or published to the BlackBerry Marketplace must be certified. Certification testing ensures a consistent security level within apps and across apps in the BlackBerry ISV ecosystem. Customers of BlackBerry Dynamics expect and require apps to be certified. Results of pen-tests performed by customers have shown significantly less issues with BlackBerry Dynamics secured applications than those secured by competitors. For these reasons BlackBerry Dynamics certification benefits customers, ISVs and BlackBerry.
BlackBerry Dynamics applications are structured as in the diagram above using either the Native or Hybrid approach. A large portion of the code (red boxes), typically well above 90%, is developer or framework code independent of BlackBerry Dynamics. The rest of the application consists of the SDK API library from BlackBerry Dynamics (orange boxes) and the device OS APIs (orange-blue box).
The 3-step certification process is designed specifically for this structure:
- Static binary testing is performed using a service provided by Veracode which scans apps looking for security vulnerabilities. A policy of more than 100 tests is applied to the app binary. The tests correspond to a subset of the vulnerabilities found in the Common Weakness Enumeration on the site maintained by Mitre (see https://mitre.org/data/slices/2000.html). An example is CWE 391 which is failure to check return codes that can result in a device being rooted. ISVs upload their apps to Veracode for scanning, address any flaws identified and submit results to BlackBerry for review. The BlackBerry Dynamics SDK is also scanned.
- Dynamic functional testing is done to ensure that the ISV has integrated the BlackBerry Dynamics APIs and implemented data leakage requirements correctly. Functional test use cases are provided by BlackBerry for the ISV to test against. All applicable tests must be passed. Video clips of the test runs are sent to BlackBerry for review.
- The Security Team Review is the final step in the process. ISVs present a checklist indicating which APIs and data leakage rules are applicable to their app and indicate compliance or request exceptions. The exception process is designed to address issues outside the scope of the BlackBerry Dynamics architecture or security rules. The granting of exceptions is fairly rare.
The steps above ensure that the entire app is tested for vulnerabilities, the APIs are integrated correctly and any exceptional situation is addressed. Overall, the process is reasonably light weight, but has been very successful in meeting the needs of our customers. BlackBerry recommends that customers do more extensive testing including pen-testing as appropriate to meet their security needs. BlackBerry works closely with ISVs and customers to resolve any issue that might arise.