Image By Taavi Adamberg (Own work) [CC-BY-SA-3.0 (www.creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

Did you know that you can use your debug token for much, much more than just debugging? In fact, utilizing it properly can improve the security of your application development process.

There are four key roles that the debug token plays in the BlackBerry® application development lifecycle:

• Allows loading of unsigned applications on a BlackBerry® PlayBook™ tablet
• Enables debugging tools to connect to a BlackBerry PlayBook tablet
• Helps to protect your organization’s Code Signing Keys
• Facilitates controlled beta programs

Allows Loading of Unsigned Applications

Using a debug token for loading unsigned applications is the most common use case for a debug token and one that most developers use unknowingly because many of the BlackBerry Development Tools automate this process for you. This scenario is a major improvement over the workflow used for developing for BlackBerry® OS 7.1 and lower, which does not support the use of debug tokens. When developing for 7.1 and lower, you had to sign every build of an application before loading it on a BlackBerry smartphone. This required connections to be made to the RIM® signing servers for every build you wanted to test, which could take an inconvenient amount of time for a very large application. It also rules out developing without an Internet connection.

Debug tokens came to the rescue here, removing the signing requirement when testing and allowing for offline development. Simply create the debug token and load it onto your BlackBerry PlayBook tablet, and you will now be able to install and test your BlackBerry PlayBook applications without signing them. The initial creation of the debug token does require an Internet connection, but once created, it is valid for 30 days, giving you lots of time to develop while you’re away from an Internet connection.

Enables Debugging Tools to Connect to a BlackBerry PlayBook tablet

Having a debug token installed along with an unsigned development build of your applications enables all sorts of tools that can be used to debug your application. The tools available will vary depending on the type of application you are developing. For BlackBerry® WebWorks™ applications, it allows the use of WebInspector. Adobe® AIR® and Android™ applications can make use of the debugger and debugging tools in their respective SDKs. Developers using the BlackBerry NDK can use the standard debugging tools along with some more specialized features; such as views for memory and process information as well as code coverage. It also allows you to copy files to and from your application’s private sandbox area when running an unsigned development version of the application.

Protect your organization’s Code Signing Keys

You can run an unsigned application on a BlackBerry PlayBook tablet by using a debug token, removing the need to have access to the keys to sign the application. Debug tokens allow you to separate the process of application creation and publication. You can create and test an application using a debug token, then deliver the application to a supervisor or a client for signing and publication. This enables you to keep your code signing key on a secure central build machine or in the hands of the client who will own the application. Remember, your code signing key is the component that uniquely identifies you as a developer. It’s very important to keep this safe because anyone with access to your code signing key is able to distribute upgrades to your application that appear to come from you. You should also back up your keys because if you lose them you lose the ability to release updates for your applications.

Facilitate Controlled Beta Programs

This is likely something you haven’t thought of using your debug token for. You can use debug tokens to assist with running controlled beta. Recall that debug tokens are tied to an application developer and BlackBerry PlayBook tablet PIN(s). They also expire after 30 days. Put these together and you have the means to create a time bombed release that can only be installed on a BlackBerry PlayBook tablet whose PIN you whitelist. The beta testers would first need to install the debug token you provide and then the unsigned version of your application. Having the debug token tied to their BlackBerry PlayBook tablet PIN makes it difficult for them to share the application with others. You can also supply them with the BlackBerry Tablet OS Graphical Aid so that your users don’t have to install these using the command line.

Wrapping It Up

As you can see there are many uses for your debug token. If you don’t yet have a set of BlackBerry Code Signing Keys to use to create a debug token, head on over to the BlackBerry code signing key registration form and get signed up today. You’ll want to be ready for part 2 of this article where we explain how to configure your debug token to explode when it expires, as captured in the image above*.

*Debug tokens cannot actually be configured to explode.

There are many great things about developing for the BlackBerry platform – including our commitment and support of open source technologies and multiple development languages (Native, HTML5 with BlackBerry® WebWorks™, Adobe® AIR®, Java®). One thing we’ve really invested in over the last year is to respond to developer feedback and requests, in order to enable you to build the way that’s best for you. One of the areas we’ve been focusing on especially is code signing.

What is Code Signing anyway, and why does BlackBerry code sign?

Code signing has been designed to provide security for consumers. They can feel confident that the application they are installing has not been modified after it was signed by the application developer. Code signing is also a means for applications to protect their data.

Code signing has many benefits for both developers and consumers. Developers can distribute an unsigned version of their application along with a debug token to a limited set of beta testers. The debug token helps to ensure that only those beta testers that a developer has issued a token to can run the application. I’ll walk through this process in more detail in a future blog post.

Debug tokens also allow for central key management, allowing for a single code signing key to be used by a team of developers testing an application. Debug tokens can be issued to each developer, allowing them to test builds on their BlackBerry® PlayBook™ tablet. The code signing key can be deployed to a secure build server, protecting it and ensuring that only official builds of the application are signed for public distribution.

BlackBerry® Tablet OS applications each have their own sandboxed private data area that only the application itself can access, which is protected in part by the code signing key. This can prevent a malicious application from impersonating another application. If a malicious application – signed with a different code signing key – were to attempt to masquerade as an upgrade to an existing application the user has installed, it would install it as a new, unique application and it would not have access to the private data area of the original application. This makes it important to back up your code signing key because if you lose it, you’ll be unable to provide upgrades to your application.

Data protection isn’t just limited to BlackBerry Tablet OS applications. BlackBerry® 7 OS (and lower) support similar data access control through the use of a custom code signing key. You can read all about that here.

What We’ve Been Doing over the Last Year

We’ve made a number of improvements to code signing over the last year and we will continue to build on this in 2012. Here is a rundown of what we’ve done so far:

• Made code signing keys easier to obtain by removing the credit card requirement for ordering them
• Reduced the order time for code signing keys from 7-10 days to approximately 1-2 hours so you can start building right away!
• Created Configuration Wizards to walk you through configuring and backing up your keys
• Automated many previously manual steps by integrating Debug Tokens into the SDKs
• Updated the hardware for our code signing servers
• Created the Code Signing Supportsite to walk through the ordering, configuration and signing process

This is by no means the end of the road when it comes to improvements. The golden age of code signing will arrive when you can request keys instantly from the SDKs themselves and have the tools take care of all the dirty work for you. We’re actively re-writing the code signing infrastructure to accommodate this in the future.

The Future Is Secure AND Easy

These are just some of the major benefits that code signing provides. Of course, in any situation, the benefits have to outweigh the effort. We hope to achieve a near zero effort for code signing for both developers and consumers.

Got questions about the code signing process? Let us know in the comments!