
New to the BBM Enterprise SDK? Here are Answers to Some FAQs

Welcome to the BBM Enterprise SDK! Whether you’re a seasoned veteran or have never worked with messaging Software Development Kits, I’ll be answering the most frequently asked questions!

The Security

How are Messages Stored?

The BBME (BlackBerry Messenger Enterprise) Server stores encrypted messages, conversations and threads, and all message content is encrypted and decrypted by the clients only.  Messages on the clients are stored encrypted, and they only leave the clients encrypted. While in transit or stored on the server, they are still encrypted, and the server has no access to the keys or method to decrypt the messages.

Where are Users’ Public and Private Keys Stored?

In our Rich Chat sample, we store the user’s keys on the Firebase console attached to the user’s REG ID and Google Account, which is queried at login, allowing for data decryption.

How does BBME Secure the chat, and how is the data in motion protected?

BBME chats are encrypted by the client and stored encrypted on the BBME infrastructure. Only the metadata on the payloads is visible, so that they can be routed through the BlackBerry Network Operations Center (NOC) to their respective BBME server and designated clients. Note: encrypted payloads are stored in a database which itself is encrypted on the BBME Servers.

The Upshot:

How secure is the BBME SDK? We follow three security principles:

  • Messages are digitally signed, so you’re assured of who sends each message in your app
  • Messages are encrypted, so you’re assured that only the intended recipient can read the message
  • Messages are subjected to integrity signature checks, so you’re assured the message isn’t modified in transit.

If you are interested in the cryptography that powers security in the BBM Enterprise SDK, check out this white paper on it.

The Users

You have users and you have keys –  they both have to be stored somewhere. Appropriately, in our RichChat sample, we use Firebase, so you might ask:

What is Firebase, and do I have to use it?

Firebase is a cloud platform, including database and push notifications, for application development on iOS, Android and Web. You DO NOT have to use Firebase with the BBME SDK. We only use it in our samples for simplicity’s sake.

You can use any identity, storage, and authentication provider of your choice to store contact, key or chat details. The provider just needs to expose a Token Info endpoint for token introspection and a User Info endpoint for user detail capture.

Do I have to use Google as an authenticator?

No, you do not. We only use Google as an authenticator in our Rich Chat samples (iOS / Android) for consistency and simplicity. You can leverage any identity provider you like, such as Facebook, Twitter, GitHub or your own custom internal system (as long as it conforms to the OpenID Connect and OAuth standards).

The Upshot:

Our sample Rich Chat utilizes Firebase with Google as an authentication system. They are used because they have quick setup times for learning purposes. You can use Firebase and Google if you’d like, but you can use any provider that conforms to the OpenID Connect and OAuth standards.

Here’s a helpful reference regarding these identity management platforms and protocols.

Other FAQs

What is a ‘Domain’?

In the case of BBME, the domain is a string that identifies a realm of messaging which you can control. The domain is also the medium through which all your applications (iOS, Android) will communicate securely. You create this domain here.

What are Token Info and User Info Endpoints?

These endpoint URLs point at your authorization server. The Token Info endpoint is used for token introspection, that is, to authorize and verify tokens against their distributor. The User Info endpoint URL can be leveraged to return a payload including user details.

Can I update my Domain?

Yes, you absolutely can! Once a domain is created, you can repurpose and update it to your heart’s content. Go here to do this.

You can always go back and update your domain to add features like Push Notifications, multiple Client ID support and much more. If you are creating it for the first time you may like to leave it bare bones and come back as you get features configured.

What is a ‘RegID’, and how does it work?

A RegID is a unique hash identifier for individually registered users.

No two users share a REG ID. As shown in the Rich Chat samples, when the user logs in with their Google account, it pulls in their relevant data, which includes their decryption keys and REG ID. This REG ID is used to uniquely identify users under your domain when connecting to the BBME Servers.

Can I Set Up Push Notifications through the BBME SDK?

Yes, you can. At the bottom of the domain creation or update form there are both ‘Google Push Type’ and ‘Apple Push Type’ fields.

Why am I Getting the Setup State of ‘Ongoing’ in RichChat?

One of the most common pitfalls when trying to run the RichChat samples is misconfiguring your Google Sign-In information within your domain. If you have configured the RichChat samples and received the ongoing connect status label, you have misconfigured your connection variables.

Here’s an example of me problem solving this on iOS:

  1. I received an ‘ongoing’ status for my Setup State. I also did not receive a RegID, as the field is empty. What can I infer? This is a sign that the BBME servers are not able to authenticate the users with the identity provider you configured. I’ve likely misconfigured my Client IDs, or another field during setup.
  2. I then realized that I had previously changed my domain’s client ID for another application. That means the current client ID that I am trying to establish the connection with does not match the other client ID in my domain. Furthermore, the client ID currently configured with the Domain is not the same as the one I initiated the connection with.
  3. I went to the ‘Update Domain’ form and saw that the client ID field contained a client ID that doesn’t match the one in my GoogleService-Info.plist.
  4. After updating the domain with the correct client ID from the GoogleService-Info.plist, the connection was a success and I was delegated a REG ID.

The Upshot:

  • Look at every place you have a Client ID and double-check that each one is correct.
    • Since there is more Client ID work on Android, it is more than likely that you have misconfigured them.
  • Check the configuration of your Domain, and what Client ID you placed there (to see your domain’s variables, ‘update’ it without changing anything).
  • Check your identity provider to see if valid tokens are being returned before you send them off to BBME Servers for Token and UserInfo authentication.
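
The checks above can be scripted. The following is an added example, not code from the SDK or the RichChat samples: it reads CLIENT_ID from the contents of GoogleService-Info.plist, decodes the claims of the Google ID token, and compares both against the client ID configured in the domain. It assumes the domain's client ID has to appear in the token's `aud` claim, as OpenID Connect requires for the client a token was issued to; the function names, the client IDs and the sample token are constructed placeholders.

```python
import base64
import json
import plistlib
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def jwt_claims(id_token):
    """Return a JWT's claims WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(id_token, plist_bytes, domain_client_id, now=None):
    """List client ID, issuer and expiry mismatches found in the inputs."""
    now = time.time() if now is None else now
    claims = jwt_claims(id_token)
    app_client_id = plistlib.loads(plist_bytes)["CLIENT_ID"]
    problems = []
    if app_client_id != domain_client_id:
        problems.append("plist CLIENT_ID differs from the domain's client ID")
    aud = claims.get("aud")
    if domain_client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token 'aud' does not contain the domain's client ID")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

# Constructed sample data: placeholder client IDs and an unsigned token.
def make_token(claims):
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

SAMPLE_PLIST = plistlib.dumps({"CLIENT_ID": "app-b.apps.example.invalid"})
SAMPLE_TOKEN = make_token({"iss": "https://accounts.google.com",
                           "aud": "app-b.apps.example.invalid", "exp": 2000000000})

if __name__ == "__main__":
    for p in diagnose(SAMPLE_TOKEN, SAMPLE_PLIST, "app-a.apps.example.invalid", now=1700000000):
        print("MISMATCH:", p)
```

This is a local sanity check only: it does not validate the token's signature, so it says nothing about whether the token is authentic.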

With a heightened understanding of the SDK’s jargon and technologies, you can apply your development skills with confidence towards your BBM Enterprise application. Download the SDK here. Happy coding!

Matthew Falkner

About Matthew Falkner

I work in Enterprise Solutions Development at BlackBerry.