Secure Work Space – Enterprise and Partner Wrapping

HOW-TO / 12.03.14 / shikhir

BlackBerry Secure Work Space (SWS), a containerization solution that is part of BlackBerry Enterprise Service (BES), allows enterprises to manage devices powered by Android and iOS. Secure Work Space apps protect their data by encrypting their app data in transit and at rest. Enterprise apps that leverage Secure Work Space can securely access data behind their companies’ firewall without any additional code for authentication or encryption, by default their local app data automatically becomes encrypted. In order for a new iOS or Android app to leverage Secure Work Space, it must first be wrapped.  Wrapping an app will secure its data and facilitate the management of the app. After an app is wrapped, standard network and system calls are intercepted and replaced with secure calls from SWS libraries.

Figure 1: Internals of the Wrapping Process


The wrapping process is completely automated. The developer does not need to rebuild an app.  During the wrapping process, the iOS or Android app is unpacked, then a unique wrapping layer is injected into the app. This new layer is responsible for secure data transfers, app communications, jailbreak checks, and other security related enhancements. Once this new layer is injected into the binary, the app is repackaged and one binary is produced. Prior to wrapping an app, the developer needs to decide which type of app wrapping he wants to use.

Figure 2: Injected SWS Layer is responsible for secure data transfers, app comms, jailbreak checks & other security enhancements

Types of App Wrapping:

There are two types of app wrapping, Enterprise wrapping and Partner wrapping. Enterprise wrapping is used for updating an enterprise app to leverage SWS so that it can be deployed to the employee’s device by uploading and deploying the app via BES. This is the most commonly used type of wrapping. All apps that are developed inhouse for enterprise employee use should use this process. To wrap an app using Enterprise wrapping, the app is simply uploaded to the BES, then the wrapping process begins automatically. The process to wrap an enterprise app is outlined here. All Enterprise wrapped apps are locked onto the BlackBerry Domain(the SQL database used by BES) of the BES on which they were wrapped. This security feature helps ensure that the app that was deployed in your company’s environment, is not stolen and then deployed in another company’s environment. The entire enterprise wrapping process can be completed in about 5-10 minutes.

Partner wrapping is used for updating a partner app to leverage SWS so that it can be deployed via a public app store such as Google Play or Apple Appstore. This process is commonly used by third party developers so that they can make their productivity apps available to enterprises. It is possible that partner apps may charge a licensing fee. To deploy a partner app, the BES admin has to whitelist the partner wrapped app which is available for download from the public appstore. Once the app is whitelisted, the employee has the option to download the app via the app store and the app will work with the installed instance of SWS on the device. Unlike Enterprise wrapping, partner wrapped apps need to work with many enterprises. As such they are not locked onto any particular BlackBerry domain. As a consequence, if you have a partner app binary, it is possible to push that app to any SWS BES connected device, just like an enterprise app. This may be advantageous because the BES admin can now push out the app directly to the employee’s device. Binaries of partner wrapped apps should only be obtained by the permission of the vendor. A list of partner wrapped apps available in public app stores is available here. Contact your BlackBerry representative if you would like to begin the process of wrapping your third party app for the public appstore. The partner wrapping process usually takes 7-14 days.


Table 1: Explains the difference between Enterprise Wrapped Apps and Partner Wrapped Apps

Signing Wrapped Apps:

After an app has been wrapped, it will need to be signed before it is deployed via BES or put on an app store. For iOS, Apple requires apps which are to be deployed via BES to be signed using iOS Enterprise signing keys. iOS Enterprise signing keys are not the same as the iOS Developer signing keys used to deploy an app on the Apple App Store. Enterprise keys need to be bought separately from Apple and as of this writing sell for $299 and take about a week or two to obtain from Apple. Partner wrapped apps which are deployed using the Apple App Store still need to be signed using the developer signing keys.

Android apps can be signed using the regular Android signing keys and don’t have any unique signing key restrictions.

The process to resign an app is documented here. If you are re-signing an app for iOS, be sure to check out the following script that simplifies the signing process.

About shikhir