Blackberries


Question

Our company has just given us BlackBerries. They are connected to an enterprise server and utilize the Sprint network for data.

My boss asked me if a public website was created, could I restrict access based on the user, ID, phone number or some other form of data held on the blackberries.

What pieces of data can one obtain from a blackberry to assist in validating the device and/or operator?

Thanks!

2 answers to this question

Connect to your server with your BlackBerry and dump the headers: they don't behave differently from any other cellphone.

A web browser shouldn't be in the business of exposing unique information about a person whenever it connects. You can expect some information like browser strings, IP address, and maybe some cookie data but anything personal (like user names, device IDs, the phone number assigned, etc) should not be readily available.

You can identify that a person is on a BlackBerry (or pretending to be on one) but there's not much information beyond that. Anything you can come up with would be flaky and unreliable.

If you want to restrict access to a given set of people: use the standard security options available (like HTTP passwords for IIS and Apache).

The most obvious ways of solving this problem are:

  • Don't use a web browser - it doesn't have the features you're looking for. Write a 1-off piece of blackberry software that interacts with a web service (REST/SOAP) - tightly control who has access to this software. A custom application has much more access to user data than the standard web browser. This application could be a simple wrapper around a webview or something more like the iPhone front-ends to twitter.
  • Use a standard web page and standard security features like HTTP authentication. Just ask the user for a name and password: the server can verify they are who they say they are.

The second choice is much more flexible (i.e. it can work with iPhones / Android / Windows phones and desktop browsers), it's cheaper (because you don't have to re-invent the wheel writing custom software), and more reliable (HTTP authentication has been employed for more than a decade). It'll also be more secure because you stop relying on 'something you have' and start relying on 'something you know'.

It's trivial to tie a web server to the authentication servers used to verify names/passwords used for email, local desktop log in, etc. If you can't do this for one reason or another it's painless to simply create http-only users for all of the popular web servers. For example, google "htpasswd" if you're using Apache.
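As an added illustration of the answer's point (example code, not from the original post): the only device signal a web server receives is the self-reported User-Agent, which any client can send, whereas HTTP Basic credentials can be verified against a hashed credential store. The User-Agent string, the request and the store are constructed here; the store stands in for Apache's htpasswd file.

```python
import base64
import hashlib
import hmac
import secrets

_SALT = secrets.token_bytes(16)
# Constructed credential store (user -> salt, PBKDF2 hash); in Apache this is the htpasswd file.
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 200_000))}

# Constructed User-Agent: it imitates a BlackBerry, but any client can send this string.
UA = "BlackBerry8330/4.3.0 Profile/MIDP-2.0 (constructed sample)"

def request(user=None, password=None) -> str:
    """Build a raw HTTP request, optionally carrying HTTP Basic credentials."""
    head = f"GET /portal HTTP/1.1\r\nHost: portal.example\r\nUser-Agent: {UA}\r\n"
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        head += f"Authorization: Basic {token}\r\n"
    return head + "\r\n"

def parse_headers(raw: str) -> dict:
    """Header name (lowercased) -> value, taken from the raw request text."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def looks_like_blackberry(headers: dict) -> bool:
    """'Something you have': all the server learns from the browser, and it is self-reported."""
    return "blackberry" in headers.get("user-agent", "").lower()

def basic_auth_ok(headers: dict) -> bool:
    """'Something you know': verify Basic credentials against the hashed store."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return False
    if user not in USERS:
        return False
    salt, expected = USERS[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison
```

A request with no credentials still "looks like" a BlackBerry, so the User-Agent alone grants nothing; only a correct name and password pass the second check.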
