views:

468

answers:

2

I have an application which stores data to the persistent store by setting the contents of the PersistentObject as a hashtable, e.g. saving preferences is done by entering strings as the keys and values of the hashtable and then setContents is called on the PersistentObject with the Hashtable passed as the parameter.

I understand that the data is saved unencrypted. If I enable content protection in the IT policy for the device will this implementation of persistent storage automatically start encrypting the data or do I have to change the implementation to use for example the ContentProtectedHashtable for saving the contents?

All the information I have found so far about content protection has been with regards to the BES IT policy and nothing about implementation in the application, which makes me think that the standard implementation (i.e. just commiting a Persistable object to PersistentObject object) is adapted automatically to encrypt the data??

Any ideas?? Thanks.

A: 

I don't think it has something to do with IT policy, it's rather PersistentContent which has encryption/decryption functionality:

This API was designed to allow applications to protect data in a database if the user has enabled Content Protection/Compression in their device's security settings. It consists of two main methods (encode and decode), as well as a number of helper methods.
...
Note that encoding can be performed anytime, whether the device is locked or unlocked. However, an object that was encoded using encryption can only be decoded if the device is unlocked. This can pose a problem if the device locks while an application is performing a potentially long operation during which it requires the ability to decode encrypted data, such as sorting encrypted records. In this case, the application can obtain a ticket. So long as a strong reference to a ticket exists, decoding encrypted data is allowed. Thus, applications should release tickets as soon as possible to allow the device to reach a locked and secure state.

See riccomini - code blackberry persistent store for encryption implementation.

Max Gontar
Thanks for the info. I am not too sure about the info contained in that link though. As far as I am aware using the ControlledAccess class in conjunction with the CodeSigningKey doesn't do encryption, it just locks the PersistentStore so that only application signed with that key can access it.
DaveJohnston
+1  A: 

See the documentation for net.rim.device.api.util.ContentProtectedHashtable for one way to implement content protection.

Also see this document for a more in depth discussion of content protection.

Richard
I have seen the documentation, but what I am trying to find out is, do I just need to replace the Hashtable that I am currently commiting to the PersistentStore with a ContentProtectedHashtable? Will doing this automatically encrypt the data (if the content protection is turned on, or will it always encrypt, regardless of the IT policy setting)??
DaveJohnston
See the document link I've added. The question you're asking though seems to be answered by:Also note that the following two steps must be completed in order to enable content protection: 1. On the BlackBerry device, click Options > Security and set the Password to Enabled. 2. On the BlackBerry device, click Options > Security and set Content Protection to Enabled.If an IT policy forces a password and enables content protection then the content will always be protected, otherwise it would be at the discretion of the user.
Richard
So the content protected Hashtable handles all of the stuff talked about in that document, i.e. encrypting and re-encrypting etc?? So all I would have to do is store my data in the ContentProtectedHashtable (I assume my data has to be persistable), then set the contents of the PersistentObject using the hashtable then commit that to the PersistentStore?
DaveJohnston
Also, do you know if it is possible to read the raw data from the persistent store, so that I can check that the data is actually being encrypted?
DaveJohnston
Not that I know of. You seem to be swimming upstream. You may have very valid reasons for pursuing the course you are, but running with content protection on, or off is a decision made by the BES admin (if any) and the user. If you want to control the encryption yourself to that degree then you may have to develop your own encryption system in the manner of the Password Keeper. That, of course, comes with its own can of worms.
Richard
Oh, and for your first comment in this bunch. Yes you seem to have the gist of it.
Richard
I'm writing an application that must conform to certain security standards. Part of the standard is that content protection must be enabled on the BES. The implementation I inherited was a Hashtable wrapped in a Store class that is used throughout the application. Whenever something is added to the hashtable it is also commited to the persistent store. I am thinking I should be able to just replace it with a ContentProtectedHashtable and it will be fine. But since I can't see the data I can't verify that it is being encrypted, so I just need to be sure that what I am doing is correct.
DaveJohnston
I can't offer any magic bromide. I suppose you either trust the API is performing per the documentation, or you roll your own security layer.
Richard
It is not a case of trusting that the API is performing as per the documentation, but trusting that I have interpreted the documentation correctly and implemented the functionality correctly.
DaveJohnston