February 24, 2014

Avoid BBM

BBM was never slated to be a part of my secure mobile messaging comparison. But the recent release of BBM 2.0 revealed that there are far too many people who still consider it to be secure. This is a mistake. BBM is closed source, it is not suitable for sensitive communication, and it does not deserve to be considered alongside proper encrypted messaging applications.

It has only been about a year and a half since the news first broke that BlackBerry Limited (formerly known as Research In Motion) had reached an agreement to provide India’s government with access to its customers’ communication details. These details would not be accessible if the system were using true end-to-end encryption, and the following quote from the Wall Street Journal demonstrates that for most BBM users this type of encryption is not present (emphasis added):

India’s focus in the talks has been on data routed through RIM’s system for corporate email, BlackBerry Enterprise Server, and its instant messaging service, BlackBerry Messenger, which has high levels of encryption. RIM already has provided the government with solutions to conduct lawful surveillance of emails held by individuals and BlackBerry Messenger. But the company says it can’t decrypt the corporate emails.

Other media outlets have separately confirmed how readily accessible BBM messages are. The Register’s report on BlackBerry’s India agreement contains interesting details on BBM’s role in the London riots of 2011 (emphasis added):

When BlackBerry Messenger (BBM - an instant-messaging service unique to RIM) was implicated in the 2011 riots, the UK police were able to wander along to the UK-based BES server and peruse all the messages and emails exchanged by rioters without breaking any encryption. The Data Protection Act provided all the power they need, with RIPA providing police with similar access to companies running their own BES—though in that case, the biz owners themselves hold the keys, hence the problem with the Indian government’s claims.

If you are using BBM via your company’s BlackBerry Enterprise Server, then you might be OK. But if you are just a regular user who optimistically downloads BBM from the App Store or Google Play you do not fall into this category. “Security” and “encryption” are not mentioned at all in the new BBM feature list, nor are they mentioned in the FAQ. Plain and simple, this is not functionality that BBM provides.

In my opinion, BBM is on about the same level as WhatsApp or Facebook Messenger in terms of security. Don’t let nostalgia cloud your judgement. Choose something better.
