RIM reveals security issue with BlackBerry browser

Maybe you’ve seen it on your desktop browser before. You click a link to a website and instead of loading the page your web browser calls up a dialog box. There’s a problem with the certificate: your browser is trying to open a certain domain, but the server’s certificate indicates a different domain name. On your normal browser you can see if the discrepancy, and if you’re not satisfied you can cancel the connection. There’s a chance that there’s a phishing scam behind that wall. Al Sacco explains. A software update is on the way, but until then it’s recommended that anyone who sees a security certificate dialog box selects Close Connection, even if it looks perfectly safe. The image to the right shows a sample security certificate error dialog. Notice that the domain the browser is attempting to open matches the domain on the security certificate. That looks fine, and most people would choose to continue. The problem is that the BlackBerry browser doesn’t show any possible null characters, so while the domain names might appear the same, they might not actually be. Your carrier should have a software update out sometime this week. Make sure you’re running the following OS version in order to have the most secure version:

• BlackBerry Device Software v4.5.0.x to v4.5.0.173 or later
• BlackBerry Device Software v4.6.0.x to v4.6.0.303 or later
• BlackBerry Device Software v4.6.1.x to v4.6.1.309 or later
• BlackBerry Device Software v4.7.0.x to v4.7.0.179 or later
• BlackBerry Device Software v4.7.1.x to v4.7.1.57 or later

Again, check your carrier’s page for the latest OS update. As Sacco notes, it is not yet available for some carriers, so be sure to check back frequently. I’ll agree with Ronen of BerryReview that the carrier approval system of OS patches might not be the best mode of distribution. This goes especially for security breaches. RIM needs to find a way to get these out to users quickly and simply. In any case, here are the links to some carriers’ software update pages:

• Verizon
• AT&T
• T-Mobile
• Sprint Nextel
• Alltel
• Rogers
• Bell
• Telus

You can find any others by Googling “[carrier name] blackberry software”. Again, until you have an OS version listed above (or higher), be careful when clicking links, and especially when you see a security certificate dialog.

About the Author

Joe Pawlikowski is the Senior Editor at MobileMoo.com and has been covering the mobile industry full time since 2007. When he's not writing about the tech scene, he can be found discussing his personal love - baseball (and more specifically the New York Yankees) as well as writing on his personal blog.