BlackBerry Programming Is Now Live

BlackBerry Programming is a new site I’m developing devoted to the ins and outs of BlackBerry programming. Unlike this blog, it’s strictly an essay-based site — no comments, no spam. I created it because I wanted to be able to present information in a specific order and it seemed best to get away from a blog for that (yes, yes, I know I could do that with a blog if I really wanted to…)

Please check it out. You can subscribe to an update notification list or the RSS feed to be notified when I publish new essays on that site.


AvantGo for BlackBerry

Two days ago, at RIM’s Wireless Enterprise Symposium, Sybase 365 released a BlackBerry client for its free AvantGo mobile content service. Read Sybase 365 Launches AvantGo for BlackBerry for the official announcement.

As the lead developer for this project, I’m very happy to see the first version of the client move out of beta and into widespread circulation. Here’s how to get started with AvantGo for BlackBerry.

Device Requirements

AvantGo for BlackBerry works on all BlackBerry devices running version 3.8 or higher of the operating system software, including the latest devices like the Pearl (shown here) and the 8800.

The client requires network connectivity, which is normally achieved in one of two ways:

  • Enterprise devices: If your device is paired to a BlackBerry Enterprise Server (BES), AvantGo for BlackBerry uses the BES’ MDS service for connectivity. (Note that some companies disable MDS or place restrictions on the sites that can be accessed via MDS.)
  • Consumer devices: AvantGo for BlackBerry accesses the network using the BlackBerry Internet Service (BIS). Almost all carriers support this service.

The two scenarios above are proxied solutions that cover most of the devices in use today. On a very few networks (i.e. Nextel) it is also possible to make direct connections that bypass BES and/or BIS.

The AvantGo for BlackBerry client supports all three connection types (BES, BIS and direct) and will automatically detect and select the correct setting for your device.

Installing AvantGo for BlackBerry

Getting started with AvantGo is very easy and can be done directly from your BlackBerry. Open the browser on your device and go to http://www.avantgo.com:

Click the Sign Up button on the resulting page:

Fill out the information on the sign up form. You’ll need to provide an email address (the email address of your BlackBerry is the best choice here), a password, and some basic demographic information. (The latter is used to recommend content channels.) The form doesn’t take very long to fill out:

Your userid is the email address you specified during the sign up process, so make a note of it and the password you chose. You should see a confirmation screen like so:

Click the Download AvantGo button to download and install AvantGo for BlackBerry. The device will ask you to confirm the download first:

You’ll see the progress of the download:

When the download finishes, press the Run button:

The browser will close and AvantGo for BlackBerry will start.

Running AvantGo For The First Time

The first time AvantGo for BlackBerry runs it will ask you to enter a userid and password. Enter the email address and password you used during the registration process and press OK:

AvantGo for BlackBerry will now fetch your initial set of content from the AvantGo servers. This process is called a synchronization. The initial fetch will take some time, but subsequent syncs will be much shorter because only changed content gets downloaded.

First, however, the client determines what kind of network connection it can make:

Then the default set of content channels get downloaded:

When the initial sync is done, you’ll see the AvantGo home page:

The Default Channels

Your AvantGo account initially contains these content channels if you sign up with a US address:

  • AccuWeather (weather forecasts)
  • CNet News.com (tech news)
  • New York Times (general news)
  • Reuters - US Edition (general news)
  • The Sporting News (sports news)

Yeah, we’re a bit heavy on the news. Let’s see what a channel looks like. Move to the Reuters link and either press the return key or select Get Link from the menu. You’ll see a page that looks like this:

You get the top news items automatically, but you can also customize your Reuters channel according to your own tastes and interests:

Customization is everywhere, in fact. The first time you enter the AccuWeather channel you’ll be prompted for a zip code. Here I’ll enter the only US zip code a Canadian knows:

When I submit the form, AvantGo for BlackBerry automatically goes online to fetch the updated data, which in this case is the current forecast for Beverly Hills:

This just scratches the surface of what’s available in terms of content. AvantGo supports hundreds of different content channels.

Content is Updated Automatically!

The best thing about AvantGo for BlackBerry is that you don’t need to do anything to get fresh content — it’s updated automatically in the background. The default is to sync the data every 12 hours, but you can change that quite easily from the options menu to one of several different scheduling options.

If you have a BlackBerry, please give AvantGo for BlackBerry a try. It’s a great application for your device!


Never Send an Engineer to a Marketing Meeting!

I always thought there was something fishy about the name “SureType”…

Marketers-Engineers-1

(Relax, folks, it’s a joke!)


BlackBerry Programming Tip: Limit COD File Sizes to 64K or Less

RIM will tell you that a COD file can be up to 128K in size. Or, more precisely, contain up to 64K of executable code and 64K of data. Experience tells me otherwise, however, at least for applications that are installed using over-the-air (OTA) download.

If you’re creating an OTA application, make sure that each module in your application does not exceed 64K (65535 bytes) in size. If you don’t, the application may misbehave on certain models. The symptom is that a JVM error occurs when the application runs, requiring the user to reboot the device. Rebooting a device is never acceptable, and certainly not something you’d expect from a Java application.

So if your BlackBerry application is mysteriously crashing the Java VM on certain device models, look carefully at the size of the COD files. If any of them are greater than 64K, move code and data into other modules (create new ones if necessary) until all the modules are less than 64K. The crashes will probably disappear.


BlackBerry Programming 101: New Article on EZineArticles

I’ve published a new article titled BlackBerry Programming 101: How to Get Started With BlackBerry Software Development on the EzineArticles site. Just a basic description of what you need to learn (Java, J2ME, BlackBerry) in order to develop your own BlackBerry software applications.

Note that EZineArticle policies prevented me from placing too many links in the article, which meant I could only link to the first of the following articles and not to the entire series of articles:

As mentioned in the article, it’s a good idea to get a firm understanding of what Java ME (formerly J2ME) is all about as it ultimately determines what you can and can’t do on the BlackBerry, even if you’re using the BlackBerry-specific API extensions that RIM provides.

A more detailed introduction to BlackBerry programming was found on the MobilizedSoftware.com site, but that site no longer exists. I may try to resurrect the article or (more likely) rewrite it entirely.


No AppleBerry? No surprise here…

So apparently a lot of people were disappointed to discover that Apple and Research in Motion were not cooperating together to build a device that merged the capabilities of an iPod with those of a BlackBerry (presumably a variation of the BlackBerry Pearl) to create the so-called “AppleBerry”. (Or maybe “CrackPod” would be a better name.)

It’s no surprise to me, though. Both companies are run by micro-managing co-founder billionaires, which probably makes any co-operation more difficult to achieve. (Not impossible, but difficult.) And while RIM is pushing into the consumer space with the Pearl and other planned devices, the enterprise/corporate market is still their bread and butter — they just don’t have the same experience with consumers that Apple does.

Apple’s new iPhone is certainly a worthy challenger to the Pearl in many ways. The fact that they’ve been able to combine Bluetooth and Wi-Fi capabilities into a phone, something that BlackBerry users have wanted for a while now, is surely galling to RIM. As is the deal to do push mail with Yahoo!. Not to mention all the free press and publicity they’re getting from the launch.

RIM has some new devices in the pipeline, so it’ll be interesting to see what kind of counter-attack they’re able to launch. Right now the iPhone pricepoint is its biggest disadvantage, but that won’t last for long.

Unfortunately for developers, though, the iPhone is (yet again) a closed platform. That’s one area where the BlackBerry still shines in comparison. But with support for Google Widgets and possibly some other Apple-sanctioned applet-type mechanisms, will consumers care?


BlackBerry Code Signing Tips

So you’ve written the perfect BlackBerry application. It runs great in the device simulator and now you want to run it on a real device. You install it, but it won’t run — because you’re using controlled APIs. That’s right, a lot of the interesting APIs on the BlackBerry — for example, the persistent store — are protected by a security layer. To get past that layer you have to sign your application using certificates provided by RIM. Here’s a quick guide to the realities of BlackBerry code signing.

Applying for Code Signing Privileges

RIM is very security conscious, which is why developers must apply for code signing privileges. You do this by filling out this form. Note that there’s a US$100 charge for each application. You may need to apply more than once — see the gotchas below for the reason.

Once you’ve submitted the application, RIM will do some investigation to assure themselves that you’re a legitimate developer. If you’re approved, you’ll receive the code signing certificates within 4 or 5 business days.

ISV Alliance partners can have the application fees waived; mail your ISV technical contact for the details. The turnaround time for ISV partners is quicker since RIM has already established a relationship with your company.

Code Signing Gotchas

Here are some interesting facts about code signing that won’t necessarily be obvious until you go through the process:

  • There are three sets of controlled APIs, each of which requires its own certificate. RIM will therefore deliver you a certificate set. You must install all three certificates in the set in order to get full coverage of the controlled APIs.
  • Each certificate set is per developer — or, more precisely, per machine. Either you’ll need certificates for each developer and each build machine or you’ll use one machine (the build machine) as a central signing machine that all developers use.
  • Code signing requires an active Internet connection back to RIM’s certificate servers. No connection, no signing. If RIM’s servers are offline, you’ll also be stuck.
  • Whenever code is signed with a certificate, the person who applied for the certificate set gets email from RIM’s servers with the status of the signature request and how many signings remain on the certificate. If you use the same email account and you’ve got a lot of developers doing code signing, the email account will get flooded with emails.

In other words, it’s not a good idea to apply using your CEO’s email address…

No Automated Code Signing!

Here’s the one that really annoys me the most, though:

  • Code signing cannot be automated. The code signing tool pops up a dialog that prompts you for a secret key in order to access the necessary certificates. There’s no way to pass the key in from the command line. So if you automate your builds using Ant or makefiles, you’ll need to use some kind of tool that looks for the dialog and simulates the user entering the key via the keyboard.

I don’t know why they’re so hard-headed about this. When I’ve complained, the answer’s been that they do this for security, and that there’s no need to sign the code until you’re ready to deploy, at which point a developer can sit there and manually enter the signing key to prepare the final version. They think this is good enough because the application can run in the device simulator without being signed.

But those of us who use automated build processes with nightly builds and regression testing don’t want a separate manual signing step — the point is to automate everything and to test the actual version of the software that will be deployed. After all, the size of the .cod files changes because of the signing, and that can affect other things like the .jad files used for over-the-air (OTA) deployment (which, unfortunately, don’t get updated automatically by the signing tool, so you have to create your own tool/process to re-build the .jad files after the code signing is done).
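One way to do the post-signing .jad rebuild described above, which also flags any module over the 64K OTA limit from the COD size tip (an added example, not RIM's tooling or code from this blog). It assumes the .jad lists modules as RIM-COD-URL, RIM-COD-Size and RIM-COD-SHA1 attributes, with -1, -2, ... suffixes for sibling modules and the digest written as space-separated hex bytes; the file names and contents below are constructed.

```python
import hashlib
import os
import posixpath
import tempfile

COD_LIMIT = 65535  # per-module OTA ceiling, using the byte figure given in the COD size tip


def _suffix(key):
    """'RIM-COD-URL-2' -> '-2'; 'RIM-COD-URL' -> '' (assumed: first module has no suffix)."""
    tail = key.rsplit("-", 1)[-1]
    return "-" + tail if tail.isdigit() else ""


def refresh_jad(jad_text, cod_dir):
    """Recompute size and SHA-1 for every COD the JAD names.

    Returns (new_jad_text, oversized_cod_names). Run it after signing, because
    signing changes the .cod bytes and leaves the old values stale.
    """
    lines = jad_text.splitlines()
    cods = {}
    for line in lines:
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key.startswith("RIM-COD-URL"):
            # basename() keeps a crafted "../" in the descriptor from escaping cod_dir
            cods[_suffix(key)] = posixpath.basename(value.strip())

    fresh, oversized = {}, []
    for suffix, name in cods.items():
        with open(os.path.join(cod_dir, name), "rb") as fh:
            data = fh.read()
        digest = hashlib.sha1(data).hexdigest()
        fresh["RIM-COD-Size" + suffix] = str(len(data))
        fresh["RIM-COD-SHA1" + suffix] = " ".join(
            digest[i:i + 2] for i in range(0, len(digest), 2))
        if len(data) > COD_LIMIT:
            oversized.append(name)

    out, seen = [], set()
    for line in lines:
        key = line.partition(":")[0].strip()
        if key in fresh:
            out.append(f"{key}: {fresh[key]}")
            seen.add(key)
        else:
            out.append(line)
    # Attributes missing from the stale descriptor are appended, not silently skipped.
    out += [f"{k}: {v}" for k, v in fresh.items() if k not in seen]
    return "\n".join(out) + "\n", sorted(oversized)


def demo():
    """Constructed input: two stand-in 'signed' CODs and a stale descriptor."""
    with tempfile.TemporaryDirectory() as d:
        blobs = {"app.cod": b"A" * 1000, "app-1.cod": b"B" * (COD_LIMIT + 1)}
        for name, data in blobs.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        stale = ("MIDlet-Name: app\n"
                 "RIM-COD-URL: app.cod\nRIM-COD-Size: 900\nRIM-COD-SHA1: 00\n"
                 "RIM-COD-URL-1: app-1.cod\nRIM-COD-Size-1: 10\n")
        return refresh_jad(stale, d)


if __name__ == "__main__":
    text, too_big = demo()
    print(text)
    print("over the OTA limit:", too_big)
```

In a nightly build, treat a non-empty second return value as a build failure so an oversized module never reaches an OTA download.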

If more people can complain to RIM about this, perhaps they’ll change their minds about this “security feature”.


Breaching the Perimeter: Understanding (and avoiding) the BlackBerry security vulnerability

Security consultant Jesse D’Aguanno caused quite a stir recently when he revealed a way to attack a company’s internal network by installing an application on an employee’s BlackBerry. This vulnerability might have been new to the press, but it’s old news to anyone who’s ever installed a BlackBerry Enterprise Server (BES). However, it’s certainly true that RIM downplays the risk. Here’s what you need to know to understand and protect yourself from this security vulnerability.

The BES Connection

A BlackBerry’s access to corporate email and calendaring functions is proxied via a BES, as shown here:

Diagram still to come!

The BES connects directly to the mail server (Microsoft Exchange, Lotus Notes, Novell Groupwise) to gain access to the user’s mailbox, calendar, and related data stores. The BES also connects to RIM’s network operations center (NOC) via an outgoing (client-initiated) socket connection on port 3101. Once the connection is established and the identity of the BES is authenticated (a unique authentication key is delivered with every BES) the connection then serves as a two-way tunnel for communication between the NOC and the BES. Since each carrier also connects to the NOC, this enables the NOC to relay data from the BlackBerry to the BES and vice-versa.

In order to secure the communication between the BlackBerry and the BES, the BlackBerry must be “paired” to the BES. The pairing — currently a device can only be paired to one BES at a time — generates a unique encryption key that only the device and the BES share. All communication between the device and the BES is encrypted using this key — even RIM can’t decrypt it. This end-to-end security is one of the BlackBerry’s big selling points.

Locating the BES

Because the BES requires administrative access to the mail server, the natural configuration for locating the BES is on the same network as the mail server. Assuming the existence of a DMZ (demilitarized zone), a typical BES configuration actually looks like this:

Diagram still to come!

Notice that the BES is not in the DMZ, but is rather on the corporate intranet, just like the mail server. For the longest time this was the only recommended (and supported) deployment scenario. Moving the BES into the DMZ was certainly possible, and many companies did this as a matter of course, but it required special configuration of the inner firewall to allow the necessary protocols to pass back and forth between the BES and the mail server.

Placing the BES on the intranet is by itself not a huge security risk if it’s only email that’s involved. (Though there are some issues related to malicious users changing devices to get access to another user’s mail.) Where things get tricky is when the MDS service is enabled.

Enabling Browsing

MDS is an optional component that acts as a Web proxy server for the BlackBerry devices paired to the BES. With MDS enabled, users can browse the Web regardless of what network or carrier is being used. Page requests get sent to MDS via the BES; MDS fetches the actual page and delivers it to the device for rendering. In the simplest configuration the MDS proxy is also on the intranet and therefore has access to internal servers as well as (by going out through the firewalls) the Internet:

Diagram still to come!

And this is where the security breach occurs: while unfettered access to the intranet is useful to employees, it also circumvents the perimeter security infrastructure that protects internal servers from attack by outside entities. In effect, a BlackBerry device in such a configuration becomes a direct hole into the corporate intranet. This is the problem that D’Aguanno highlighted: in these situations, untrusted third-party applications running on a BlackBerry can run amok accessing internal servers with impunity. And it’s not just limited to HTTP access: MDS also acts as a proxy for socket connections. No wonder the security guys were having a field day with it.

Multiple Solutions

As I said before, this security problem doesn’t have to be a problem. There are several ways to plug this security hole:

  • Turn off MDS. Probably the simplest solution, but it may prevent your users from browsing the Web if the carrier they’re using doesn’t support direct Internet access and does not use RIM’s hosted BIS solution for browsing.
  • Use a proxy server. MDS can be configured to use a proxy server for Web access. By configuring the proxy server appropriately you can restrict what sites users can browse to.
  • Put everything in the DMZ. Configure the firewalls to let the BES talk to the mail server. Users can’t browse the intranet but they can still browse the Internet.
  • Use a segmented network approach. Instead of placing everything in the DMZ, use internal routers and firewalls to isolate the different parts of the BES architecture. RIM has a whitepaper on how to do this.

Of course, judicious use of the BlackBerry IT policies can also go a long way to plugging potential security breaches. See RIM’s malware whitepaper for more info on the relevant policies.
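To check a firewall design against the placement options above, the following audit (an added example, not RIM's or this blog's code) evaluates a first-match rule list and reports where MDS still reaches the intranet or the BES accepts inbound connections. The zone labels, both rule sets and the web port 80 are constructed assumptions; only port 3101 comes from the article.

```python
from dataclasses import dataclass

NOC_PORT = 3101  # outbound BES -> NOC port named in the article


@dataclass(frozen=True)
class Rule:
    src: str      # hypothetical zone labels: bes, mds, mail, intranet, noc, internet, any
    dst: str      # "mail" is modeled as its own label, separate from "intranet"
    port: object  # an int, or "any"
    action: str   # "allow" or "deny"


def first_match(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return r.action
    return "deny"


def allowed_ports(rules, src, dst):
    """Ports src can reach on dst; "other" stands for every port no rule names."""
    named = {r.port for r in rules if r.port != "any"}
    ok = {p for p in named if first_match(rules, src, dst, p) == "allow"}
    if first_match(rules, src, dst, "other") == "allow":
        ok.add("other")
    return ok


def audit(rules):
    findings = []
    if first_match(rules, "bes", "noc", NOC_PORT) != "allow":
        findings.append("BES-NOC: BES cannot open its outbound tunnel on port 3101")
    if allowed_ports(rules, "noc", "bes") or allowed_ports(rules, "internet", "bes"):
        # The tunnel is client-initiated, so nothing outside needs to connect in.
        findings.append("BES-INBOUND: outside hosts can open connections to the BES")
    if not allowed_ports(rules, "bes", "mail"):
        findings.append("BES-MAIL: BES cannot reach the mail server")
    exposed = allowed_ports(rules, "mds", "intranet")
    if exposed:
        # MDS proxies sockets as well as HTTP, so every open port counts.
        findings.append("MDS-INTRANET: device traffic proxied by MDS reaches "
                        "intranet ports " + ", ".join(sorted(map(str, exposed))))
    if not allowed_ports(rules, "mds", "internet"):
        findings.append("MDS-WEB: MDS cannot reach the Internet, so browsing breaks")
    return findings


# Constructed rule set for the simplest layout: MDS on the intranet, unfiltered.
FLAT = [
    Rule("bes", "noc", NOC_PORT, "allow"),
    Rule("bes", "mail", "any", "allow"),
    Rule("mds", "any", "any", "allow"),
]

# Constructed rule set for the DMZ or segmented layout: MDS may browse out only.
SEGMENTED = [
    Rule("bes", "noc", NOC_PORT, "allow"),
    Rule("bes", "mail", "any", "allow"),
    Rule("mds", "intranet", "any", "deny"),
    Rule("mds", "internet", 80, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, audit(rules) or "no findings")
```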

Conclusion

So there you have it. I’ve simplified the BES architecture somewhat for this discussion so as to not bog you down with too many details. The security documents that RIM publishes are very verbose, on the other hand, with most of the details of what you need to know to implement a good security solution. Note that versions 4.0 and higher of the BES software split the BES functionality into different components, some of which can be installed separately from each other, and so of course this complicates the final network architecture.

Mostly I just wanted to make sure that you understood the basics. You should read all the relevant RIM security documents to get all the details — a good place to start is with the BlackBerry Security Overview section of the BlackBerry website.


The BlackBerry Pearl smartphone: Finally, a “pearl” I can relate to!

Today marks the release of the BlackBerry Pearl 8100 smartphone, the device pictured to the left. If you haven’t heard about this device yet, now would be a good time to read the press release announcing the BlackBerry Pearl. The Pearl is initially available on T-Mobile in the United States (starting today) and on Rogers in Canada (in October).

This new device is particularly significant to the BlackBerry developer because it’s Research In Motion’s first real attempt at cracking the consumer market. I’ve been able to play with it for the past month in preparation for the launch of the AvantGo for the BlackBerry beta — more on that in a later post — and now that the device has been released I can share some of my thoughts about it. (By the way, if you’re reading this and the CTIA show is still on, go to the iAnywhere/Sybase booth and ask to see AvantGo running on the Pearl.)

It’s a phone, not a wireless handheld

Up until now, RIM has always referred to its devices as wireless handhelds, except of course the earliest models which were referred to as interactive pagers. But the Pearl is labeled a smartphone. Here “smartphone” is used in the generic sense, not as a reference to the Microsoft Smartphone platform — application programming for the Pearl is still done in Java, just like the other BlackBerry platforms.

Unlike the previous BlackBerry models — even the 7100 series — the Pearl really looks and feels like a mobile phone. The keypad is similar to the 7100 and supports RIM’s SureType predictive typing system. The screen is gorgeous. The device is light. And, good grief, it includes a camera! (Longtime BlackBerry aficionados will remember how Mike Lazaridis once said that there’d never be a camera in a BlackBerry: “We will not offer such a device. Not that we could not do that. But because such a feature is a security risk for corporate and government environments.” But don’t expect the camera to show up on the traditional BlackBerry models.)

There’s no trackwheel!

And yet, the inclusion of a camera isn’t the biggest change from an application development viewpoint. Current BlackBerry users will be surprised to discover that the trackwheel on the side of the device — a signature feature since the early days of the Inter@ctive Pager — has been replaced with a trackball on the front of the device, right under the screen. It’s a bit disconcerting at first if you’re an experienced BlackBerry user, especially when you try to hit the key on the side of the device and end up taking pictures because the escape key is now on the front of the device:

The trackball makes navigation simpler for the user since it operates in two dimensions versus the trackwheel’s single dimension. To move left or right on the classic BlackBerry you had to hold the ALT key while scrolling; now you can just move the trackball in the right direction.

But wait, you say, will my existing applications work with the trackball? Yes, but the navigation may be awkward, because the ALT+up and ALT+down semantics will still be needed to move left and right in most cases. You need to adapt your code a bit to use the new APIs that RIM provides for transparently handling trackwheel and trackball input.

Latest OS is now version 4.2

The Pearl ships with version 4.2.0 of the BlackBerry operating system and includes a bunch of new APIs. Some are from Java ME JSRs (Java Specification Requests, community-developed Java standards) and some are obviously specific to the BlackBerry. And a bunch of bug fixes. You can read the JDE 4.2 release notes for more details. And be sure to download the JDE version 4.2 if you plan on doing any Pearl development.

The developer documentation — which has always been the weakest link — has been completely revised for the 4.2 release. I haven’t had enough time to look at it very closely yet, though, so I can’t comment on whether or not it’s a real improvement.

It has a filesystem!

The BlackBerry Pearl has a microSD slot on it, which is accessed through the standard JSR-75 FileConnection API. Until now all that was available was the BlackBerry persistent object store. Now applications can store and access files in the usual way.

You won’t find the microSD slot on the outside of the device, however. You have to pry off the battery cover and take out the battery to expose the slot. No plug-and-play here: you’ll be resetting your device every time you change the microSD card.

But it’s still a BlackBerry

Despite the obvious consumer focus of this device — it’s meant to be used with the BlackBerry Internet Service (BIS) — it’s still a “real” BlackBerry. That means you can pair the device with your BlackBerry Enterprise Server (BES) and access your corporate email, surf the intranet, etc. As usual, IT policies are available to control all aspects of the device.

Should you buy one?

The Pearl is definitely a sexy device. If you’re a 7100 lover, it’s probably a no-brainer to upgrade. If you like the full QWERTY keyboard of the other devices, though, spend some time playing with the Pearl and using the SureType system. Personally, I prefer the full keyboard, probably because I’m a touch-typist and so I don’t really have to hunt for the keys. Also, I find selecting the SureType alternate phrases more difficult/awkward with the trackball than with the trackwheel.

Still, if you’re a developer who wants to sell outside the corporate market you’ll need to get your hands on one of these for testing, even if you don’t use it yourself. I’ll have more to say about the Pearl in later posts.
