Today we finally review BBM Protected and as with Threema and Signal, there are a few issues with it. The main problem we have with BBM Protected is actually getting hold of BBM Protected. I was thinking of writing one of our rant articles about it, but instead I counted slowly to 10 and breathed in and out to stay calm. Well, a big thank you to Dr. A at Privacy Central, because without him we would still be waiting for a response from BlackBerry. For you guys at BB, if you have a product which people actually want, then sell it and don't make it so complicated to acquire. Asking your customers to send emails to you and then not responding might be one reason why others like Apple and Google are ahead of the game. It can't be blamed on the OS!
If you are interested in BBM Protected, either contact Dr. A or myself and we'll hook you up with someone at BB who can actually make things happen.
The next issue is that BBM and BBM Protected also do not publish the source code. In other words the code is not open source, so whatever the guys at BlackBerry tell us, we need to believe.
Now we've got that out of the way, let's take a look at BBM. We need to mention BBM before BBM Protected in order to explain what you will actually receive. BBM is an instant messenger/social network which is pre-installed on every BlackBerry device. It can be downloaded on iOS and Android as well. We tested all three versions and they work flawlessly on all devices. However, we should mention that on iOS you have less power from the channel notifications and group sounds. Android works perfectly, the same way BB10 does.
BBM is free and is a lot of fun! Let's be clear that from all the messengers we have in the race, BBM has the most features. You have a Timeline (Feeds), Channels, Groups and Stickers. It almost feels like Facebook but without the privacy issues. BBM also has a calling feature and thanks to the PIN on each channel and the PIN on your own account, BBM protects your privacy.
Let's explain the PIN first. Every user has a PIN, similar to Threema's QR-ID, so you can scan the code and connect to another person. If you know someone's email address and he has BBM linked to his email, you can also invite him to connect with you using the invite feature on BBM. Unlike with Threema, the other side needs to agree to make the connection. Therefore, regardless if someone knows your PIN or not, he won't be able to connect until you say it is ok. Channels can be open to the public or by invitation only. Each Channel has a PIN which is not linked to the Admin's account. Therefore the Admin is not known by the public. If an administrator comments on one of his posted feeds, he would be shown with the channel's name, not with his private account. On channels, you can enable a chat feature and comments or just post your links and stories.
This brings us to another complaint. The channels do not allow multiple administrators and they are limited to 400 characters per post. It does have more to offer than Twitter in terms of the number of characters, but it comes nowhere close to Facebook and other social networks. However, it's not accessible over the internet (website) and therefore can't be searched on Google and the like. This makes it a little more private when compared to a regular Facebook channel. To be fair, administrators can post articles and upload pictures over a Web UI if they feel inclined to do so. For people who are really concerned about their privacy, BBM would be a perfect replacement for their Facebook account since you can be sure BlackBerry is not meta mining and selling your information to advertisers and government agencies.
This was just a short introduction of what BBM is about, but since we are reviewing BBM Protected today, let's get started with that.
BBM Protected cost $29 per year. All communications receive an extra layer of encryption and participants exchange a PGP like key the first time they connect. This key is not known by BlackBerry and can be exchanged in person, via SMS or email. BBM Protected has also the option to auto approve the key and exchange it over BBM without complicated exchanges of keys. This feature can be enabled in your administration area and is called BBM Protected Plus. This is a great option but for security reasons, I would recommend exchanging the key in person or over another encrypted channel. The key can be a password or a phrase with multiple words. These words will generate the key to be exchanged for the protected chats.
The other side will receive a pop up and enter the phrase or password the first time a connection is made between the protected members. An outstanding feature is that only one participant in the chats needs to have BBM Protected. If you have Protected enabled, all of your contacts and chats will be BBM Protected. This is regardless of whether or not they have BBM Protected themselves. This includes Team Chat where teams can enjoy context-specific, secure BBM collaboration sessions, with a subject assigned to each session. BBM Protected works also with Group Chats in channels.
Participants will see the typing indicator saying "protected" and the typing is blue and not in the standard black color. With the latest update, you can also write priority messages which would ping the other end and be shown in red, indicating high priority.
In addition, BBM Protected offers an IT policy: "Restrict Copy/Paste". IT administrators can now restrict employees from using copy and paste functions within a BBM Chat through the Enterprise Identity by BlackBerry IT Admin Console.
BBM Protected is designed to provide full end-to-end message encryption from the time a BBM Protected user sends a message to when the recipient receives the message. It incorporates three layers of security.
• BBM Protected introduces a new layer of encryption to the existing BBM security model.
• Messages between BBM Protected users are encrypted using a PGP like model. The sender and recipient have unique public/private encryption and signing keys.
• These keys are generated on the device, by the FIPS 140–2 certified cryptographic library, and are controlled by the enterprise.
• Each message uses a new random symmetric key for message encryption.
• A Triple DES 168-bit BBM scrambling key encrypts messages on the sender's smartphone, and is used to authenticate and decrypt messages on the recipient's phone.
• TLS encryption between the smartphone and the BBM infrastructure helps protect BBM messages from eavesdropping or manipulation.
Another excellent feature is time based messages. Set a message to 6 seconds or any amount of seconds/minutes you like and the other side will not be able to continue to read the message after the given time. Also, the message can only be seen during this timeframe by actually holding the message on the screen. A counter indicates time remaining to view the message.
Within your BBM Protected administrator enterprise panel, you can also specify a time in minutes how long your messages stay posted. A 0 would be without time restriction but you could set 5 minutes for example, and the message would expire and be removed from the chat on both devices, whether or not it has been read.
Sent messages and pictures etc., can be retrieved from both ends, and can be removed from the chat. In other words if you make a mistake or wrong send a message, you can edit it or even delete it.
Another noteworthy feature is that a BBM Protected user would be informed if the other end makes a screenshot of your conversation.
Moving further into the world of privacy, let's say you want to have a conversation, and do not want that conversation to touch any cloud. Even if you have exchanged the key, you just feel like having extra security. You can establish a chat by clicking the green indicator on top of the chat, and the chat would establish an end-to-end connection, not touching the cloud. This would be set up with a call like ringing feature, with the other side accepting the call (it actually looks like a phone call) and a chat window would be opened. So all chats are fully end-to-end, and do not touch the cloud. This chat will not allow screen shots and the chat drops as soon one of the two closes the chat. This is by far the best way to chat, without any chance of a man in the middle attack.
BBM protected also has the BBM calling feature, working in the same way as BBM calls are working, but with the additional layer of encryption thanks to your key exchange.
From all of the messengers we have reviewed, BBM has the best and the most features. It compares well with business messengers such as Slack or even social networks like Twitter and Facebook. However, it has additional layers of privacy which disallow BB administrators and employees from spying on your conversations. BBM is a winner when it comes to business orientated team and group chats which link sharing and short blogging. The biggest problem BBM has, is that it carries the BlackBerry name. It seems BlackBerry can only get the word out to BlackBerry users. As we mentioned above, BBM and BBM Protected also work well on iOS and Android. If we explain to anyone to hit us on BBM they say, we don't have a Blackberry or is BlackBerry still around? Yes, Blackberry is still around! Try BBM and you will fall in love with it. But is it the most secure solution when compared with Signal and Threema? With BBM alone, not really. But BBM Protected is pretty much the top end when it comes to secure communications. Tomorrow we will find out which of the three is the best and most secure messenger.
NOTE! BBM discontinued!