Title

BlackBerry 10 OS must enable a system administrator to (i) select which data fields will be available to applications outside of the contact database application and (ii) limit the number of contact database fields accessible outside of a work persona in the case of dual persona phones. (Cat III impact)

Discussion

The contact database often contains a significant amount of information beyond each person's name and phone number. The records may contain addresses and other identifying or sensitive information that should not be revealed. There may be cases in which an organization has determined it is an acceptable risk to distribute parts of a person's contact record but not others. Enabling the system administrator to select which fields are available outside the contact database application (or to applications outside the work persona in the case of a dual persona device) assists with management of the risk.

Check Content

On BlackBerry Device Service: Ensure the IT Policy rule "Personal Apps Access to Work Contacts" is set to "Only BlackBerry Apps". Otherwise, this is a finding.

Fix Text

On BlackBerry Device Service, set the IT Policy rule "Personal Apps Access to Work Contacts" to "Only BlackBerry Apps". NOTE: This fix procedure affects both Personal and Work Spaces.

Additional Identifiers

Rule ID:

Vulnerability ID: V-47229

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.