How the BlackBerry Tablet OS Uses Sandboxing to Protect Application Data; How the BlackBerry Tablet OS Manages the Resources on the Tablet; How the Tablet Manages Permissions for Applications - BlackBerry PlayBook Security Technical Overview

Security Technical Overview
How the BlackBerry Tablet OS uses sandboxing to protect application data

The BlackBerry Tablet OS uses a security mechanism called sandboxing to separate and restrict the capabilities and permissions of applications that run on the BlackBerry PlayBook tablet. Each application process runs in its own sandbox, which is a virtual container that consists of the memory and the part of the file system that the application process has access to at a specific time.

The BlackBerry Tablet OS evaluates the requests that an application's process makes for memory outside of its sandbox. If a process tries to access memory outside of its sandbox without approval from the BlackBerry Tablet OS, the BlackBerry Tablet OS is designed to end the process, reclaim all of the memory that the process is using, and restart the process without negatively affecting other processes.

When the BlackBerry Tablet OS is installed, it assigns a unique group ID to each application. Two applications cannot share the same group ID, and the BlackBerry Tablet OS does not reuse group IDs after applications are removed. An application's group ID remains the same when the application is upgraded.

By default, each application stores its private data in its own data directory. The BlackBerry Tablet OS prevents applications from accessing file system locations that are not associated with the application's group ID.

An application can also store and access data in a shared directory, which is a data directory that is available to any application that has access to it. When an application that wants to store or access files in the shared directory starts for the first time, the application prompts the user to grant access.
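The following Python model is an added example, not BlackBerry's own code, that makes the sandbox rules above concrete: group IDs are unique, never reused after removal and unchanged on upgrade; an app's private data directory is tied to its group ID; and the shared directory is reachable only after the user has been asked once, at first start. The directory layout under /accounts/1000, the starting group ID, and the method names are assumptions made for the demo.

```python
"""Illustrative model of the sandbox rules described above.

Added example code, not the BlackBerry Tablet OS implementation. The
directory layout under /accounts/1000 and the starting group ID are
assumptions made for the demo.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class App:
    name: str
    gid: int
    version: int = 1
    # None: the user has not been asked yet; True/False: the recorded answer.
    shared_access: Optional[bool] = None


class SandboxOS:
    SHARED_DIR = "/accounts/1000/shared"      # assumed path
    APPDATA_ROOT = "/accounts/1000/appdata"   # assumed path

    def __init__(self) -> None:
        self._next_gid = 1000                 # assumed starting value
        self._apps: Dict[str, App] = {}
        self._retired: Set[int] = set()

    def install(self, name: str) -> int:
        """Assign a fresh group ID. IDs are never reused, even after removal."""
        if name in self._apps:
            raise ValueError(f"{name} is already installed; use upgrade()")
        gid = self._next_gid
        self._next_gid += 1
        assert gid not in self._retired  # the monotonic counter guarantees this
        self._apps[name] = App(name, gid)
        return gid

    def upgrade(self, name: str) -> int:
        """An upgrade keeps the group ID, so the app keeps its private data."""
        app = self._apps[name]
        app.version += 1
        return app.gid

    def remove(self, name: str) -> None:
        """Removing an app retires its group ID rather than freeing it."""
        self._retired.add(self._apps.pop(name).gid)

    def data_dir(self, name: str) -> str:
        """The private data directory is tied to the group ID, not the name."""
        return posixpath.join(self.APPDATA_ROOT, str(self._apps[name].gid))

    def start(self, name: str, wants_shared: bool, user_allows: bool) -> None:
        """First start of an app that wants the shared directory prompts the
        user (modelled here by `user_allows`); the answer is recorded once."""
        app = self._apps[name]
        if wants_shared and app.shared_access is None:
            app.shared_access = user_allows

    def can_access(self, name: str, path: str) -> bool:
        """Decide whether the named app's process may touch `path`."""
        app = self._apps[name]
        # Normalise first so "../" segments cannot escape the sandbox.
        norm = posixpath.normpath(path)
        own = self.data_dir(name)
        if norm == own or norm.startswith(own + "/"):
            return True
        if norm == self.SHARED_DIR or norm.startswith(self.SHARED_DIR + "/"):
            return app.shared_access is True
        return False  # not associated with this app's group ID: denied
```

The path check normalises before comparing prefixes; a model that compared the raw string would let a path containing `..` pass the prefix test while resolving to another app's directory, which is exactly the kind of gap the group-ID rule is meant to close.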
How the BlackBerry Tablet OS manages the resources on the tablet

The BlackBerry Tablet OS is designed to manage the BlackBerry PlayBook tablet resources so that an application cannot take resources from another application. The BlackBerry Tablet OS uses adaptive partitioning to reallocate unused resources to applications during typical operating conditions and enhance the availability of the resources to specific applications during peak operating conditions.
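As an added example (not the QNX or BlackBerry scheduler), the following Python function shows the two properties the paragraph describes with a simplified budget model: each partition always receives at least the smaller of its guaranteed budget and its current demand, so no partition can take another's share under peak load, and any share left idle is redistributed to partitions that want more. The partition names, budgets and the proportional redistribution rule are assumptions for the demo.

```python
"""Illustrative model of adaptive partitioning budgets.

Added example, not the QNX/BlackBerry scheduler: it only shows the two
properties the text describes, a guaranteed share per partition under
load and redistribution of idle share when the system is not busy.
"""
from typing import Dict, List

EPS = 1e-9


def allocate(budgets: Dict[str, float], demand: Dict[str, float]) -> Dict[str, float]:
    """Return the CPU share (percent) each partition actually receives.

    budgets: guaranteed share per partition, summing to 100.
    demand:  how much each partition currently asks for (percent).
    Rule 1: every partition always gets min(demand, budget), so no partition
            can take another's guaranteed share during peak load.
    Rule 2: whatever is left idle is handed to partitions that still want
            more, in proportion to their budgets (an assumed policy).
    """
    if abs(sum(budgets.values()) - 100.0) > EPS:
        raise ValueError("budgets must sum to 100")
    alloc = {p: min(demand.get(p, 0.0), budgets[p]) for p in budgets}
    spare = 100.0 - sum(alloc.values())
    while spare > EPS:
        hungry = [p for p in budgets if demand.get(p, 0.0) - alloc[p] > EPS]
        if not hungry:
            break  # nobody wants more; the rest stays idle
        weight = sum(budgets[p] for p in hungry)
        handed_out = 0.0
        for p in hungry:
            offer = spare * budgets[p] / weight
            take = min(offer, demand[p] - alloc[p])
            alloc[p] += take
            handed_out += take
        spare -= handed_out
    return alloc


def starved(budgets: Dict[str, float], demand: Dict[str, float],
            alloc: Dict[str, float]) -> List[str]:
    """Partitions that got less than both their budget and their demand.
    Rule 1 says this list must always be empty; use it as a sanity check."""
    return [p for p in budgets
            if alloc[p] + EPS < min(budgets[p], demand.get(p, 0.0))]
```

Run it with a quiet system (one partition asking for more than its budget while others idle) and the hungry partition is allowed to exceed its budget; run it with every partition asking for 100 percent and each gets exactly its budget, which is the guarantee that stops one application from starving another.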

How the tablet manages permissions for applications

The authorization manager is the part of the BlackBerry Tablet OS that evaluates requests from applications to access the capabilities of the BlackBerry PlayBook tablet. Capabilities include taking a photograph and recording audio. The BlackBerry Tablet OS invokes the authorization manager when an application starts to set the permissions for the capabilities that the application uses. When an application starts, it might prompt the BlackBerry PlayBook tablet user to allow access to a capability. The authorization manager can store a permission that the user grants and apply that permission the next time that the application starts.
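The following Python class is an added example, not BlackBerry's authorization manager, that models the behaviour described above: at application start it decides each requested capability, prompting the user only for capabilities with no recorded answer, stores the answers so they survive a restart, and denies by default any capability that was never granted. The capability names, the JSON persistence format, the prompt callback and the `revoke` method are assumptions for the demo.

```python
"""Illustrative model of the authorization manager described above.

Added example, not BlackBerry code. The capability names, the JSON
persistence format, the callback interface and `revoke` are assumptions.
"""
import json
from typing import Callable, Dict, Optional, Set

# Assumed capability names, based on the examples in the text.
CAPABILITIES: Set[str] = {"camera", "microphone"}

PromptFn = Callable[[str, str], bool]   # (app, capability) -> user's answer


class AuthorizationManager:
    def __init__(self, prompt: PromptFn,
                 store: Optional[Dict[str, Dict[str, bool]]] = None) -> None:
        self._prompt = prompt
        self._store = store if store is not None else {}

    def on_app_start(self, app: str, requested: Set[str]) -> Dict[str, bool]:
        """Invoked when an app starts. Prompts only for capabilities that
        have no recorded answer and remembers the user's decision."""
        unknown = requested - CAPABILITIES
        if unknown:
            raise ValueError(f"unknown capabilities: {sorted(unknown)}")
        perms = self._store.setdefault(app, {})
        for cap in sorted(requested):
            if cap not in perms:
                perms[cap] = bool(self._prompt(app, cap))
        return {cap: perms[cap] for cap in requested}

    def check(self, app: str, cap: str) -> bool:
        """Runtime request: default deny for anything not granted at start."""
        return self._store.get(app, {}).get(cap, False)

    def revoke(self, app: str, cap: str) -> None:
        """Withdraw a stored grant; the app is prompted again at next start."""
        self._store.get(app, {}).pop(cap, None)

    def dump(self) -> str:
        """Serialise stored permissions so they survive a restart."""
        return json.dumps(self._store, sort_keys=True)

    @classmethod
    def load(cls, prompt: PromptFn, data: str) -> "AuthorizationManager":
        """Rebuild the manager from a previous dump()."""
        return cls(prompt, json.loads(data))
```

The important design point is that `check` consults only stored decisions and never prompts: a capability the application did not declare at start cannot be acquired mid-run by asking at a moment the user is unlikely to read the prompt carefully.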