Wednesday, January 28, 2015

Nobody thought BlackPhone was secure -- just securer

An exploitable bug was found in BlackPhone, a "secure" Android phone. This is wildly misinterpreted. BlackPhone isn't a totally secure phone, such a thing is impossible. Instead, it's a simply a more secure phone. I mention this because journalists can't tell the difference.

BlackPhone is simply a stock version of Android with the best settings and with secure apps installed. It's really nothing different than what you can do with your own phone. If you have the appropriate skill/knowledge, you can configure your own Android phone to be just like BlackPhone. It also comes with subscriptions to SilentCircle, a VPN service, and a cloud storage service, which may be cheaper as a bundle with installed separately on the phone.

BlackPhone does fork Android with their "PrivateOS", but such a fork is of limited utility. Google innovates faster than a company like BlackPhone can keep up, including security innovations. A true fork would quickly become out of date with Google's own patches, and hence be insecure. BlackPhone is still new, so I don't know how they plan on dealing with this. Continually forking the latest version of Android seems the most logical plan, if not convincing Android to accept their changes.

The upshot is this: if you don't know anything about Android security, and you want the most secure Android phone, then get a BlackPhone. You'll likely be more secure than trying to do everything yourself. Your calls over SilentCircle will likely be secure. You'll likely not get pwned at WiFi hotspots. But that doesn't mean you'll be perfectly secure -- Android is a long way away from that.


Unknown said...

You are 100% on point. Like I tell my datacenter customers, "security" is a feeling, not a thing. We can feel secure when we implement best practices settings, tight process controls while maintain vigilance towards emerging threats.

iamredshift said...
This comment has been removed by the author.
iamredshift said...

It is not that BlackPhone is secure or not, it is that they said they are about privacy, but it is easy to tag, track, and locate BlackPhones.

The biggest thing that many security people disliked about BlackPhone was they (Silent Circle and BlackPhone) were saying that is a phone all about privacy, and how journalist and other could use it without having to worry about information leaking. IDK if you have looked at what a BlackPhone looks like when it jumps on a cellular network (or an 802.11 based network) but the phone just screams out “I’m a BlackPhone, also look at my Silent Circle apps" every few seconds to connect to a server”.

The idea that the phone provides any real privacy is what people really had a problem with. All throughout BlackPhone’s site they claim to be about how your stuff is all private, etc, etc. When really it is super easy to target someone who has a BlackPhone.

This exploit shows why we need more open source solutions, and why you should really never trust a company which says they are all about privacy and security, and will not show it to you.

But I have to agree with what you are saying when people talk about BlackPhone being secure.

Unknown said...

I agree with you, if you want a secure phone with android you can do it if you have the skills! No needs to buy this phone! but if you don't have the skills buy this phone and you'll be equally unsafe.. Great info.