When Blackberry announced
that it was bringing an Android-based device to market, it promised that
it could do so without compromising its own reputation for security.
Yesterday, the company shared some of the changes it made to Google’s
Android OS, and how those changes impact the upcoming Blackberry Priv.
The first thing to understand is just how fundamentally insecure
Android actually is. Repeated studies have shown that the overwhelming
majority of Android devices in the market today are critically insecure.
A recent study from the University of Cambridge found that the average Android device receives just 1.26 software updates per year. This was
before Stagefright, which impacts up to 95% of Android phones.
Here’s how Blackberry is going to
lock down the Priv (and presumably future devices):
First, all hardware is cryptographically signed and verified. The CPU has an
embedded boot ROM that verifies the digital signature of the boot ROM,
which then verifies the OS signing key. The OS verifies the file system
and the file system verifies the hashes of all loaded applications.
Given that Blackberry devices are built on ARM processors, we can assume
that the company uses ARM’s TrustZone technology. A diagram of the
verification process is shown below:
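The chain of trust described above can be sketched in a few lines. This is an added example, not BlackBerry's code and not the diagram from the original article. As a simplifying assumption, each stage pins a SHA-256 digest of the next stage where the real design uses digital signatures, and the stage names and payloads are constructed.

```python
import hashlib
import hmac

# Constructed stage names and payloads, in boot order (not real firmware).
PAYLOADS = [
    ("boot ROM", b"second-stage loader"),
    ("OS", b"kernel image"),
    ("file system", b"base file system"),
    ("application", b"app package"),
]

def measure(image):
    # The digest covers the payload and the pin for the next stage,
    # so re-pinning a later stage changes this stage's measurement too.
    data = image["payload"] + image["next_pin"].encode()
    return hashlib.sha256(data).hexdigest()

def build_chain(payloads):
    """Return (images in boot order, root pin held by the immutable CPU ROM)."""
    images, next_pin = [], ""
    for name, payload in reversed(payloads):
        image = {"name": name, "payload": payload, "next_pin": next_pin}
        next_pin = measure(image)
        images.append(image)
    images.reverse()
    return images, next_pin

def verified_boot(images, root_pin):
    """Walk the chain; return (stages that ran, first stage rejected or None)."""
    expected, booted = root_pin, []
    for image in images:
        if not hmac.compare_digest(measure(image), expected):
            return booted, image["name"]  # halt: nothing after this runs
        booted.append(image["name"])
        expected = image["next_pin"]
    return booted, None

if __name__ == "__main__":
    images, root = build_chain(PAYLOADS)
    print(verified_boot(images, root))
    images[3]["payload"] = b"trojaned app"      # tamper with the last stage
    images[2]["next_pin"] = measure(images[3])  # attacker re-pins it
    print(verified_boot(images, root))
```

Because every measurement includes the pin for the following stage, a modification anywhere in the chain is caught no later than the stage that was modified, and the only value that has to be immutable is the root pin.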
Blackberry is also promising
that its picture logins will be more secure than traditional methods.
I’m dubious on that, especially since the government might be able to
compel you to offer your head for a login photo (they can already compel
you to give up fingerprints). Blackberry’s next point is that it
supports a variety of communication services that are built on offering
high levels of security, including WatchDox private file sharing,
various BBM services, and SecurSuite for private voice calls. Blackberry
also claims that none of its software is backdoored and that all of it uses
cryptography schemes that have been certified by BlackBerry Certicom.
Whether or not those services actually provide the security they claim
to offer is an entirely different question. Claiming to offer
cryptography is easy; actually certifying that code is bug-free is
extremely difficult. Other features of the OS include “a hardened Linux
kernel with numerous patches and configuration changes to improve
security,” full disk encryption
enabled by default, and full support for BES12, Blackberry’s enterprise security platform.
As for user privacy, Blackberry is claiming that its version of Android
contains “privacy monitoring hooks deep within Android that provide
users with powerful feedback and control over how applications make use
of security-critical device resources. This includes the exclusive DTEK™
by BlackBerry warning system app, as well as other features. Privacy
health is communicated in a simple and elegant manner, resulting in
confidence instead of complexity.”
Screenshots of Dtek in action are shown below:
On the surface, Dtek looks
like a simple privacy monitoring application that gives the user an
at-a-glance summary of device privacy and security settings. There’s
nothing wrong with that, to be sure, but Blackberry’s blog post hints
at additional functionality and per-application monitoring. This kind of
flexibility and oversight could be a game-changer for the
privacy-conscious — other devices have tried to provide deep security
protections within Android, but Blackberry (still) has much deeper
pockets than the likes of Blackphone. Given that Google’s entire method
of making money with Android relies on being able to monitor devices and
gather user information, however, we’ll have to wait and see if the
privacy protections discussed here are significant or snake oil.
If there’s reason to be optimistic, it’s this: Blackberry’s CEO has
already admitted that if the Priv doesn’t sell well, the company will
likely exit the hardware business.
Companies that buy products specifically for security features don’t
tend to give second chances, and the Canadian smartphone manufacturer is
out of wiggle room. Under these circumstances, Blackberry is going to
be exquisitely aware that they have to get this right the first time.
http://www.extremetech.com