1. ToniCipriani's Avatar
    11-13-15 11:13 AM
  2. zocster's Avatar
    Possible, M brings lots to Android security IMO...
    geekaren likes this.
    11-13-15 11:17 AM
  3. steffcip's Avatar
    there is a comment on that site re rooting and Nexus phones are rootable on M so Priv is still most secure in my book
    How to root Android 6.0 Marshmallow build MRA58K on Nexus 5, 6, 7, 9 and Nexus Player
    damien kupuku and david7saad like this.
    11-13-15 11:37 AM
  4. steffcip's Avatar
    maybe Priv will be rootable on M
    11-13-15 11:39 AM
  5. nokia4life's Avatar
    Possible, M brings lots to Android security IMO...

    True, once the PRIV gets Marshmallow along with their own updates from BB it will be just as secure if not more. I am currently using the Nexus 6P while I await my PRIV, and man, the 6P is great so far; love the look and feel, got the frost white 128GB model.
    11-13-15 11:41 AM
  6. Steve Rizla's Avatar
    there is a comment on that site re rooting and Nexus phones are rootable on M so Priv is still most secure in my book
    How to root Android 6.0 Marshmallow build MRA58K on Nexus 5, 6, 7, 9 and Nexus Player
    This method of rooting requires switching out the default recovery tool with a custom recovery tool.
    This is something that is pretty much encouraged on Nexus devices. You can't even get to the recovery tool on the Priv, let alone replace it.

    Apples and Oranges.
    mister2d and qwerty4ever like this.
    11-13-15 11:50 AM
  7. ce71's Avatar
    I'm not smart enough to vet everything the Copperhead CTO claimed. Maybe he's 100% correct. Maybe 50%. Or, maybe less.

    But, I will say that he has a vested interest in bashing the Priv. Consider that Copperhead is trying to carve out their niche in the "Secure Android" space. Therefore, every person who uses a Priv is one less who will use the CopperheadOS. So... make of it what you will.
    11-13-15 12:03 PM
  8. ToniCipriani's Avatar
    I'm not smart enough to vet everything the Copperhead CEO claimed. Maybe he's 100% correct. Maybe 50%. Or, maybe less.

    But, I will say that he has a vested interest in bashing the Priv. Consider that Copperhead is trying to carve out their niche in the "Secure Android" space. Therefore, every person who uses a Priv is one less who will use the CopperheadOS. So... make of it what you will.
    Yes, that's what I meant by take it FWIW.

    One obvious point is that 5.1.1 is missing a lot of new security features in 6.0.
    lift likes this.
    11-13-15 12:05 PM
  9. ce71's Avatar
    Yes, that's what I meant by take it FWIW.

    One obvious point is that 5.1.1 is missing a lot of new security features in 6.0.
    Ahhh... sorry... I'm a little slow sometimes.

    Good point!
    11-13-15 12:06 PM
  10. mister2d's Avatar
    I'm not smart enough to vet everything the Copperhead CTO claimed. Maybe he's 100% correct. Maybe 50%. Or, maybe less.

    But, I will say that he has a vested interest in bashing the Priv. Consider that Copperhead is trying to carve out their niche in the "Secure Android" space. Therefore, every person who uses a Priv is one less who will use the CopperheadOS. So... make of it what you will.
    He's backing all of his arguments up with verifiable facts. The kernel he contributes to as well as AOSP are all open source. You may feel that he is "bashing", but at least it's verifiable. So, it's really no need for him to be wrong in anything he says because he can be easily called out. Blackberry on the other hand has closed parts of its operating system on the Priv--meaning no one can dispute their grand claims of being at the forefront of Android security (except this guy).

    Great article and it's insightful if you have an open mind. The Priv has a terrible name and a terrible charter. If it was just marketed as a regular Android phone made by Blackberry, they would be fine. But they want to do this hand wavy thing to make you think there's some secret sauce going on, but really they are over-hyping a device that doesn't protect you like you think it does.
    Yertie, lift, Deppe and 4 others like this.
    11-13-15 12:55 PM
  11. Techno-guy's Avatar
    Interesting read.
    11-13-15 01:04 PM
  12. cgk's Avatar
    I raised this the other day - obviously I was a troll and that guy was a troll with a vested interest - so I'll ask the same question I asked there -

    What are the holes in his actual claims?
    11-13-15 01:08 PM
  13. ce71's Avatar
    He's backing all of his arguments up with verifiable facts. The kernel he contributes to as well as AOSP are all open source. You may feel that he is "bashing", but at least it's verifiable. So, it's really no need for him to be wrong in anything he says because he can be easily called out. Blackberry on the other hand has closed parts of its operating system on the Priv--meaning no one can dispute their grand claims of being at the forefront of Android security (except this guy).

    Great article and it's insightful if you have an open mind. The Priv has a terrible name and a terrible charter. If it was just marketed as a regular Android phone made by Blackberry, they would be fine. But they want to do this hand wavy thing to make you think there's some secret sauce going on, but really they are over-hyping a device that doesn't protect you like you think it does.
    I did read it with an open mind and I did not think he was lying. I just think he's making some assumptions. "A is better than B, because B isn't doing what we're doing." He wasn't a part of the process in determining how BlackBerry implements security on the Priv, so he's working with a lot of unknowns... and to pretend he doesn't have a strong interest in seeing the Priv fail is not accepting reality.

    I assume if you sat down and talked to some of the high-level security folks at BlackBerry... they would probably have some input with regards to some of the things he mentioned.

    BlackBerry is imposing on his turf... and seemingly picking up traction... he can't possibly be happy.
    bungaboy, Sparksx and bitek like this.
    11-13-15 01:09 PM
  14. randomroyalty's Avatar
    Before you can root, you have to unlock the bootloader. I don't think this is possible with the Priv.

    Posted via the CrackBerry App for Android
    11-13-15 01:09 PM
  15. cgk's Avatar

    BlackBerry is imposing on his turf... and seemingly picking up traction... he can't possibly be happy.
    His turf is releasing an open source alpha - he's not running Apple or Samsung - he's got what is effectively a hobbyist OS brew which is only ever going to have a limited impact. The other problem with "well they are competing" is he points out that Nexus devices are more secure than the current version of his OS. So is he not competing against the more secure Nexus devices?
    11-13-15 01:14 PM
  16. mister2d's Avatar
    I did read it with an open mind and I did not think he was lying. I just think he's making some assumptions. "A is better than B, because B isn't doing what we're doing." He wasn't a part of the process in determining how BlackBerry implements security on the Priv, so he's working with a lot of unknowns... and to pretend he doesn't have a strong interest in seeing the Priv fail is not accepting reality.

    I assume if you sat down and talked to some of the high-level security folks at BlackBerry... they would probably have some input with regards to some of the things he mentioned.

    BlackBerry is imposing on his turf... and seemingly picking up traction... he can't possibly be happy.
    It isn't a simple "A is better than B" statement. There's technical detail as well.

    TH: What are the enhancements you think BlackBerry did to the Android kernel, and what do they mean for users?

    DM: They have the PAX_USERCOPY feature from PaX to provide detection of buffer overflows for some copies to and from the kernel. They also have the PAX_PAGEEXEC feature, but it's not very useful on an architecture with NX support like ARM where it doesn't need to provide emulation of the feature. It simply turns a violation of the no-execute permissions into an unrecoverable failure.
    FWIW he's only commenting on the open source kernel component of the Priv. But he also gives the contributions of the kernel he's made vs. what Blackberry did from the above quote.

    TH: What are some of the enhancements you’re doing to your own kernel?

    DM: CopperheadOS has a port of PaX with more of the features enabled. It has improved Address Space Layout Randomization (PAX_ASLR, PAX_RANDUSTACK, PAX_RANDMMAP), prevention of code injection (PAX_MPROTECT), and more of the kernel self-protection features enabled: PAX_USERCOPY, PAX_REFCOUNT, PAX_MEMORY_SANITIZE (along with PAX_KERNEXEC and PAX_MEMORY_UDEREF for the upcoming Nexus 6 release). It has a custom system for setting fine-grained PaX exceptions for Android apps so it can actually have the features enabled for most apps, too.
    That's not even covering the userspace vulnerabilities that Blackberry didn't address. Seems like an honest calling out to me no matter what his vested interest is in. So what BB is invading on his turf. That doesn't mean BB is doing a good service to its customers.
    11-13-15 01:17 PM
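
An added example, not part of the original thread or of either project's code: a Python check that reports which of the PaX options named in the interview quoted in the post above are enabled in a kernel `.config`. The two sample configs are constructed for illustration and are not the Priv's or CopperheadOS's actual configurations; the function names are hypothetical.

```python
import re

# PaX options named in the quoted interview (.config adds a CONFIG_ prefix).
PAX_OPTIONS = [
    "PAX_USERCOPY", "PAX_PAGEEXEC", "PAX_ASLR", "PAX_RANDUSTACK",
    "PAX_RANDMMAP", "PAX_MPROTECT", "PAX_REFCOUNT", "PAX_MEMORY_SANITIZE",
    "PAX_KERNEXEC", "PAX_MEMORY_UDEREF",
]
_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")

def parse_kconfig(text):
    """Return {option: value} for a kernel .config; unset options map to 'n'."""
    opts = {}
    for line in text.splitlines():
        m = _SET.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line.strip())  # Kconfig writes disabled options as comments
        if m:
            opts[m.group(1)] = "n"
    return opts

def pax_report(text):
    """Map each PaX option to 'enabled', 'disabled' or 'absent'."""
    opts = parse_kconfig(text)
    report = {}
    for name in PAX_OPTIONS:
        if name not in opts:
            report[name] = "absent"  # option does not appear in this config at all
        else:
            report[name] = "enabled" if opts[name] == "y" else "disabled"
    return report

def only_in_second(first, second):
    """PaX options enabled in `second` but not enabled in `first`."""
    a, b = pax_report(first), pax_report(second)
    return [n for n in PAX_OPTIONS if b[n] == "enabled" and a[n] != "enabled"]

# Constructed sample configs (illustrative only, not taken from any device).
SAMPLE_MINIMAL = """\
CONFIG_PAX_USERCOPY=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_MPROTECT is not set
"""
_SKIP = ("PAX_PAGEEXEC", "PAX_KERNEXEC", "PAX_MEMORY_UDEREF")
SAMPLE_FULLER = "".join(f"CONFIG_{n}=y\n" for n in PAX_OPTIONS if n not in _SKIP)

if __name__ == "__main__":
    for name, state in pax_report(SAMPLE_MINIMAL).items():
        print(f"{name:22} {state}")
    print("extra in fuller config:", only_in_second(SAMPLE_MINIMAL, SAMPLE_FULLER))
```

On a running device the input would be the kernel's own config text, where the kernel exposes it.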
  17. cgk's Avatar
    Possible, M brings lots to Android security IMO...
    I mention this on another thread but the move into Android for BBRY isn't just about the fact that BB10 has been a sales bomb - it's also about the factor that with every generation Android security gets a little better and while it is not going to hit all of BBRY's remaining customer base I bet the internal fear at BBRY is that for the majority of their remaining customers it's "good enough" and that could happen quicker than they expect.
    11-13-15 01:27 PM
  18. Pinot2015's Avatar
    All good news when guys like this compare to Priv. They are worried it will eat into their market share. And it will .. Security or not. 6p does not have a PKB or BlackBerry Experience Suite. Priv will soon have Marshmallow

    Posted from my Priv!
    11-13-15 01:42 PM
  19. mister2d's Avatar
    All good news when guys like this compare to Priv. They are worried it will eat into their market share. And it will .. Security or not. 6p does not have a PKB or BlackBerry Experience Suite. Priv will soon have Marshmallow

    Posted from my Priv!
    I don't think this guy works in the same space that a PKB or BES would invade in.
    11-13-15 01:46 PM
  20. gabbleratchet's Avatar
    One of the important points he makes is that BlackBerry is not being collaborative in their security efforts.

    I would like to see BlackBerry fund the grsecurity projects and similar efforts in userspace. That way they get the reputation of being a leader in the android security space, and everybody benefits from their work.

    Posted via the CrackBerry App for Android
    app_Developer likes this.
    11-13-15 01:47 PM
  21. Ment's Avatar
    It was surprising to me that BB didn't produce a GRC sponsored/patched kernel when the GRC naming was part of the early test build photo shot. Perhaps it wasn't stable enough for ARM devices and GRC doesn't have a mobile kernel of its own AFAIK.

    Fortunately BB has a layered security approach to its Android platform and Marshmallow is coming soon anyway so they can further build upon its improvements.
    11-13-15 01:57 PM
  22. ce71's Avatar
    It isn't a simple "A is better than B" statement. There's technical detail as well.



    FWIW he's only commenting on the open source kernel component of the Priv. But he also gives the contributions of the kernel he's made vs. what Blackberry did from the above quote.



    That's not even covering the userspace vulnerabilities that Blackberry didn't address. Seems like an honest calling out to me no matter what his vested interest is in. So what BB is invading on his turf. That doesn't mean BB is doing a good service to its customers.
    You make a good point... I think. I just know that when I read a sentence and it has all this... PAX_THIS and PAX_THAT... my brain shuts down. I have no idea what you... or the other people are talking about. I just know that I'm drinking the Kool-Aid! I've got a Priv... I'm happy... and this is the best phone ever!
    mister2d likes this.
    11-13-15 01:59 PM
  23. Steve Rizla's Avatar
    It isn't a simple "A is better than B" statement. There's technical detail as well.



    FWIW he's only commenting on the open source kernel component of the Priv. But he also gives the contributions of the kernel he's made vs. what Blackberry did from the above quote.



    That's not even covering the userspace vulnerabilities that Blackberry didn't address. Seems like an honest calling out to me no matter what his vested interest is in. So what BB is invading on his turf. That doesn't mean BB is doing a good service to its customers.
    True, it isn't a simple A is better than B statement. They took different approaches to securing the OS.
    BlackBerry may have chosen to enable some features while disabling (or ignoring) others when building their kernel because they had the freedom of injecting some security into the hardware of the Priv. Copperhead doesn't have that flexibility with the Nexus 5.

    You can skip some user space security enhancements when your phone is designed to simply brick itself if it detects certain problems.
    11-13-15 02:46 PM
  24. mister2d's Avatar
    You make a good point... I think. I just know that when I read a sentence and it has all this... PAX_THIS and PAX_THAT... my brain shuts down. I have no idea what you... or the other people are talking about. I just know that I'm drinking the Kool-Aid! I've got a Priv... I'm happy... and this is the best phone ever!
    I see. The ignorance is bliss avenue still works. Glad you're happy with it.
    11-13-15 02:47 PM
  25. mister2d's Avatar
    True, it isn't a simple A is better than B statement. They took different approaches to securing the OS.
    BlackBerry may have chosen to enable some features while disabling (or ignoring) others when building their kernel because they had the freedom of injecting some security into the hardware of the Priv. Copperhead doesn't have that flexibility with the Nexus 5.

    You can skip some user space security enhancements when your phone is designed to simply brick itself if it detects certain problems.
    I just read the post as bottomlining that the Priv's security model is overhyped and not at the forefront of Android security as it's marketed. I'm ok with that.
    11-13-15 02:50 PM