[unichips]

I purchased a Moto G4 for my son at the same time I got myself a DTEK 50.

It was half the price of my BlackBerry.

Guess which one's rocking Nougat?

And which one has a more current security patch date?

[Wmsi]

And which one has a more current security patch date?

Which OS is more secure, Marshmallow or Nougat?

[bb10adopter111]

People ask BlackBerry; BlackBerry answers; imo is the normal way to communicate. Not answering is just odd.

Posted via CB10

One can communicate with silence as well.

Posted with my trusty Z10

[bb10adopter111]

Which OS is more secure, Marshmallow or Nougat?

I doubt there is a significant difference between a currently patched M and new N phone when it comes to security.

Posted with my trusty Z10

[Wmsi]

I doubt there is a significant difference between a currently patched M and new N phone when it comes to security.

Posted with my trusty Z10

Depends on your view of significant I suppose.

Here's what we're missing:

(sorry for the long post, but makes interesting reading)

"Over the course of the summer, we previewed a variety of security enhancements in Android 7.0 Nougat: an increased focus on security with our vulnerability rewards program, a new Direct Boot mode, re-architected mediaserver and hardened media stack, apps that are protected from accidental regressions to cleartext traffic, an update to the way Android handles trusted certificate authorities, strict enforcement of verified boot with error correction, and updates to the Linux kernel to reduce the attack surface and increase memory protection. Phew! Now that Nougat has begun to roll out, we wanted to recap these updates in a single overview and highlight a few new improvements.

Direct Boot and encryption
In previous versions of Android, users with encrypted devices would have to enter their PIN/pattern/password by default during the boot process to decrypt their storage area and finish booting. With Android 7.0 Nougat, we’ve updated the underlying encryption scheme and streamlined the boot process to speed up rebooting your phone. Now your phone’s main features, like the phone app and your alarm clock, are ready right away before you even type your PIN, so people can call you and your alarm clock can wake you up. We call this feature Direct Boot. Under the hood, file-based encryption enables this improved user experience. With this new encryption scheme, the system storage area, as well as each user profile storage area, are all encrypted separately. Unlike with full-disk encryption, where all data was encrypted as a single unit, per-profile-based encryption enables the system to reboot normally into a functional state using just device keys. Essential apps can opt-in to run in a limited state after reboot, and when you enter your lock screen credential, these apps then get access your user data to provide full functionality. File-based encryption better isolates and protects individual users and profiles on a device by encrypting data at a finer granularity. Each profile is encrypted using a unique key that can only be unlocked by your PIN or password, so that your data can only be decrypted by you.

Encryption support is getting stronger across the Android ecosystem as well. Starting with Marshmallow, all capable devices were required to support encryption. Many devices, like Nexus 5X and 6P also use unique keys that are accessible only with trusted hardware, such as the ARM TrustZone. Now with 7.0 Nougat, all new capable Android devices must also have this kind of hardware support for key storage and provide brute force protection while verifying your lock screen credential before these keys can be used. This way, all of your data can only be decrypted on that exact device and only by you.

The media stack and platform hardening
In Android Nougat, we’ve both hardened and re-architected mediaserver, one of the main system services that processes untrusted input. First, by incorporating integer overflow sanitization, part of Clang’s UndefinedBehaviorSanitizer, we prevent an entire class of vulnerabilities, which comprise the majority of reported libstagefright bugs. As soon as an integer overflow is detected, we shut down the process so an attack is stopped. Second, we’ve modularized the media stack to put different components into individual sandboxes and tightened the privileges of each sandbox to have the minimum privileges required to perform its job. With this containment technique, a compromise in many parts of the stack grants the attacker access to significantly fewer permissions and significantly reduced exposed kernel attack surface. In addition to hardening the mediaserver, we’ve added a large list of protections for the platform, including:

Verified Boot: Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports error correction to improve reliability against non-malicious data corruption.

SELinux: Updated SELinux configuration and increased Seccomp coverage further locks down the application sandbox and reduces attack surface.

Library load order randomization and improved ASLR: Increased randomness makes some code-reuse attacks less reliable.

Kernel hardening: Added additional memory protection for newer kernels by marking portions of kernel memory as read-only, restricting kernel access to userspace addresses, and further reducing the existing attack surface.

APK signature scheme v2: Introduced a whole-file signature scheme that improves verification speed and strengthens integrity guarantees.

App security improvements
Android Nougat is the safest and easiest version of Android for application developers to use.

Apps that want to share data with other apps now must explicitly opt-in by offering their files through a Content Provider, like FileProvider. The application private directory (usually /data/data/) is now set to Linux permission 0700 for apps targeting API Level 24+.

To make it easier for apps to control access to their secure network traffic, user-installed certificate authorities and those installed through Device Admin APIs are no longer trusted by default for apps targeting API Level 24+. Additionally, all new Android devices must ship with the same trusted CA store.

With Network Security Config, developers can more easily configure network security policy through a declarative configuration file. This includes blocking cleartext traffic, configuring the set of trusted CAs and certificates, and setting up a separate debug configuration.

We’ve also continued to refine app permissions and capabilities to protect you from potentially harmful apps.

To improve device privacy, we have further restricted and removed access to persistent device identifiers such as MAC addresses.

User interface overlays can no longer be displayed on top of permissions dialogs. This “clickjacking” technique was used by some apps to attempt to gain permissions improperly.

We’ve reduced the power of device admin applications so they can no longer change your lockscreen if you have a lockscreen set, and device admin will no longer be notified of impending disable via onDisableRequested(). These were tactics used by some ransomware to gain control of a device.

System Updates
Lastly, we've made significant enhancements to the OTA update system to keep your device up-to-date much more easily with the latest system software and security patches. We've made the install time for OTAs faster, and the OTA size smaller for security updates. You no longer have to wait for the optimizing apps step, which was one of the slowest parts of the update process, because the new JIT compiler has been optimized to make installs and updates lightning fast. The update experience is even faster for new Android devices running Nougat with updated firmware. Like they do with Chromebooks, updates are applied in the background while the device continues to run normally. These updates are applied to a different system partition, and when you reboot, it will seamlessly switch to that new partition running the new system software version. We’re constantly working to improve Android security and Android Nougat brings significant security improvements across all fronts."

[bb10adopter111]

Thanks for the detail. What I don't know is how many of the critical security features are making their way into the security updates, or were already addressed with Blackberry's implementation.

Posted with my trusty Z10

[Wmsi]

Thanks for the detail. What I don't know is how many of the critical security features are making their way into the security updates, or were already addressed with Blackberry's implementation.

Posted with my trusty Z10

I'm sure some concerns regarding the boot process are covered, and probably improved upon by BlackBerry.

I think what we'll both agree on is that the best security scenario for us and BlackBerry would be to have the most recent OS with the most recent security patch on all of their devices.

[bb10adopter111]

I think what we'll both agree on is that the best security scenario for us and BlackBerry would be to have the most recent OS with the most recent security patch on all of their devices.

Certainly that makes sense, I just don't know if that makes a device 50% more secure or 0.0001% more secure. In cybersecurity there's always a tradeoff between ideal and practical.

Posted with my trusty Z10

[johnsliderbb]

One can communicate with silence as well.

Posted with my trusty Z10

Sure. At home I also receive the "silent" treatment sometimes. Most of the times after this treatment I still have no clue what is supposed to happen though.

Posted via CB10

[bb10adopter111]

Sure. At home I also receive the "silent" treatment sometimes. Most of the times after this treatment I still have no clue what is supposed to happen though.

Posted via CB10

A reasonable rule of thumb is, if you ask for something, and are met with silence, the answer is "no."

Posted with my trusty Z10

[evodevo69]

Which OS is more secure, Marshmallow or Nougat?

According to John Chen and his "ambassadors" - that would be Android Nougat - this was mentioned consistently last summer.

When they "hardened" nougat it would finally make android just as secure as bb10 - that's what they said last year.

[conite]

According to John Chen and his "ambassadors" - that would be Android Nougat - this was mentioned consistently last summer.

When they "hardened" nougat it would finally make android just as secure as bb10 - that's what they said last year.

That much is obvious.

But is hardened-M more or less secure than vanilla-N? It's probably a mixed bag, and depends specifically on the attack vector.

There was little doubt at the launch of the Priv that BlackBerry argued hard that hardened-L was overall more secure than vanilla-M.

[HughJarsse]

Considering that BB have now declared the Priv, & both Dtek's as 'legacy' devices, that means NO OS upgrades, and limited security updates, according to BB UK who I have spoken to regarding the continual late updates received here in the UK.. (still no June one, now 21 days 'late' so now not expecting anything!!)

[conite]

Considering that BB have now declared the Priv, & both Dtek's as 'legacy' devices, that means NO OS upgrades, and limited security updates, according to BB UK who I have spoken to regarding the continual late updates received here in the UK.. (still no June one, now 21 days 'late' so now not expecting anything!!)

Yet DTEK50 got the update within 24 hrs of Google for March, April, and May. No reason to scuttle the ship yet.

[HughJarsse]

Yet DTEK50 got the update within 24 hrs of Google for March, April, and May. No reason to scuttle the ship yet.

USA & Canada might, but the UK & rest of Europe?? NO WAY!! As stated previously, only 2 of the 9 I should have got, arrived in less than 28 days....
The old BB forum was rife with EU users who had no updates at all, even after they had confirmed their IMES's with BB, and knew they were not 'carried tied'
Nobody's 'scuttling the ship' basically the ship's hit an iceberg, and the captain blithely tries to carry on regardless!!
BB really need to do a 'damage limitation' and quickly..Keyone users/potential buyers are certainly not going to buy into this, I know 2 people who were going for a Keyone, but...have now held fire after I showed them some of these posts on here...

[Chuck Finley69]

USA & Canada might, but the UK & rest of Europe?? NO WAY!! As stated previously, only 2 of the 9 I should have got, arrived in less than 28 days....
The old BB forum was rife with EU users who had no updates at all, even after they had confirmed their IMES's with BB, and knew they were not 'carried tied'
Nobody's 'scuttling the ship' basically the ship's hit an iceberg, and the captain blithely tries to carry on regardless!!
BB really need to do a 'damage limitation' and quickly..Keyone users/potential buyers are certainly not going to buy into this, I know 2 people who were going for a Keyone, but...have now held fire after I showed them some of these posts on here...

BB and BBMo have each probably done a damage assessment. BB doesn't care and BBMo is probably in agreement by now....