- So does the blackphone2 and Samsung Knox have secure root of trust?
http://crackberry.com/heres-how-blac...d-android-priv
What do you guys think of the priv's security now?
Is it as secure as BlackBerry 10?
And as far as privacy is concerned will DTEK allow permission control on 5.1.1 lollipop? Just like blackphone2?
Posted via CB10
10-20-15 11:49 PM
- And it's not simply a matter of accessing that data, or even selling/sharing that data. The other problem is that whenever such data is collected - some of it quite sensitive personal material - it now is vulnerable to compromise and attack through a variety of other ways, including various Google "partners" and "partners of partners" and "partners of partners of partners" who may be (and most certainly many are) using fundamentally insecure stewardship and operational practices. It becomes essentially a timebomb waiting to go off, the more data is collected, and the more it is shared.
Q10/10.3.2
10-20-15 11:58 PM
- Omnitech (Dragon Slayer)
However, you can shut off permissions (in M native, in earlier revs using a third-party app) that for all intents and purposes "neuter" said apps' ability to get to anything. If you do that, however, then any app that requires those components won't work -- much like is the case with BB10 now.
Not really. There are tons of non-blockable app permissions in Android, eg internet access.
I don't know how comprehensive the following are, but they provide a start (For example, apparently apps can declare custom permissions too):
Manifest.permission | Android Developers
https://github.com/android/platform_...idManifest.xml
Where can I get a list of Android permissions - Stack Overflow
Also, "App Ops" is fairly limited, there are a ton of app permissions that it doesn't have access/control over. BB10's new permission settings for Android are also very coarse - something like a half-dozen general groups that bundle dozens of raw permissions.
For example, here is a list of what permissions the Google Play Store app requests on my Nexus 7:
- read phone status and identity
- send SMS messages
- approximate location
- precise location
- modify or delete the contents of your USB storage
- read the contents of your USB storage
- add or remove accounts
- create accounts and set passwords
- find accounts on the device
- read Google service configuration
- use accounts on the device
- modify secure system settings
- change network connectivity
- control Near Field Communications
- full network access
- Google Play billing service
- receive data from internet
- view network connections
- retrieve running apps
- run at startup
- prevent tablet from sleeping
- delete all app cache data
- install shortcuts
- interact across users
- modify system settings
And Google Play services:
- read phone status and identity
- read instant messages
- write instant messages
- take pictures and videos
- record audio
- approximate location
- precise location
- modify your contacts
- read your contacts
- read your social stream
- write to your social stream
- activity recognition
- modify your own contact card
- read your own contact card
- modify or delete the contents of your USB storage
- read the contents of your USB storage
- add or remove accounts
- contacts data in Google accounts
- create accounts and set passwords
- find accounts on the device
- Google mail
- read Google service configuration
- use accounts on the device
- view configured accounts
- YouTube
- modify secure system settings
- read sensitive log data
- retrieve system internal state
- change network connectivity
- connect and disconnect from Wi-Fi
- download files without notification
- full network access
- receive data from internet
- view network connections
- view Wi-Fi connections
- access Bluetooth settings
- pair with Bluetooth devices
- make app always run
- run at startup
- draw over other apps
- control vibration
- prevent tablet from sleeping
- read sync settings
- read sync statistics
- toggle sync on and off
- interact across users
- modify system settings
- read subscribed feeds
- retrieve app ops statistics
- send sticky broadcast
- write subscribed feeds
Since Gplay is the "Holy Grail" as far as BlackBerry's interest in Android goes, I think it goes without saying that Gplay is going to be installed and fully-functional on the Priv.
Now see how many of those perms you can disable, using AppOps or Android M. Next, check to see if Gplay still works.
It's a requirement imposed by Google if you ship a device with any of their proprietary apps and frameworks. (Gplay, Gmail, G+, Hangouts, Gmaps, Google Now, etc etc etc.)
And as with the Microsoft antitrust litigation, any changes along those lines are years away, if any. Certainly not before the Priv ships in any case.
Since BlackBerry has never yet shipped a native Android device, and since pre-release product plans are quite sensitive competitive material, it's not particularly surprising to me that they do not show up in that list yet. Imagine the uproar if they showed up in the list when they first explored the Android option on the Priv, say, 6 or 9 months ago? Yeah.
Last edited by Omnitech; 10-21-15 at 12:51 PM.
Superdupont 2_0 likes this.
10-21-15 12:30 PM
- Omnitech (Dragon Slayer)
So does the blackphone2 and Samsung Knox have secure root of trust?
Here's how BlackBerry secured Android on the Priv | CrackBerry.com
What do you guys think of the priv's security now?
Is it as secure as BlackBerry 10?
And as far as privacy is concerned will DTEK allow permission control on 5.1.1 lollipop? Just like blackphone2?
In a nutshell, none of the information I've seen so far, including the information contained on the linked page above, has led me to believe that the Priv is even close to the level of security/privacy offered by the Blackphone.
That said, there are some practical matters - eg, the Blackphone provides highly secure/private voice calls and messaging, but both sides need to use their service to fully take advantage of that. Which costs money on an ongoing basis. (Blackphone owners get free access to it for a year or two.) Given how few people on the other side of the link are likely to be subscribers, the realistic benefit for day-to-day usage is not high, unless you can convince all your correspondents to sign up. (In some cases there is a minor benefit of encryption on the Blackphone side of link with someone not using the SilentCircle service)
This is where BlackBerry potentially has an advantage, as about 80% of the security of the Blackphone voice/messaging security can be obtained with BBM Protected, and BBM still has millions of users. (Though most of them nowadays are in Islamic countries and Africa. )
But what the Priv does not provide, as far as I can tell from the silly leaks and tiny snippets of information that BlackBerry has been dribbling-out about the Priv so far, is the customizable secure containers that Blackphone has, which are a huge factor in making all the snoopery Google apps, frameworks and services tolerable. (Ie, you could potentially "wall off" all the snoopery Google stuff into a container which cannot see your actual personal data held in another, separate container. Though there are a variety of features and functions of Android that you would give up if you did this. Also, if you decide you want to have eg Gplay use your personal credit card to buy apps with, once you provide that you are giving them an opportunity to cross-link it with other personal info held somewhere else in the Googleplex, quite possibly making your efforts at keeping your personal info out of their hands moot.)
Superdupont 2_0 likes this.
10-21-15 01:13 PM
- In a nutshell, none of the information I've seen so far, including the information contained on the linked page above, has led me to believe that the Priv is even close to the level of security/privacy offered by the Blackphone.
That said, there are some practical matters - eg, the Blackphone provides highly secure/private voice calls and messaging, but both sides need to use their service to fully take advantage of that. Which costs money on an ongoing basis. (Blackphone owners get free access to it for a year or two.) Given how few people on the other side of the link are likely to be subscribers, the realistic benefit for day-to-day usage is not high, unless you can convince all your correspondents to sign up. (In some cases there is a minor benefit of encryption on the Blackphone side of link with someone not using the SilentCircle service)
This is where BlackBerry potentially has an advantage, as about 80% of the security of the Blackphone voice/messaging security can be obtained with BBM Protected, and BBM still has millions of users. (Though most of them nowadays are in Islamic countries and Africa. )
But what the Priv does not provide, as far as I can tell from the silly leaks and tiny snippets of information that BlackBerry has been dribbling-out about the Priv so far, is the customizable secure containers that Blackphone has, which are a huge factor in making all the snoopery Google apps, frameworks and services tolerable. (Ie, you could potentially "wall off" all the snoopery Google stuff into a container which cannot see your actual personal data held in another, separate container. Though there are a variety of features and functions of Android that you would give up if you did this. Also, if you decide you want to have eg Gplay use your personal credit card to buy apps with, once you provide that you are giving them an opportunity to cross-link it with other personal info held somewhere else in the Googleplex, quite possibly making your efforts at keeping your personal info out of their hands moot.)
How about this?
Protect Your Sandbox
PRIV integrates seamlessly with Android for Work to provide secure separation between work and personal data and applications. The Personal Space lets you download apps and protects your personal privacy, while the Work Space lets the enterprise secure its corporate data.
Taken from: http://blogs.blackberry.com/2015/10/...roid-platform/
Have you tried removing google services from your nexus?
http://www.xda-developers.com/settin...ithout-google/
Posted via CB10
Last edited by The Big Picture; 10-21-15 at 01:59 PM.
10-21-15 01:44 PM
- Omnitech (Dragon Slayer)
In that case here's hoping for the priv to have secure containers. I'll be looking out for that.
How about this?
Protect Your Sandbox
PRIV integrates seamlessly with Android for Work to provide secure separation between work and personal data and applications. The Personal Space lets you download apps and protects your personal privacy, while the Work Space lets the enterprise secure its corporate data.
Taken from: PRIV is for Private: How BlackBerry Secures the Android Platform | Inside BlackBerry
All Blackberries are compatible with BES, which provides the secure containers.
But BES is typically only used by large businesses that can afford the not insignificant investment and management required to run a BES infrastructure, and it still only provides rigid "work" and "personal" containers, which I don't think are adequate to achieve what is necessary to lockdown Android for personal privacy.
Blackphone allows more than 2, user-customizable containers.
What might change my mind about Priv is if BlackBerry introduces a new form of BES Cloud, which allows for such configurable containers and gives away the service with the Priv or at the very least makes it affordable. That would be my personal minimal requirement. Then we start talking about the other items in my shortlist of intrusive Android elements that need to be put on a leash.
Have you tried removing google services from your nexus?
Setting up Android Marshmallow, without Google - XDA Forums
My Nexus7 (2013) is rooted and running CyanogenMod 11. When it was rooted the "Gapps" were installed but I don't use them at all, have all the Google sync stuff deactivated and in fact have no Google account associated with the device at all. Neither do I keep the kind of sensitive data on it that would normally be on people's smartphones. (Contacts, calendar, SMS history, phone call history, personal photos, GPS is disabled, don't use Google's web browser, don't use Gplay, don't use Gmail, don't keep the device with me and activated when traveling, etc etc)
10-21-15 02:48 PM
- ... What might change my mind about Priv is if BlackBerry introduces a new form of BES Cloud, which allows for such configurable containers and gives away the service with the Priv or at the very least makes it affordable. That would be my personal minimal requirement. Then we start talking about the other items in my shortlist of intrusive Android elements that need to be put on a leash. ...
10-21-15 08:35 PM
- All Blackberries are compatible with BES, which provides the secure containers.
But BES is typically only used by large businesses that can afford the not insignificant investment and management required to run a BES infrastructure, and it still only provides rigid "work" and "personal" containers, which I don't think are adequate to achieve what is necessary to lockdown Android for personal privacy.
Blackphone allows more than 2, user-customizable containers.
What might change my mind about Priv is if BlackBerry introduces a new form of BES Cloud, which allows for such configurable containers and gives away the service with the Priv or at the very least makes it affordable. That would be my personal minimal requirement. Then we start talking about the other items in my shortlist of intrusive Android elements that need to be put on a leash.
10-22-15 11:48 AM
- Omnitech (Dragon Slayer)
To reiterate, neither the customizable (up to 4) containers nor the security service for Blackphone users cost them any money for at least the first year. They also provide a free 1-year "gift subscription" that you can give to someone you want to do secure communications with.
https://support.silentcircle.com/cus...-do-they-last-
Trying to get details on individual device licenses of BES Cloud is a challenge, calling on the phone to support or NA sales results in getting put on hold for 15+ minutes, and their website is inconclusive about whether they sell single-device licenses or not. Anyone care to share those details? I can't find them here:
https://store.blackberry.com/direct/...ue/c/1?q=cloud
(EDIT: still on hold with BlackBerry Enterprise Sales... after 40 minutes. Not looking good..)
Last edited by Omnitech; 10-22-15 at 03:14 PM.
10-22-15 02:48 PM
- To reiterate, neither the customizable (up to 4) containers nor the security service for Blackphone users cost them any money for at least the first year. They also provide a free 1-year "gift subscription" that you can give to someone you want to do secure communications with.
https://support.silentcircle.com/cus...-do-they-last-
Trying to get details on individual device licenses of BES Cloud is a challenge, calling on the phone to support or NA sales results in getting put on hold for 15+ minutes, and their website is inconclusive about whether they sell single-device licenses or not. Anyone care to share those details? I can't find them here:
https://store.blackberry.com/direct/...ue/c/1?q=cloud
(EDIT: still on hold with BlackBerry Enterprise Sales... after 40 minutes. Not looking good..)
Silver, 1 year per device, $23/yr.
Gold, Flexible (Android, IOS or BB10) is $72/yr.
Took me about 1 minute to get to the page where I can click "buy".
https://store.blackberry.com/direct/...692.1419047964
10-22-15 04:39 PM
- Omnitech (Dragon Slayer)
Really? You couldn't just buy it online?
Silver, 1 year per device, $23/yr.
Gold, Flexible (Android, IOS or BB10) is $72/yr.
Took me about 1 minute to get to the page where I can click "buy".
https://store.blackberry.com/direct/...692.1419047964
It required a site registration to get past the point I had gotten-to (including your link above), I assume that's what the issue was. (I don't generally have much patience for companies that require a bunch of info from you just to get details on the product they are trying to sell you.)
Or something else I was blocking in the browser may have caused it but I saw no evidence of that.
Never had any reason to register with shopblackberry because they never sell devices that work on my carrier, or have competitive prices on accessories.
10-22-15 04:46 PM
- Well it's $23.
I had a trial but let it expire (they'll let you do that too, 60 days free, so you can see if it will do what you want before you pay.)
The account, surprisingly, is still there. I may turn it back on when I get a Priv, just to get the second compartment.
10-22-15 05:55 PM
- The costs of maintaining two OSes will have the tendency to get out of control, at the moment BB has to do this because BB10 has all of the government security clearances or certifications Android does not. Chen stated on the Code/Mobile interview that there will be two more updates to BB10 that will update BB10's security certificates for the enterprise/government market. His long term plan for Android and BB10 is to influence Google's development of Android towards BlackBerry's implementation of security and add more of BB10's features into Android that in the long term would cause BB10 and Android to "merge" only then would BB10 be retired. So what this means IMHO is that for the consumer market BB10 is for all intents "dead."
FinnBerry likes this.
10-23-15 08:28 AM
- It required a site registration to get past the point I had gotten-to (including your link above), I assume that's what the issue was. (I don't generally have much patience for companies that require a bunch of info from you just to get details on the product they are trying to sell you.)
Or something else I was blocking in the browser may have caused it but I saw no evidence of that.
Never had any reason to register with shopblackberry because they never sell devices that work on my carrier, or have competitive prices on accessories.
How secure and private is Ubuntu?
Can you even trust Linux on your computer anymore?
I gave up on the Windows and Microsoft even as a dual boot option more than 10 years ago.
DJM626 likes this.
10-23-15 08:34 AM
- My point is that you can't go through the source code of BB10, IOS, Windows 10, etc the same way that you can with AOSP source code and then make a statement on whether one is more secure than the other.
I'm talking about OS level exploits, not some bullet points that you can read on some site.
Sure, we assume BB10 is safer than Android, but how do YOU know for sure?
10-23-15 08:53 AM
- Omnitech (Dragon Slayer)
Please enlighten me then oh wise one.
My point is that you can't go through the source code of BB10, IOS, Windows 10, etc the same way that you can with AOSP source code and then make a statement on whether one is more secure than the other.
I'm talking about OS level exploits, not some bullet points that you can read on some site.
Sure, we assume BB10 is safer than Android, but how do YOU know for sure?
While it's all well and good to have the ability to inspect the source code, most people do not have the skill to do this and come to a useful conclusion themselves anyway, and the simple fact that the source is public is not a guarantee of security either. There are tons of OSS S/W that is notoriously insecure, and has a long history of insecurities.
With regard to BB10 and other mobile operating systems, I have a decent idea of the relative merits because I follow the development, research and news on them. You can too.
There is no "magic bullet" that automatically makes A, B or C "universally superior" - in fact, the situation changes all the time. For example, BASH, an open-source product from the very start and something that a huge percentage of the world's online infrastructure uses as the default command shell on webservers, DNS servers, routers, and all manner of network-connected devices that make up a huge percentage of the networked world - recently discovered an extremely-serious and widely-exploited security flaw that, as it turns out, had been introduced into the shipping code in 1989.
That's just the background. If you want details you'll have to either lookup one of my prior posts on the subject or wait until I'm not sitting here typing this on my Z10.
10-23-15 10:31 AM
- While it's all well and good to have the ability to inspect the source code, most people do not have the skill to do this and come to a useful conclusion themselves anyway, and the simple fact that the source is public is not a guarantee of security either. There are tons of OSS S/W that is notoriously insecure, and has a long history of insecurities.
I know. I provided detailed reports to BlackBerry on how to recreate bugs that I found when 'we' were getting BB10 ready for end users.
There is no "magic bullet" that automatically makes A, B or C "universally superior" - in fact, the situation changes all the time. For example, BASH, an open-source product from the very start and something that a huge percentage of the world's online infrastructure uses as the default command shell on webservers, DNS servers, routers, and all manner of network-connected devices that make up a huge percentage of the networked world - recently discovered an extremely-serious and widely-exploited security flaw that, as it turns out, had been introduced into the shipping code in 1989.
That's just the background. If you want details you'll have to either lookup one of my prior posts on the subject or wait until I'm not sitting here typing this on my Z10.
10-23-15 12:44 PM
- Omnitech (Dragon Slayer)
Well your comments here on this subject would not have suggested as much, thus the "history lesson" meant to demonstrate that security and vulnerability-assessment is not some either/or where something non-OSS is automatically assumed to be of unknown security simply because someone can't examine the source. BASH's source was open since the beginning but a horrible glaring security bug existed since 1989 despite millions of users around the world and probably hundreds if not thousands of people reviewing its source code over that timeframe.
Hackers and pentesters have discovered and learned these security distinctions about both OSS and non-OSS S/W for decades. "Pwn2Own" competitions, last I checked, did not require the source code on every system challenged.
10-23-15 06:38 PM
- Yeah, like with OpenSSL. Code intended for security purposes (and thus you'd think people would care) and yet I seem to keep having to load new versions as they keep finding buffer overflow, use-after-free and other similar errors..... no, open source doesn't mean that people actually vet the code!
10-23-15 09:01 PM
- All Blackberries are compatible with BES, which provides the secure containers.
But BES is typically only used by large businesses that can afford the not insignificant investment and management required to run a BES infrastructure, and it still only provides rigid "work" and "personal" containers, which I don't think are adequate to achieve what is necessary to lockdown Android for personal privacy.
Blackphone allows more than 2, user-customizable containers.
What might change my mind about Priv is if BlackBerry introduces a new form of BES Cloud, which allows for such configurable containers and gives away the service with the Priv or at the very least makes it affordable. That would be my personal minimal requirement. Then we start talking about the other items in my shortlist of intrusive Android elements that need to be put on a leash.
My Nexus7 (2013) is rooted and running CyanogenMod 11. When it was rooted the "Gapps" were installed but I don't use them at all, have all the Google sync stuff deactivated and in fact have no Google account associated with the device at all. Neither do I keep the kind of sensitive data on it that would normally be on people's smartphones. (Contacts, calendar, SMS history, phone call history, personal photos, GPS is disabled, don't use Google's web browser, don't use Gplay, don't use Gmail, don't keep the device with me and activated when traveling, etc etc)
Posted via CB10
10-24-15 02:14 PM
Privacy; BB PRIV v Blackphone 2 v other