[ohaiguise]

Proof?

It's never been proved to the contrary so there is no reason to suppose it.

[Dunt Dunt Dunt]

Some people have bought the idea that BlackBerry have 'hardened' the Linux/Android kernel in their Priv to make it more secure.

'More secure' than what? Than other Android smartphones? Or just more secure than a comparatively less secure version of the kernel?

At the end of the day it's just 'yet another Android' with a pop out keyboard, neither more nor less secure than any other reasonably modern Android phone.

BlackBerry can do all the hardening they want... and then it's found the chip software is vulnerable to begin with.

And BlackBerry can issue all sorts of flyers and whitepapers http://help.blackberry.com/en/securi...y-Guide-en.pdf.. in the end it will come down to the certifications that they can get. Wonder how long before BlackBerry Android will get the all important NIAP Certifications? Has it been FIPS certified yet? It's going to take 3rd parties to test and tell us just how secure BlackBerry's Android is... but I think first BlackBerry has to be committed to hardware.

[Invictus0]

It's never been proved to the contrary so there is no reason to suppose it.

Enjoy!

https://github.com/blackberry/android-linux-kernel

PRIV is for Private: How BlackBerry Secures the Android Platform | Inside BlackBerry

Introduction: Security and privacy, deep and wide - Security guide for BlackBerry powered by Android - latest

[Emaderton3]

It's never been proved to the contrary so there is no reason to suppose it.

Then by the same logic the similar things that BlackBerry did to BlackBerry 10 phones is also questionable and does not necessarily make them the safest phones.

Posted via CB10

[Jerale]

http://blogs.blackberry.com/2015/10/...roid-platform/

Posted via the CrackBerry App for Android

[ohaiguise]

Then by the same logic the similar things that BlackBerry did to BlackBerry 10 phones is also questionable and does not necessarily make them the safest phones.

Posted via CB10

Correct

[Invictus0]

Correct

And yet, how many active BB10 vulnerabilities can you name (or any previous ones that were widely exploited)? Even the Android runtime has held up quite well, the only exploit I know of is Stagefright but its impact on BB10 was quite limited and required the user to do a bit of work to expose the system, it was patched quickly as well.

[Soulstream]

And yet, how many active BB10 vulnerabilities can you name (or any previous ones that were widely exploited)? Even the Android runtime has held up quite well, the only exploit I know of is Stagefright but its impact on BB10 was quite limited and required the user to do a bit of work to expose the system, it was patched quickly as well.

Another problem is that an OS being more popular makes it a more attractive target to hackers. For every hacker taking a go at a BB device, there are 1000 attempting to crack Android/iOS. It is a form of security by obscurity. I am not saying that this is the case but you should consider it in your thought process.

Another issue is that most Android vulnerabilities require the user to either have their device rooted, disable protection for sideloading apps (you even get a warning you might be at risk if you do that) and download and install apps from some random internet page. But if you use some common sense and only use the vetted Google Play store, you chances of being infected are very very very low.

[Dunt Dunt Dunt]

Another problem is that an OS being more popular makes it a more attractive target to hackers. For every hacker taking a go at a BB device, there are 1000 attempting to crack Android/iOS. It is a form of security by obscurity. I am not saying that this is the case but you should consider it in your thought process.

Another issue is that most Android vulnerabilities require the user to either have their device rooted, disable protection for sideloading apps (you even get a warning you might be at risk if you do that) and download and install apps from some random internet page. But if you use some common sense and only use the vetted Google Play store, you chances of being infected are very very very low.

And sometimes when a vulnerability is found... it get's exploited and not just announced so it will be fixed. Look at BBOS and that hacker group that was access what were once very secure devcies.

[Prem WatsApp]

Drive-by downloads...?
Poisoned MMS?
...
etc.

There's just too much affecting Android. :-(

�   There's a Crack in the Berry right now...   �

[LazyEvul]

Enjoy!

https://github.com/blackberry/android-linux-kernel

PRIV is for Private: How BlackBerry Secures the Android Platform | Inside BlackBerry

Introduction: Security and privacy, deep and wide - Security guide for BlackBerry powered by Android - latest

There was a pretty detailed takedown of BlackBerry's security claims made by a researcher from Copperhead some time ago, I'll have to see if I can dig that up again. But the conclusion was that the Priv might be marginally more secure than similar Lollipop devices, but not as secure as an up-to-date Nexus.

Haven't heard any comment from them about the Marshmallow update on the Priv, but I haven't seen any evidence to suggest that BlackBerry has done any extra hardening since Lollipop. Assuming that's the case, the Priv would be only marginally more secure than other Marshallow devices - and that's only if your carrier keeps up with the monthly security updates. The Priv will almost certainly be missing out on Android Nougat security improvements for months after the Nexus lineup gets them as well.

BlackBerry does an admirable job, but they're always going to be hamstrung by the realities of being an Android OEM - you need time to adapt new updates to your device and run them through carrier approval. Unless Google or BlackBerry can address that, a Nexus will always remain the best choice for security on Android.

And yet, how many active BB10 vulnerabilities can you name (or any previous ones that were widely exploited)? Even the Android runtime has held up quite well, the only exploit I know of is Stagefright but its impact on BB10 was quite limited and required the user to do a bit of work to expose the system, it was patched quickly as well.

BB10 was never popular enough to have a vulnerability exploited at scale in the wild, and security through obscurity is generally a bad idea.

That's not to say it was poorly designed for security, but it simply never became popular enough for us to draw any serious conclusions - security researchers never gave it much more than a quick glance.

[Invictus0]

There was a pretty detailed takedown of BlackBerry's security claims made by a researcher from Copperhead some time ago, I'll have to see if I can dig that up again. But the conclusion was that the Priv might be marginally more secure than similar Lollipop devices, but not as secure as an up-to-date Nexus.

Haven't heard any comment from them about the Marshmallow update on the Priv, but I haven't seen any evidence to suggest that BlackBerry has done any extra hardening since Lollipop. Assuming that's the case, the Priv would be only marginally more secure than other Marshallow devices - and that's only if your carrier keeps up with the monthly security updates. The Priv will almost certainly be missing out on Android Nougat security improvements for months after the Nexus lineup gets them as well.

BlackBerry does an admirable job, but they're always going to be hamstrung by the realities of being an Android OEM - you need time to adapt new updates to your device and run them through carrier approval. Unless Google or BlackBerry can address that, a Nexus will always remain the best choice for security on Android.

Yup I remember that, they only discuss the kernel but it was the CTO of Copperhead. Tom's Hardware has interviews with both the CTO and BlackBerry's Chief Security Officer,

Copperhead CTO: Nexus Phones Already More Secure Than BlackBerry Priv

BlackBerry's Security Chief On The Priv, And Raising The Bar On Cybersecurity (this interview also discusses Priv vs Marshmallow devices)

Have there been any cases where carriers have withheld monthly Priv updates for an extended period of time? If your Android security needs are met through consistent OS updates then I agree, Nexus is absolutely the best and safest choice for that. If your security focus is on root protection and device integrity it's possible the Priv is better suited (and there are certainly other devices that do different security needs better than both).

BB10 was never popular enough to have a vulnerability exploited at scale in the wild, and security through obscurity is generally a bad idea.

That's not to say it was poorly designed for security, but it simply never became popular enough for us to draw any serious conclusions - security researchers never gave it much more than a quick glance.

That's a very good point but we can still evaluate the Android runtime and BlackBerry's response time to noted vulnerabilities.

[K3_Cubed]

Maybe you all could expand on the back and forth discussions in this thread... http://forums.crackberry.com//genera...sired-1078545/

Don't know why it has been only commented on by two people. Or maybe it's what another poster said. No one is really interested in knowing the details or really explaining or trying to understand.

There seems to be too much of an "east-side"/"west side" mentality when it comes to discussions.

But I guess the site is not really about security/privacy, so nobody's really interested in laying not out and making it a sticky. Guess there are other forums for that. An on that note if anyone knows another forum that can sum it up very nicely please share.



Posted via CB10

[keliew]

It's as secure as the user.

BlackBerry Passport via CB10

[LazyEvul]

Yup I remember that, they only discuss the kernel but it was the CTO of Copperhead. Tom's Hardware has interviews with both the CTO and BlackBerry's Chief Security Officer,

Copperhead CTO: Nexus Phones Already More Secure Than BlackBerry Priv

BlackBerry's Security Chief On The Priv, And Raising The Bar On Cybersecurity (this interview also discusses Priv vs Marshmallow devices)

Yep, that's what I was talking about. There was a lot more in-depth detail in a series of tweets on Copperhead's Twitter account, but I'm having a hard time finding them.

Have there been any cases where carriers have withheld monthly Priv updates for an extended period of time?

Definitely have been, yes. The US carriers have skipped monthly updates before, and some still haven't even delivered Marshmallow to the Priv.

If your Android security needs are met through consistent OS updates then I agree, Nexus is absolutely the best and safest choice for that. If your security focus is on root protection and device integrity it's possible the Priv is better suited (and there are certainly other devices that do different security needs better than both).

For the average consumer though, timely updates will be far more important than root protection. Those monthly updates will patch any known holes that allow remote root access, among others - anything that isn't known is less likely to be deployed on a wide scale, it's worth a lot more to someone with specific targets. And local root would require a very specific threat model to be a concern because it requires the device password and wipes the device in the process.

We also mustn't overlook the importance of the major updates like Marshmallow or Nougat - they usually include new or improved mitigations for vulnerabilities, that can protect even against vulnerabilities that aren't yet publicly known.

That's a very good point but we can still evaluate the Android runtime and BlackBerry's response time to noted vulnerabilities.

Sure, and that tells us that BlackBerry does their best to push out timely updates (though some carriers have been known to delay matters with BB10 as well), but it doesn't tell us much about the security features of the OS and how well they're implemented.

[Tsepz_GP]

All my friends are saying about blackberry is highly secure mobile and i have doubt about it what the secure features in blackberry and compare to the normal mobiles so clarify me what is the security

Its all a lie people have been telling themselves.

Your very own Mobile Carrier has a ton of information on you that they sell on to marketing agencies and big data companies.

I can't help but laugh at people who believe they are on the "most secure OS".

You want security and privacy, get off the grid.

[Invictus0]

Definitely have been, yes. The US carriers have skipped monthly updates before, and some still haven't even delivered Marshmallow to the Priv.

Not surprised as US carriers have been pretty slow in the past with updates on Windows Phone as well. I don't think carriers elsewhere are as slow with their OS updates.

For the average consumer though, timely updates will be far more important than root protection. Those monthly updates will patch any known holes that allow remote root access, among others - anything that isn't known is less likely to be deployed on a wide scale, it's worth a lot more to someone with specific targets. And local root would require a very specific threat model to be a concern because it requires the device password and wipes the device in the process.

We also mustn't overlook the importance of the major updates like Marshmallow or Nougat - they usually include new or improved mitigations for vulnerabilities, that can protect even against vulnerabilities that aren't yet publicly known.

I agree, OS updates are important but eventually support for a device will stop (even Nexus devices) and users won't necessarily upgrade because of that. With a device like the Priv you would at least be better protected from certain attack vectors than other stock or near stock Android devices if they were both stuck on Lollipop. Most Android devices are still on 4.4 so it's definitely not an angle that should be underplayed IMO,

https://developer.android.com/about/...rds/index.html

Sure, and that tells us that BlackBerry does their best to push out timely updates (though some carriers have been known to delay matters with BB10 as well), but it doesn't tell us much about the security features of the OS and how well they're implemented.

Fair point, and realistically, BlackBerry likely isn't intending on secure deployment of BB10 without BES or a similar solution.

[Jerry A]

Not surprised as US carriers have been pretty slow in the past with updates on Windows Phone as well. I don't think carriers elsewhere are as slow with their OS updates.



I agree, OS updates are important but eventually support for a device will stop (even Nexus devices) and users won't necessarily upgrade because of that. With a device like the Priv you would at least be better protected from certain attack vectors than other stock or near stock Android devices if they were both stuck on Lollipop. Most Android devices are still on 4.4 so it's definitely not an angle that should be underplayed IMO,

https://developer.android.com/about/...rds/index.html



Fair point, and realistically, BlackBerry likely isn't intending on secure deployment of BB10 without BES or a similar solution.

BES won't really make a difference in these situations. The purpose of BES isn't to protect your personal information.

It's purpose is to protect corporate data and limit exposure by restricting (based on your company's security policy) what one can and can't do on a given device.

[Invictus0]

BES won't really make a difference in these situations. The purpose of BES isn't to protect your personal information.

It's purpose is to protect corporate data and limit exposure by restricting (based on your company's security policy) what one can and can't do on a given device.

Sometimes, that might be all you need. A BB10 BES policy that blocks app installs would reduce (perhaps even remove) the risk that Stagefright could be exploited on a device in an enterprise setting. If a user can't install apps they wouldn't be able to accidentally expose Android based MMS capabilities.

[Jerry A]

Sometimes, that might be all you need. A BB10 BES policy that blocks app installs would reduce (perhaps even remove) the risk that Stagefright could be exploited on a device in an enterprise setting. If a user can't install apps they wouldn't be able to accidentally expose Android based MMS capabilities.

You're absolutely correct. Ditto for blocking SMS/MMS. But, as you say, this is for enterprise settings.

Guess my comment was more geared toward those that don't understand what BES is or does and think it provides some magic layer of Unicorn Security (tm) against all threats - known, unknown, real or imagined.

[LazyEvul]

I agree, OS updates are important but eventually support for a device will stop (even Nexus devices) and users won't necessarily upgrade because of that. With a device like the Priv you would at least be better protected from certain attack vectors than other stock or near stock Android devices if they were both stuck on Lollipop. Most Android devices are still on 4.4 so it's definitely not an angle that should be underplayed IMO,

https://developer.android.com/about/...rds/index.html

Oh absolutely, this is a major issue for Android. But the reason most devices are stuck on old versions is because OEMs abandon them early. It's a major expense to modify new updates for your device, then run them through carrier approval. So most manufacturers abandon updates much earlier than Google might. Google promises major updates up to two years from launch, and monthly security updates for up to three years from launch or 18 months from the final sale on the Google Store (whichever is later).

Will the Priv be getting Android O at the end of 2017? Will it still get security updates at the end of 2018? It's not impossible - BB10 and BBOS devices have had long support cycles - but given how precarious things are at BlackBerry's handset division, and how many Android OEMs ditch users early, it's a lot easier to trust Google with that promise.

And because the Priv appears to be only marginally hardened, it's likely that most vulnerabilities discovered after EOL will still affect the device. BlackBerry Integrity Detection might provide a warning some of the time, but judging by the description BlackBerry provides in their security guide, it's not foolproof. And what does the average user do with that warning? It doesn't sound like the device takes any action if an issue is detected, so the malware will still be free to do what it wants.

Also worth keeping in mind that, because you can unlock the bootloader on a Nexus, you can install an updated ROM on the device after EOL. For instance, for the Nexus 4 you can get a ROM like Chroma - based on Marshmallow, close to stock, and provides the latest security updates within a few days of their release.

Custom ROMs are probably outside the purview of the average consumer, but it's nice to have those options.

Fair point, and realistically, BlackBerry likely isn't intending on secure deployment of BB10 without BES or a similar solution.

At this point, almost certainly not.

[Invictus0]

Oh absolutely, this is a major issue for Android. But the reason most devices are stuck on old versions is because OEMs abandon them early. It's a major expense to modify new updates for your device, then run them through carrier approval. So most manufacturers abandon updates much earlier than Google might. Google promises major updates up to two years from launch, and monthly security updates for up to three years from launch or 18 months from the final sale on the Google Store (whichever is later).

Will the Priv be getting Android O at the end of 2017? Will it still get security updates at the end of 2018? It's not impossible - BB10 and BBOS devices have had long support cycles - but given how precarious things are at BlackBerry's handset division, and how many Android OEMs ditch users early, it's a lot easier to trust Google with that promise.

And because the Priv appears to be only marginally hardened, it's likely that most vulnerabilities discovered after EOL will still affect the device. BlackBerry Integrity Detection might provide a warning some of the time, but judging by the description BlackBerry provides in their security guide, it's not foolproof. And what does the average user do with that warning? It doesn't sound like the device takes any action if an issue is detected, so the malware will still be free to do what it wants.

Realistically the issue with updates and patches likely won't improve until consumers begin to demand more from OEM's and carriers. The Priv is a good step in this direction in my opinion, if apps like DTEK can inform general users of security and privacy concerns as it relates to their device it could drive home the need for better update support in a way that news articles about Stagefright or Heartbleed can't.

It's hard to say how many updates BlackBerry's Android devices will receive but I'd like to think that given BB10's support track record under Chen that we'll see updates for a few years at least but only time will tell.

As for future threats, I think the Priv will be better suited to protecting/identifying threats that attempt to root the device or interfere with the OS. Nothing is infinite but that seems to be where much of BlackBerry's technical investment in Android currently is. I think BlackBerry Integrity Detection will just warn the user/administrator of breaches, at that point I guess they'd want you to wipe or replace the device?

[LazyEvul]

Realistically the issue with updates and patches likely won't improve until consumers begin to demand more from OEM's and carriers. The Priv is a good step in this direction in my opinion, if apps like DTEK can inform general users of security and privacy concerns as it relates to their device it could drive home the need for better update support in a way that news articles about Stagefright or Heartbleed can't.

Yeah for sure, consumers need to demand more. Though given how low a priority security is for many, who knows if that'll ever happen?

It's hard to say how many updates BlackBerry's Android devices will receive but I'd like to think that given BB10's support track record under Chen that we'll see updates for a few years at least but only time will tell.

I'm cautiously optimistic about it, but it's a hard case to make to the average consumer when it's far more certain that Google is going to be around to support Nexus devices for a very long time.

As for future threats, I think the Priv will be better suited to protecting/identifying threats that attempt to root the device or interfere with the OS. Nothing is infinite but that seems to be where much of BlackBerry's technical investment in Android currently is. I think BlackBerry Integrity Detection will just warn the user/administrator of breaches, at that point I guess they'd want you to wipe or replace the device?

You could wipe the device, sure, but by the time you act on the warning, will the damage already be done? Might be different for a BES-managed device, but I could quite easily see an average consumer putting off the warning to deal with it later - giving malware time to do its thing. That's why I don't think it's that beneficial, at least not to a regular user. It needs to be able to act as well, ideally by killing any suspect APKs. It doesn't sound like it does that, unless BlackBerry is excluding something from their documentation.

The added hardening might be of benefit, though. Assuming you're comparing to a similar Marshmallow device, you might see some benefit in specific circumstances, but it's just so minimal. Chances are very good that it won't be long before it's vulnerable to several things anyways. Post-EOL devices are an inherent security risk, no getting around it.

If we're making security-first recommendations, then the recommendation there should be to buy a newer device (if possible, of course). And if you're buying a device now with the intent of keeping it for a very long time, probably look into an iPhone. They get updates for between 4-5 years. Apple doesn't explicitly guarantee a timeframe, but we know the iPhone 4s (launched 2011) will be getting the final iOS 9 update this summer before going EOL, and the iPhone 5 (launched 2012) will be getting iOS 10.

But my original argument was about security specifically on Android, so I suppose that's beside the point. Nexus is still the best guarantee you have of (relatively) long-term support on Android.

[chain13]

Am I the only one who get invited by onlineshop ad accounts in my BBM?
How could they know that I like shoping? Data mining?
Doesn't that mean blackberry does excactly the same huh?

[Invictus0]

You could wipe the device, sure, but by the time you act on the warning, will the damage already be done? Might be different for a BES-managed device, but I could quite easily see an average consumer putting off the warning to deal with it later - giving malware time to do its thing. That's why I don't think it's that beneficial, at least not to a regular user. It needs to be able to act as well, ideally by killing any suspect APKs. It doesn't sound like it does that, unless BlackBerry is excluding something from their documentation.

Interesting, there's a bit more information about BID here,

BlackBerry Integrity Detection is here! | BlackBerry Developer Blog

Basically developers can integrate BID into their apps and check the status of a device before performing an action (if the device has BID of course). The FAQ goes into a bit more detail,

https://supportforums.blackberry.com...w/ta-p/3178827

They use NFC payments as an example but I wonder if any OS level apps are using it on the Priv?

The added hardening might be of benefit, though. Assuming you're comparing to a similar Marshmallow device, you might see some benefit in specific circumstances, but it's just so minimal. Chances are very good that it won't be long before it's vulnerable to several things anyways. Post-EOL devices are an inherent security risk, no getting around it.

It would depend on the exploit but in current cases the protection definitely isn't minimal,

BSRT-2016-002 Vulnerability in Android/Linux kernel impacts BlackBerry PRIV smartphones (under "Mitigations")

For other devices the only option was to wait for an OEM update,

Android rooting bug opens Nexus phones to ?permanent device compromise? | Ars Technica

I think it's a pretty safe assumption that the Priv would handle other root based vulnerabilities the same way. Granted we're likely a few years away from EOL and there's no telling how exploits will advance in that time but assuming the Priv is still able to detect root access the device seems to have a system in place to block exploits and restore system integrity.

If we're making security-first recommendations, then the recommendation there should be to buy a newer device (if possible, of course). And if you're buying a device now with the intent of keeping it for a very long time, probably look into an iPhone. They get updates for between 4-5 years. Apple doesn't explicitly guarantee a timeframe, but we know the iPhone 4s (launched 2011) will be getting the final iOS 9 update this summer before going EOL, and the iPhone 5 (launched 2012) will be getting iOS 10.

Agreed, when it comes to device support Apple is definitely leading the way.