3

Recently, Blackberry began selling smartphones that run the Android OS. If the Android OS has so many security issues out-of-the box, then why bother paying extra for it?

Blackberry claims that the phones have a "hardened" version of the Android OS. Are these measures worth the cost, or do they only provide trivial protection against an experienced hacker?

Can you get the same level of protection by simply buying a regular Android and then hardening it yourself?

asdfdsa
  • Specific Android OSes are already hardened. More: what out-of-the-box security issues exist in the "vanilla" Android OS? In my experience it is more secure than most of the Linux distributions on the market. And many vendors make it impossible for a simple app to gain root access without the user having already tampered with the device. And nice "Spambot" username ;) – Serverfrog Sep 24 '16 at 01:02
  • And mostly I see that Blackberry flavored its Android OS with its own apps. And things like the DTEK app are... information most users ignore because they think they know better (Developer Mode, rooting the device, Untrusted Sources etc.). So mainly, I could not read about something like SELinux (which Samsung uses for its KNOX project) or other things which "hardened" the Android OS. Most of the simple virus scanners do the same job. – Serverfrog Sep 24 '16 at 01:07

2 Answers

2

So many questions, let's tackle one-by-one.

Recently, Blackberry began selling smartphones that run the Android OS. If the Android OS has so many security issues out-of-the box, then why bother paying extra for it?

Because Android has many useful applications which are not otherwise available on Blackberry. Android has approximately 10x more apps, so the chance of finding an app you need (for example, an airline-specific app) is much higher on Android. Thus for many users it would be worth paying extra.

Consider that an old cell phone (which is not a smartphone) is extremely secure against many present-day attacks - no ransomware ever! However, you'll see very few people still using one, despite its extremely high level of security.

Blackberry claims that the phones have a "hardened" version of the Android OS. Are these measures worth the cost, or do they only provide trivial protection against an experienced hacker?

This is impossible to answer without knowing specifics, especially how contained the Android frameworks are on Blackberry. However it is possible to contain them better on Blackberry, because Android frameworks do not have to run under root or have access to hardware, like they do on Android.

Can you get the same level of protection by simply buying a regular Android and then hardening it yourself?

Unless by "hardening" you mean "rewrite a significant enough part of Android", the answer is No. You will not have the same level of protection in this case, because you cannot contain all Android code in such a way that nothing Android-specific runs with elevated privileges.

George Y.
  • BlackBerry Priv and DTEK50 are Android running on the Linux kernel, not BlackBerry's QNX kernel running the Android framework like the Z30 was. – Lie Ryan Sep 24 '16 at 19:04
  • Good point. I was mostly focused on Z30 Android support. The native Android phone is not likely then to be significantly more secure; they can add defenses on top of Android (like KNOX), but the effectiveness of them will always be questionable until someone actually tries to break it. Many hardening solutions sound good on paper, but don't really change much. – George Y. Sep 24 '16 at 19:39
  • Are there a lot of unfixed security bugs in the Android OS? Is Apple any better at fixing security bugs as they emerge? – asdfdsa Sep 26 '16 at 09:18
  • There are no known unfixed security bugs in the Android OS source code tree. But there's a long path from the bugfix made in the source tree to the actual firmware change on a non-Google Android device. Many devices never receive those fixes, and thus stay unpatched. – George Y. Sep 26 '16 at 17:49
  • @GeorgeY. Wow. I never realized how important updates were! How do you find out which manufacturers are better at making sure their customers actually get the bug fixes? – asdfdsa Sep 26 '16 at 21:15
  • You can look at track record, which is unfortunately not good for many manufacturers. Notably, all US carriers make their own firmware for popular phones, and they're all bad both at delivering updates in a timely manner and at supporting old phones. The only devices which are updated fast enough and have a decent track record are Google phones. – George Y. Sep 27 '16 at 00:12
  • Can you compare Google Pixel and BlackBerry KeyOne? Which is more secure? – Léo Léopold Hertz 준영 Feb 26 '17 at 07:21
2

The security issues related to Android are mostly due to three things:

  1. most users choosing weak security settings (e.g. swipe screen locks); BlackBerry tries to resolve this by adding an application that nudges you to change these settings
  2. lack of commitment from manufacturers to push updates for old devices; BlackBerry seems to signal that they want to take updates more seriously than other manufacturers
  3. most importantly, most users do not pay attention to application permissions when installing apps. I don't see anything that BlackBerry does here that's particularly interesting. It's a really hard problem because you can't make users pay attention to things they don't care about

None of these are actually security issues in the Android software itself, which has a very solid Linux base; rather, they are security issues in the things surrounding Android (user education, manufacturers' processes, etc). There are a few security bugs in Android software, like Stagefright, and they make big news due to their severity. That these actually still make big news rather than just being one of many security bugs fixed in last Tuesday's set of patches indicates that security issues of this magnitude and severity are still considered quite uncommon.

The actual software security hardening that BlackBerry does, for example, trusted computing, full disk encryption and verified boot, was supposed to bring BlackBerry's Android security ahead of its competitors, but these features arrive too late, as they have now become standard for Marshmallow and later devices across manufacturers because Google makes them mandatory in the Android Compatibility Definition Document (CDD). You can argue whether having a company that has security in its DNA developing these security features vs manufacturers just trying to do the minimum to pass the CDD is worth the extra price tag.

Probably the only interesting bit of hardening that BlackBerry does is including grsecurity.

Lie Ryan
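The points raised in the answers above (patch delivery lag, verified boot, disk encryption, Marshmallow as the baseline) can be checked on any device from its system properties. The following is an added example, not code from either answer: it parses `getprop`-style output and flags gaps. The sample input is constructed, and the 90-day patch age threshold is an assumed policy value.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2016-03-01]
[ro.boot.verifiedbootstate]: [orange]
[ro.crypto.state]: [encrypted]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")
MARSHMALLOW_SDK = 23      # API level of Android 6.0
MAX_PATCH_AGE_DAYS = 90   # assumed policy threshold, not from the page


def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, skipping anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def audit(props, today):
    """Return a list of findings; an empty list means no gap was detected."""
    findings = []
    sdk = props.get("ro.build.version.sdk", "")
    if not sdk.isdigit() or int(sdk) < MARSHMALLOW_SDK:
        findings.append("pre-Marshmallow or unknown API level")
    patch = props.get("ro.build.version.security_patch")
    try:
        age = (today - date.fromisoformat(patch)).days
    except (TypeError, ValueError):
        # Property missing (None) or not in YYYY-MM-DD form.
        findings.append("no parseable security patch level")
    else:
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"security patch level is {age} days old")
    # "green" means the boot chain verified against the OEM key; other
    # states indicate an unlocked bootloader, a custom key or a failure.
    if props.get("ro.boot.verifiedbootstate") != "green":
        findings.append("verified boot state is not green")
    if props.get("ro.crypto.state") != "encrypted":
        findings.append("user data is not reported as encrypted")
    return findings
```

On a real device, pass the text returned by `adb shell getprop` to `parse_getprop` and the current date to `audit`.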