Blackphone2 review (2)

This blog is normally in Danish, but since there are very few actual reviews of the Blackphone2 to be found, I decided to write this review in English.

First part of the review here.

So I've had my Blackphone2 for three weeks, and it is time to make up my mind.

Reading PDF files

I get the impression that Android is basically designed to not allow you any privacy.

You have to stay incredibly alert to not miss a single one of the omnipresent "Automatically put all your secrets in our cloud" checkboxes.

You want to read a PDF file ? Well, guess what: The registered app for that is Google Drive.

Not only that, but it sucks at it.

I've been leafing through the Bell Laboratories Record which I downloaded to the SD card.

After a couple of pages, a pop-up urges me to take the PDFs I've downloaded from the Internet and "save" them from my SD card to Google Drive.

I have done everything in my power to make it clear that I do not want that.

But after about 20 PDF files, the phone gets notably slower and warmer. After a couple more PDFs it dies and cold-boots.

I've found out by experiment that if I go into the app manager and clear all data from the Google Drive app, things return to normal.

After leafing through a December issue of BLR, that became a routine thing to do - which felt really 'retro' - like the 1960-1970 vintage 16-bit minicomputers, where stopping and starting programs had to be done with due attention to core fragmentation. But in 2016, on an 8-core, 1.7 GHz computer with 3 GB RAM ... really ?

The only rational explanation is that Google Drive is either buggy at CS-101 level, which I doubt, or more likely, slurping up data about my PDF reading, to dump into the cloud later, once I embrace the panopticon as my one true saviour.

For a regular Android phone I guess that could be considered par for the course.

But a "private by design" phone which does not let me read a document without being looked over the shoulder ? FAIL!

Root certificates

A root certificate is fundamentally a self-signed document: whoever holds its private key can issue a certificate for any name they like, and if you accept the root, you allow them to lie to you about pretty much anything and anybody on the net.

If you haven't already, you really want to go deep into the preferences of your browser and your OS (they likely keep separate lists) and audit which roots you trust.

There are a lot of root certificates installed on the Blackphone2 by default, we're literally talking 150-ish of the things.

They are all enabled by default, but you can disable them.

By opening each one individually, scrolling down, pressing "DISABLE", and then "OK".

There are at least 10 overt root certs from governments controlled by regimes I don't trust.

Here is the best and most deceptively named of them:

Really ?

Couldn't somebody have found just a single data field in all the X.509-gunk in the cert, which would give a little hint about which government ? (/C= anyone ?)
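The country field is in fact there in every subject, so the audit can be scripted rather than clicked through. The following is an added example, not code from the original post and not Silent Circle's or Android's own tooling: a standard-library Python script that reads a directory of PEM files (Android lays out its system root store that way under /system/etc/security/cacerts/, one file per root, named by OpenSSL subject hash), pulls the subject's C=, O= and CN= straight out of the DER with a minimal ASN.1 walker, and flags roots whose country code is on a deny list. The store path, the deny list and the sample "certificate" the script builds for itself are all assumptions; the sample is constructed, unsigned and is not a real root.

```python
"""Audit an Android-style root CA store by subject country and organisation.

Reads one PEM file per root (Android: /system/etc/security/cacerts/<hash>.0,
each followed by a plain-text dump), extracts the subject's C=, O= and CN=
with a minimal DER walker (standard library only) and flags roots whose
country is on the deny list.  The sample built by build_sample_cert() is
constructed for demonstration only and is not a real certificate.
"""
import base64
import os
import re
import sys

# DER-encoded OID bodies of the X.520 attributes reported here: 2.5.4.6, 2.5.4.10, 2.5.4.3
ATTR_OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def decode_string(tag, raw):
    """BMPString is UTF-16BE; PrintableString/UTF8String/IA5String decode as UTF-8."""
    return raw.decode("utf-16-be") if tag == 0x1E else raw.decode("utf-8", "replace")

def subject_attrs(der_bytes):
    """Return {'C': .., 'O': .., 'CN': ..} (those present) from the certificate subject."""
    _, cert, _ = read_tlv(der_bytes, 0)     # Certificate ::= SEQUENCE
    tbs = next(children(cert))[1]           # tbsCertificate ::= SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version (absent in v1 certs)
        fields = fields[1:]
    subject = fields[4][1]                  # serial, sigAlg, issuer, validity, subject, ...
    attrs = {}
    for _, rdn in children(subject):        # RelativeDistinguishedName ::= SET
        for _, atv in children(rdn):        # AttributeTypeAndValue ::= SEQUENCE { OID, value }
            (_, oid), (vtag, val) = list(children(atv))[:2]
            if oid in ATTR_OIDS:
                attrs[ATTR_OIDS[oid]] = decode_string(vtag, val)
    return attrs

def audit_pem(pem_bytes, deny_countries):
    """Parse one PEM file; add 'flagged' when its subject country is on the deny list."""
    m = PEM_RE.search(pem_bytes)
    if not m:
        raise ValueError("no PEM certificate found")
    attrs = subject_attrs(base64.b64decode(b"".join(m.group(1).split())))
    attrs["flagged"] = attrs.get("C", "??") in deny_countries
    return attrs

def audit_dir(path, deny_countries):
    """Audit every file in a cacerts directory; returns {filename: attrs}."""
    results = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "rb") as f:
            results[name] = audit_pem(f.read(), deny_countries)
    return results

def der(tag, payload):
    """Minimal definite-length DER encoder, only used to build the sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample_cert(c, o, cn):
    """Constructed, unsigned stand-in for a root (example data only, not a real CA)."""
    def name():
        atvs = [(b"\x55\x04\x06", 0x13, c), (b"\x55\x04\x0a", 0x0C, o), (b"\x55\x04\x03", 0x0C, cn)]
        return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, oid) + der(t, v.encode()))) for oid, t, v in atvs))
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))  # sha256WithRSA
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name()
              + der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"360101000000Z"))
              + name() + der(0x30, b""))    # subjectPublicKeyInfo left empty: nothing verifies it
    cert = der(0x30, tbs + sig_alg + der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Assumed usage: adb pull /system/etc/security/cacerts ./cacerts ; python audit_cacerts.py ./cacerts XX YY
    store = sys.argv[1] if len(sys.argv) > 1 else "/system/etc/security/cacerts"
    for fname, a in audit_dir(store, set(sys.argv[2:])).items():
        print("%s %-3s %-40s %s" % ("!!" if a["flagged"] else "  ", a.get("C", "??"), a.get("O", ""), fname))
```

The walker only reads the subject, so it deliberately does not care about signatures or key types; it answers the one question raised above, namely which country each root claims, and lists the organisation beside it so that "deceptively named" roots stand out by their C= rather than by their CN=.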

Ohh, and once you've gone through and disabled all the root-certs you don't trust in the owner-space, guess what does not happen when you create another space ?

Bingo! You get to disable every single bloody single one of them, in every single bloody space you create.

150+ Fail!

I could go on, but this was sufficient for me to reach the conclusion:

Not Private By Design

Silent Circle prominently markets the Blackphone2 as "private by design".

It isn't - not even close.

They've glued some pieces onto Android - which itself seems designed to minimize your privacy - at least with respect to Google.

I have tried a couple of times to start with a factory reset, and not allow the phone any connectivity until I had gone through all the menus and settings I could find and configured the phone for maximum privacy, but each time I've found out some time later that I had overlooked something, somewhere in an obscure corner.

I'm not an Android specialist, so I'm not going to say that it is patently impossible to get acceptable privacy on a Blackphone2 by configuring it correctly.

But 30+ years of systems programming and security experience are clearly not enough.

What went wrong ?

Speaking with my Inventor of Jails hat on, the fundamental problem seems to be that the root jail, the "owner space", is a fully fledged Android, loaded up with the full "Google Wants To Be 100% Part Of Your Life™" package, with no tuning or adaptation to turn the Google-Loving down a notch or two.

The moment you enter your Google password, you have an excellent chance of overlooking that all your passwords will be "kept safe" by Google going forward.

I don't know if this is Silent Circle's marketing insisting that the "learning curve must be low" or part and parcel of how one licenses Android from Google; it could be either, or both. But the net result is that the Blackphone2 does not easily get you privacy from the world's largest advertising-funded panopticon.

If you're OK with that, then fine, but if, like me, you don't want to, or for contractual reasons cannot, allow Google to sniff around in all your passwords, data and communications, then the Blackphone2 is just another untrustworthy computing device.

Conclusion

All that doesn't mean that the Blackphone2 is without merit.

The display is gorgeous, the camera seems OK, and the "spaces" are, like all jail-concepts, a strong and conceptually simple security metaphor, in particular in divided-authority scenarios.

If your ambition is to avoid employees installing Dropbox AutoSync onto the company VPN, or conversely, if you don't want the company to see the contents of, or wipe, your private phone when you leave their employ, then the Blackphone2 with its spaces (or something similar) is the right way to think.

I have not tried the cloud services offered by Silent Circle, so I cannot say if they swing the balance either way.

But in no way, shape or form can the Blackphone2 live up to "private by design".

phk

PS: My best shot at the start of a HOWTO for privacy

  • Go through the welcome dialogs without establishing network connectivity.
  • Go into the space manager (grey icon bottom right)
  • Set Privacy level to "deny all"
  • Under Screen Lock, select PIN, then enable PIN for encryption on startup.
  • In the Space section, enable "Lock Spaces on entry"
  • In the Apps section, go through each and every one and rip permissions away.
  • Disable all the untrustworthy root certs in the Settings::Security app
  • Never log into google from the Owner Space.
  • Never use the Owner space for anything but managing other spaces.
  • Now make a personal space and use that as your phone.
Poul-Henning is a freelance systems programmer, kernel coder, Varnish author, data archaeologist and grumbler without a particular portfolio.

Comments (34)

lars christoffersen

So either you trust Apple not to sell your information and keep it secret, or you don't have a phone?
I can't really understand this. Android and Dalvik/ART are all open source, and I have been blown away by a lot of people who claim it to be so safe and free because of that. Clearly that is not the case, and all Google does is fake you into believing it and using their services, gaming on the fact that very few people actually have the knowledge and time to check the software out?
I would have thought Blackphone had used this opportunity to change the software to be private? Or is that just too daunting a task for a small company?
Seen from a business perspective I trust Apple the most. They make so much money on very expensive hardware that they have no interest in using your data; on the contrary, they now use that as a marketing tool. I mean that is a clear cut deal. We take your money, you can only use apps from our App Store, etc. In return your data are private (unless you use FB, or Google Apps and don't turn off the snooping)

Michael Eriksen

I run around with a general purpose computer in my pocket, but I don't use it for any information which isn't 100% public.

Let me get this right: You use a vintage Nokia (or similar) featurephone as a modem for a pocket-PC probably running *BSD. That should enable running an SSH tunnel home to your 24/7 home server. Right? Just leaves one question: Which pocket-PC?

Martin Bøgelund

So either you trust Apple not to sell your information and keep it secret, or you don't have a phone?

Well, that's apparently the scary fact of life now; either you share your information with $BigSnoopingCompany, or you don't have a smartphone at all.

And I really would dislike it if PHK's tremendous work here is simply used for parading personal ideas about "iPhone is more private than Android", or the like. This is not the lesson here, at least not if you're serious about privacy.

What I take away from this review (and I seriously was considering buying a Blackphone), is that privacy isn't an option on today's smartphone market. Period. Even phones bragging about being "private by design" are configured in a way, that will have you struggling for obtaining the promised privacy - if it's obtainable at all!

The push for Google/Apple/MS/whoever to trap the users in an application silo with "seamless integration", and strip them of valuable private data to "optimize the user experience" is massive, and neither is an option if you want to keep things private. But the vast majority of users ignore this fact, or just don't care.

A thin layer of privacy gloss over the offered smartphone operating system (Android, iOS, etc) isn't going to cut it for the privacy aware user. And that's basically it - take it or leave it.

lars christoffersen

A thin layer of privacy gloss over the offered smartphone operating system (Android, iOS, etc) isn't going to cut it for the privacy aware user. And that's basically it - take it or leave it.


I see what you mean. I still think there is a difference though. Google is making a living from your data, Apple and Microsoft (I suppose) are not! So even though Apple probably could access your data, they don't (they claim they can't for personal data). Google do! Further, Apple and to some extent Microsoft have done a much better job of keeping your device up to date security wise. 90% of android devices are running with known exploits open, as Samsung, HTC, Sony, etc don't give a damn about upgrading old versions. To put it briefly, I am more comfortable using mobile banking from an iOS device than from any android device! Of 3 evils, I choose the lesser evil :-)

Poul-Henning Kamp Blogger

Further, Apple and to some extent Microsoft have done a much better job of keeping your device up to date security wise. 90% of android devices are running with known exploits open

100% in agreement there.

This is one of the better arguments for the blackphone2: Silent Circle promises to keep it updated, and so far I've received more updates on the bp2 in three weeks than my 3+ year old HTC ever did.

But the fact that I cannot trust the device to begin with, makes this less important.

Poul-Henning Kamp Blogger

But I don't see any body claiming apple to be in the data brokering business.

Based on network traces I have seen, Apple do collect a lot of information.

The fact that they currently have more profitable ventures than selling that information is not "privacy".

And companies change business models all the time.

Google wasn't in the panopticon business when they started.

lars christoffersen

But the fact that I cannot trust the device to begin with, makes this less important.


The real underlying problem is that governments, instead of using their power to protect us and make some good legislation in this area, have done the exact opposite. I think this can only be solved politically by laws that protect us from the likes of Google, Microsoft, Apple, etc. It is NOT ok, that I as a normal consumer, should worry if my privacy is exploited or not, by using a computer, smartphone, or whatever!

Poul-Henning Kamp Blogger

I think this can only be solved politically by laws that protect us from the likes of Google, Microsoft, Apple, etc.

Without a human right to privacy, privacy will be incredibly hard to obtain, and currently the political process is moving the exact opposite direction pretty much everywhere (with Iceland as the possible exception.)

Changing the political climate on this would require a major grass-roots effort, and that again means you have to get the youth fired up about this.

I don't see that happening anywhere.

Martin Bøgelund

Google is making a living from your data, Apple and Microsoft (I suppose) are not!

Remember it isn't just about what MS and Apple do.
- Being US based companies, they must follow US law, and can be forced to hand over any data to the US government.
- Also remember, MS is trying hard to get into the advertising market through their search engine - they strive to take away precious market share from Google, so right now they might make a big point out of saying "we don't sell your data", but that's easy as long as their puny market share keeps the value of their collected data low - if the size of their collected data increases, so does the value, and a push from shareholders could force MS to cash in on that value, if it gets high enough.
- Apple and MS can be taken over by or sold to other companies, who might have a different approach, or they might sell some divisions of their operation, causing user data to float into another company.
- Then there's apps - apps can harvest behavioral data, and these apps are not necessarily controlled by Apple or MS, making Apple's and MS's behavior irrelevant in this discussion. One of the key selling points of the Blackphone is that you can cut apps' access to your phone pretty tight.

lars christoffersen

Yes.


Hmm, so you did not read the link?
<snippet>
In 1994 — the same year the Highlands Forum was founded under the stewardship of the Office of the Secretary of Defense, the ONA, and DARPA — two young PhD students at Stanford University, Sergey Brin and Larry Page, made their breakthrough on the first automated web crawling and page ranking application. That application remains the core component of what eventually became Google’s search service. Brin and Page had performed their work with funding from the Digital Library Initiative (DLI), a multi-agency programme of the National Science Foundation (NSF), NASA and DARPA.
But that’s just one side of the story.
Throughout the development of the search engine, Sergey Brin reported regularly and directly to two people who were not Stanford faculty at all: Dr. Bhavani Thuraisingham and Dr. Rick Steinheiser. Both were representatives of a sensitive US intelligence community research programme on information security and data-mining.
</snippet>

lars christoffersen

  • Apple and MS can be taken over by or sold to other companies, who might have a different approach, or they might sell some divisions of their operation, causing user data to float into another company.


Absolutely (although the chance of anybody cashing out US$ 700 billion for Apple is a bit remote) and I absolutely acknowledge that you don't have privacy per se. I just consider Apple the least evil option right now. I might be wrong in that, in the end it is a subjective evaluation by me.

Thomas Løcke

I wonder whether it might be easier/possible to get some form of privacy with a Jolla smartphone?

At first glance Sailfish OS seems a bit more "tweakable" for those who can be bothered.

Does anyone here have experience with it?

And thanks for the review. I was close to burning money on a Blackphone. That project has now been laid to rest.

Søren Løvborg

It sounds like Blackphone compromised its security gains for the benefit of usability by including Google apps. And honestly, you may get away with letting Google build your house, but you won't get any privacy if you let them stay in your home afterwards.

For comparison, I'm currently running CyanogenMod on a rooted Nexus 5 without Google apps. It's hardly secure (e.g. it has the same list of 150 more or less dubious CAs) but at least Google is nowhere to be seen, and I have basic protections like Privacy Guard and the AFWall+ firewall, which help to re-enable the original Android "jail" mechanism of isolated apps. Still doesn't mean that a malicious app couldn't wreak havoc... Fortunately, the selection is limited. ;)

Søren Løvborg

One thing that is painfully obvious is that Android (that is, the thing people think of as Android) is not open source. It's at best "open core", with Google moving increasing amounts of functionality from the Android Open Source Project into closed source Google apps.

Since I have no Google account, and the phone is not registered with Google, I obviously cannot use Google Play store, though I can use various semi-shady sites to obtain free apps from the store, e.g. Rejseplanen. F-droid gives me basics like Firefox (for now, at least), VLC, Document Viewer and PocketMaps. But cutting the Google umbilical cord means that security updates are shaky, and so is the GPS. (Modern smartphones rely on augmented GPS a great deal for optimal GPS operation. There are alternatives to Google though, e.g. Mozilla.)

Apps like Swipp and MobilePay are unavailable: Both apps send your financial data via the Google mothership. At this rate, Jolla might soon have a larger app ecosystem than an "unsupervised" Android phone.

So, yeah... Android is out, from a privacy perspective. So is iOS (at least I can install an app without informing the manufacturer). FirefoxOS to the rescue? ;P

Henrik Hansen

Based on network traces I have seen, Apple do collect a lot of information.

It's kind of hard to see what information though. A while ago I created a special rule for communication to/from 17.0.0.0/8 in iptables on my home-network. On an average day, with 3 AppleTV's, 2 iPhones, 2 iPads and 1 TimeCapsule, approx. 170 Mbyte of data was transferred to and from Apple's network (excluding App-updates)...

Mikkel Mikjær

Could one build a business on supplying free and safe software for phones?

Maybe a foundation that writes (and releases under some kind of liberal and free license) the software, and a business side that installs the software onto phones and sells it to regular people and companies, and leaves the hacking to people who enjoy this?

Jesper Mørch

You know, it is possible to disable apps on most Android-based devices, though you still have to rely on the Google/Android ecosystem, and trust the device, when it claims that a certain app is disabled.

It IS however possible to build an Android version for any device, which offers Android support to the hardware.

Alternatively one will have to use any electronic device keeping in mind that privacy IS broken. This will move privacy from your device to your mind ...

Sometimes I wonder, if the Cold War really ever ended

Martin Schlander

Jolla/SailfishOS might still have some lack of crypto support, except the fundamental GNU/Linux tools of course. And they also don't have tools to control what stuff applications can access etc., except of course you may be able to do something with SELinux or similar, but I don't think it'd be easy.

But they certainly don't have all the default apps spying on your every move by default. And they have plans for a "security" version of SailfishOS partnering with SSH Communications:
https://cdn.jolla.com/wp-content/uploads/bsk-pdf-manager/49_PRESS_RELEAS...

But unless people start putting their money where their mouths are, soon we might not have Jolla/SailfishOS - or any other privacy respecting, FOSS'ish mobile OS alternative to Android or iOS. Jolla recently almost went bankrupt but got saved by investors.

FirefoxOS got discontinued for phones, and if I'm not mistaken Blackberry are moving to Android in 2016. So the alternatives to the duopoly (oligopoly if you want to give MS that much credit) are running out fast.

Jolla/SailfishOS is not perfect (yet) on many levels, but it's still great, and it's our best long-term bet for a decent mobile OS imho.

Sven Waskönig

@Thomas Løcke (and anyone else):

You need to know more than the average mobile user if you want to tweak a Jolla. That doesn't say much of course, but I have a feeling you know how to use a Linux-style shell, and exactly such a shell appears as an app when you enable "developer mode" on a Jolla. You can then log into it via SSH with a password that is set afresh every time you enable developer mode.

There has been / is some debate about encrypting the phone, e.g.: https://together.jolla.com/question/2158/optional-encryption-of-the-device/

At present it isn't implemented, but one of the users described a hack.

I know too little to say whether Sailfish OS is more or less secure than Android, iOS, Windows or something else entirely. My guess is that it is generally about the same. But I feel fairly confident that Jolla doesn't have its nose in your personal data; partly because it isn't their business model, partly because I think the company is too small to handle that massive amount of information.
I was positively surprised when I got my Jolla: it comes with a minimum of preinstalled apps; there is no clock, calendar, calculator or maps. Even the Android support has to be installed. That is easy, though, as they are just apps that are added via the Jolla store.

On the minus side, it should be mentioned that you cannot control per app what private things it gets access to, such as location, camera, microphone, contacts etc. Android has an advantage there, BUT how useful is that tool really, when practically all Android apps demand access to something personal? The thing is, you can of course always argue that, say, a barcode-reading app needs the camera, but we have no idea whether that app might activate the camera without our knowledge. Yes, yes, I know: the tinfoil hat just came out again. But I find it reassuring that when you close an app in Jolla, it doesn't just keep running in the background, as I have experienced on my Android.

In general I think it is sound common sense to only install the apps you really need and keep it to a minimum. Drop the Facebook app if you can make do with a browser; we don't know what information the app collects. I haven't installed Android support on my Jolla either; I don't need it. So far I can "make do" with the apps I can find in the Jolla store, even though the selection is thin compared to Google Play.

Furthermore, I agree with Martin Schlander: if you care about privacy and security, you have to give the incumbents some competition. Partly when it comes to having their nose in our private lives, partly when it comes to OS updates, which for f... should never have been an issue! (At present I only see iOS, CyanogenMod, Sailfish OS and Ubuntu Touch updating device-independently.)

PS: a nice little overview:
https://en.wikipedia.org/wiki/Comparison_of_mobile_operating_systems
