Blackphone2 review (3)
This blog is normally in Danish, but since there are very few actual reviews of the Blackphone2 to be found, I decided to write this review in English.
One of my friends read my Blackphone2 review and asked incredulously: "But what did you expect?"
He and I go back a long time: we are old enough to know why you "dial a number" and "hang up" when you're done, and we have both worked with computer security in many different settings, so he clearly didn't expect much.
I guess I expected that a privacy-focused product, produced and marketed post-Snowden, would stand on the shoulders of former giants, and build on our 50+ years of experience, but now that he made me step back and look at it, that is clearly not the case.
Give me a place to stand...
If you want to build something secure and private, you start with a trustworthy and impenetrable nucleus where nothing is allowed or trusted until the owner specifically and explicitly enables or trusts it.
No network connectivity, no bluetooth, no microphone, no camera.
No default root-certificates.
No apps except the absolute minimal set required to administrate the other spaces on the phone.
Now that we have a place to stand, we can create and destroy other security domains, call them spaces if you want to, with lower or maybe just different security policies.
The Blackphone2 does it the wrong way around: You start out with a fully contaminated Android environment, and there is no realistic way to turn that into a trusted platform.
Particularly not when there are tons of applications you cannot delete, and they don't even tell you what they do or why you are not allowed to delete, or even just disable, them.
What the heck is "com.qualcomm.qcrilmsgtunnel" and why does it have Chernobyl permissions to everything including "add voicemail"?
Security settings should be subsetable
Security and privacy are prescriptive: You define your model, you implement it, you audit your implementation against the model.
To make this practically manageable, almost everybody, everywhere, who designs security and privacy controls creates a hierarchy of security domains, with policies inherited downwards.
There is no trace of this on the Blackphone2. Every time you create a space, it gets created from the full monty, and you go directly back to Start and do not collect $200.
It's actually worse than that, but this may merely be a bug in their implementation: If you disable an app in the Owner space on the BP2, it will still be present and enabled in any User spaces you create, but the Owner space can no longer administrate it or limit its permissions.
As a minimum it should be possible to create template spaces, spend the time to get their security set up right, and then create the actual to-be-used spaces by cloning a template.
Entry/Exit control for all domains
For each security domain, it should be possible to control all I/O.
It should be possible to create a space that does not even know that the hardware platform has internet connectivity, BlueTooth, camera, microphone, GPS and so on.
What little the BP2 has of this is very incomplete, very tangled and surprising to use. For instance, BlueTooth has to be enabled in the Owner space for it to work in any other space.
There is not even something as simple as a per-space "Flight Mode" - Obviously in addition to the "real" hardware-wide Flight Mode.
Logfiles, Audit facilities and Alarms
There are no logfiles anywhere I can find. Whatever happens leaves no trace behind for me to examine.
The only way to audit the security is to wear the fingerprint off your index finger, and go through each and every bloody tab, screen, menu and app to hunt down every single control and make sure it is in the right position.
Even if you wrote the check list for that, it would be frustrating because of secret or buggy short-circuits. For instance changing the PIN code for the disk-encryption disabled the "Shuffle PIN code pad" setting.
It can be argued that there is a hint of alarms, if you set permissions to "Ask", but as fig-leaves go, it is a small one, because there is no permanent record of these "alarms".
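The two sections above argue for a default-deny nucleus, spaces whose policies can only be subsets of their parent's, template cloning, downward propagation of revocations, a per-space flight mode and a permanent audit trail. The following is an added toy model of those principles, written for this review and not code from the Blackphone2 or Silent Circle; the capability names, the `Platform`/`Domain` classes and the scenario in `demo()` are all constructed for illustration.

```python
# Constructed model of hierarchical security domains ("spaces").
# Not Blackphone2 code: class names, capability names and the scenario are invented.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hardware I/O the platform could expose. Constructed list for the model.
ALL_IO = frozenset({"network", "bluetooth", "microphone", "camera", "gps"})


class PolicyError(Exception):
    """Raised when an operation would widen a domain beyond its parent."""


@dataclass
class Domain:
    name: str
    parent: Optional[Domain] = None
    capabilities: Set[str] = field(default_factory=set)   # empty set == default-deny
    children: Dict[str, Domain] = field(default_factory=dict)

    def knows(self, io: str) -> bool:
        """A space only 'knows' about hardware that has been granted to it."""
        return io in self.capabilities


class Platform:
    """Owns the nucleus, enforces subsetting, and keeps an append-only audit log."""

    def __init__(self) -> None:
        self.nucleus = Domain("nucleus")      # nothing enabled, nothing trusted
        self.audit: List[str] = []

    def _log(self, event: str) -> None:
        # Sequence-numbered so gaps or reordering would be visible on review.
        self.audit.append(f"{len(self.audit):04d} {event}")

    def create(self, parent: Optional[Domain], name: str) -> Domain:
        if parent is None:
            raise PolicyError("every space must hang below the nucleus")
        d = Domain(name, parent)               # starts from nothing, not "the full monty"
        parent.children[name] = d
        self._log(f"create {name} under {parent.name}")
        return d

    def grant(self, domain: Domain, io: str) -> None:
        if io not in ALL_IO:
            raise PolicyError(f"unknown capability {io}")
        # Only the nucleus may be widened, by the owner's explicit act; every
        # other domain is bounded by what its parent already has.
        if domain.parent is not None and not domain.parent.knows(io):
            raise PolicyError(f"{domain.name}: parent {domain.parent.name} lacks {io}")
        domain.capabilities.add(io)
        self._log(f"grant {io} to {domain.name}")

    def revoke(self, domain: Domain, io: str) -> None:
        """Revocation propagates downwards so no child keeps what its parent lost."""
        if io in domain.capabilities:
            domain.capabilities.discard(io)
            self._log(f"revoke {io} from {domain.name}")
        for child in domain.children.values():
            self.revoke(child, io)

    def clone(self, template: Domain, name: str) -> Domain:
        """Create a sibling of the template carrying an identical, pre-audited policy."""
        d = self.create(template.parent, name)
        d.capabilities = set(template.capabilities)
        self._log(f"clone {template.name} -> {name}")
        return d

    def flight_mode(self, domain: Domain) -> None:
        """Per-space flight mode: drop the radios for this domain and its children only."""
        for io in ("network", "bluetooth"):
            self.revoke(domain, io)


def demo() -> dict:
    """Walk through the scenario the review criticises and return the outcome."""
    p = Platform()
    for io in ("network", "bluetooth", "microphone"):
        p.grant(p.nucleus, io)               # owner explicitly enables hardware
    template = p.create(p.nucleus, "work-template")
    p.grant(template, "network")
    p.grant(template, "microphone")
    work = p.clone(template, "work")         # real space created from the template
    try:
        p.grant(work, "camera")              # camera was never enabled in the nucleus
        widened = True
    except PolicyError:
        widened = False
    p.revoke(p.nucleus, "bluetooth")         # disabling at the top reaches every space
    p.flight_mode(work)                      # radios off for "work" alone
    return {
        "work_caps": sorted(work.capabilities),
        "template_caps": sorted(template.capabilities),
        "widened": widened,
        "audit_entries": len(p.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the rules, not the data structure: a child can never hold a capability its parent lacks, a revocation at any level is visible in the log and in every descendant, and a space's existence and policy are things the owner can read back rather than hunt down screen by screen.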
For real privacy, the existence of security domains should not be revealed until the user presents credentials indicating need to know.
Some people think this amounts to "Plausible Deniability" but that would be a mistake. (See: GBDE - Geom based Disk Encryption section 1-4).
The real point is to not tempt anybody who accidentally comes into contact with the device.
In the classical "I lost my device" scenario, the pocket-thief should never be presented with a list of protected things which could invite extortion, or attempts to find an interested party to sell the secrets to.
The Blackphone2 should only show a user-selected identification string ("Please call ##-##-##-## if found") and a (randomized) PIN pad.
If you know the correct PIN, that space opens; if not, you won't even learn which spaces there are to open in the first place.
The only thing that has the faintest whiff of this on the BP2 is that you never know which PIN code it is asking for, or for that matter which PIN code you are changing. I consider that a bug.
Done with the Blackphone2
This was the last installment in this review.
Silent Circle's marketing slogans "Private by Design" etc. are almost totally without substance and spring from a very comprehensive ignorance about fundamental principles of computer security.
I fear that we might be dealing with another "lost generation" here.
When the Dot-Com thing happened, the IT business grew by a factor of 1000 in head-count. Every eloped tram-driver, highschool nerd or butcher was suddenly a "web-programmer", and whatever professional methods, wisdom, skills or tools the computing business had built over 40 years got diluted to nothing and forgotten.
The IT people of the dot-com generation could not imagine that they could learn anything from "old mainframes" etc. and they will boast of the "inventions" made in "their time".
Version Control, Agile Development etc. All these smart things that didn't exist at all in the previous 50 years of computing.
I suspect we may be suffering from a new lost "smartphone-app" generation, people for whom the above security design principles are totally alien, because they were not mentioned in whatever book about App-writing they started their career on.
Those who don't learn from history, are doomed to repeat it.
I have had no communication with Silent Circle as part of this review, and I have paid full retail price for the BP2 I used for the review.