Can you make a secure Android phone? I think you can.

by Volker Weber


Not too long ago, when you were a BlackBerry fan, then Android was the enemy. A big pile of code, quickly hobbled together, with loads of security issues. Never in your life would you deploy this PoS in your enterprise.

Then BlackBerry launched an Android Phone.

I understand why BlackBerry needs a popular platform. But how do they make Android secure? The only thing I got to was "security is in our pedigree" b/s. I had to cut deeper. I tried to go through PR but they could not get anybody to meet with me. I asked a few people I know within the company, but they would not know enough.

All of this changed last week. I met with BlackBerry CISO David Kleidermacher, then with his direct report Alex Manea, who finally got me in touch with the Principal Architect. No, I will not reveal his name. But he was able to make me understand.

I worked this understanding into an article that will most likely be published next week in c't 17. Please bear with me while I wait until you bought this magazine. I promise I will explain things later.

The bottom line is: can you make Android as secure as BlackBerry 10? And the anwer is: yes, you can. You leave the user bits and pieces alone. The user only sees a familiar Android phone. But you change the fundamentals in a big way.

It's like vaccination. You expect to get sick and you deal with it before it happens. A vulnerability does not mean that you have an exploit. And when you were able to build this exploit, it might infect all Android devices, but not the one that has additional defenses.

There are Anti-Vaxxers out there. "If I cannot root this phone, I don't want it". Well, good luck, dummy. If you can root your phone, so can others. People who are way smarter than you will ever be. I am only waiting for this big malware that is going to wipe out most of Android. Not all of it though. Not all of it.


I wouldn't call someone who prefers to run a rooted Smartphone "dummy". These people have their reasons, most of them are fully aware of the security risk and they decided to accept it. That doesn't mean that they're stupid.
A Smartphone that you as an enduser cannot root might be more secure (depending on the usage pattern). But it will never be invulnerable, no matter how much of the fundamentals you change.

Erik Schwalb, 2016-07-29

Right. You can ride your bike without protective gear and helmet, being fully aware of the security risk and accepting it. And you look kinda cool, until you hit the tarmac.

Volker Weber, 2016-07-29

... and start complaining how you did not know and how this is possible.

Hubert Stettner, 2016-07-29

I fully agree.
When you ask people, why they buy Android phones from manufacturers that are known for updating their devices for just a short period, they say that security isn't important to them. There is no confidential data stored on the phone.
So even there is no other confidential data stored on it, they assume that the login data for their different accounts does not need to be protected. Really?
And if the device gets bricked by malware?

I'm waiting for the big Android malware too.

And if i will ever buy an Android smartphone, it will be a Blackberry.

Manfred Wiktorin, 2016-07-29

Manfred, full ack. I hope / think that there might be a flagship down the road.

Hubert Stettner, 2016-07-29

Do you think there is a chance that we will see an Android tablet from Blackberry with all the security features?

Manfred Wiktorin, 2016-07-30

Unlikely. There is no money to be made with Android tablets.

Volker Weber, 2016-07-30

For the enterprise having regulary and the latest security patches on Android is the first step. Also important is to evaluate the patch level in compliance rules: e.g. only devices with a security patch level not older than ... should be able to access corporate assets. The API to read the security patch level was indroduced with Marshmallow.

What are your experiences to have support for this particular API in device management / app management only (BYOD) operation modes with the different EMM solutions?

Peter Meuser, 2016-07-31

Old archive pages

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.


Paypal vowe