Can you make a secure Android phone? I think you can.

by Volker Weber


Not too long ago, if you were a BlackBerry fan, Android was the enemy. A big pile of code, quickly cobbled together, with loads of security issues. Never in your life would you deploy this PoS in your enterprise.

Then BlackBerry launched an Android Phone.

I understand why BlackBerry needs a popular platform. But how do they make Android secure? The only answer I got was the "security is in our pedigree" b/s. I had to cut deeper. I tried to go through PR, but they could not get anybody to meet with me. I asked a few people I know within the company, but they did not know enough.

All of this changed last week. I met with BlackBerry CISO David Kleidermacher, then with his direct report Alex Manea, who finally got me in touch with the Principal Architect. No, I will not reveal his name. But he was able to make me understand.

I worked this understanding into an article that will most likely be published next week in c't 17. Please bear with me while I wait until you have bought this magazine. I promise I will explain things later.

The bottom line is: can you make Android as secure as BlackBerry 10? And the answer is: yes, you can. You leave the user-facing bits and pieces alone. The user only sees a familiar Android phone. But you change the fundamentals in a big way.

It's like vaccination. You expect to get sick and you deal with it before it happens. A vulnerability does not mean that you have an exploit. And even if someone were able to build this exploit, it might infect all Android devices, but not the one that has additional defenses.

There are Anti-Vaxxers out there. "If I cannot root this phone, I don't want it". Well, good luck, dummy. If you can root your phone, so can others. People who are way smarter than you will ever be. I am only waiting for this big malware that is going to wipe out most of Android. Not all of it though. Not all of it.

Comments

I wouldn't call someone who prefers to run a rooted Smartphone "dummy". These people have their reasons, most of them are fully aware of the security risk and they decided to accept it. That doesn't mean that they're stupid.
A Smartphone that you as an end user cannot root might be more secure (depending on the usage pattern). But it will never be invulnerable, no matter how much of the fundamentals you change.

Erik Schwalb, 2016-07-29

Right. You can ride your bike without protective gear and helmet, being fully aware of the security risk and accepting it. And you look kinda cool, until you hit the tarmac.

Volker Weber, 2016-07-29

... and start complaining how you did not know and how this is possible.

Hubert Stettner, 2016-07-29

I fully agree.
When you ask people why they buy Android phones from manufacturers that are known for updating their devices for just a short period, they say that security isn't important to them. There is no confidential data stored on the phone.
So even if there is no other confidential data stored on it, they assume that the login data for their different accounts does not need to be protected. Really?
And if the device gets bricked by malware?

I'm waiting for the big Android malware too.

And if I ever buy an Android smartphone, it will be a Blackberry.

Manfred Wiktorin, 2016-07-29

Manfred, full ack. I hope / think that there might be a flagship down the road.

Hubert Stettner, 2016-07-29

@vowe
Do you think there is a chance that we will see an Android tablet from Blackberry with all the security features?

Manfred Wiktorin, 2016-07-30

Unlikely. There is no money to be made with Android tablets.

Volker Weber, 2016-07-30

For the enterprise, having regular and the latest security patches on Android is the first step. Also important is to evaluate the patch level in compliance rules: e.g. only devices with a security patch level not older than ... should be able to access corporate assets. The API to read the security patch level was introduced with Marshmallow.

What are your experiences to have support for this particular API in device management / app management only (BYOD) operation modes with the different EMM solutions?

Peter Meuser, 2016-07-31
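The compliance rule Peter describes, written out as an added example (not code from the post or from any EMM product): the device agent reports the value of `android.os.Build.VERSION.SECURITY_PATCH` (available since Android 6.0, API 23, formatted `YYYY-MM-DD`), and a server-side policy check rejects devices whose patch level is missing, malformed, implausible, or older than a threshold. The 90-day threshold and the device inventory records are constructed for this example.

```python
"""Android security patch level compliance check, as an EMM server might run it.

Added example, not from the original post. The patch level string is what a
device agent would read from android.os.Build.VERSION.SECURITY_PATCH
(Android 6.0 / API 23 and later), formatted YYYY-MM-DD. The threshold and
the inventory records below are constructed for illustration.
"""

from datetime import date, datetime
from typing import Optional, Tuple

MAX_PATCH_AGE_DAYS = 90  # policy threshold; an assumption for this example


def parse_patch_level(value: Optional[str]) -> Optional[date]:
    """Parse a SECURITY_PATCH string; return None if absent or malformed."""
    if not value:
        return None
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def evaluate_device(record: dict, today: date,
                    max_age_days: int = MAX_PATCH_AGE_DAYS) -> Tuple[bool, str]:
    """Return (compliant, reason) for one device inventory record."""
    sdk = record.get("sdk_int", 0)
    if sdk < 23:
        # Pre-Marshmallow devices cannot report a patch level at all,
        # so the policy cannot be evaluated and the device is rejected.
        return False, "no patch level API (SDK < 23)"
    patch = parse_patch_level(record.get("security_patch"))
    if patch is None:
        return False, "missing or malformed patch level"
    if patch > today:
        # A patch date in the future cannot be trusted; treat as non-compliant.
        return False, f"patch level {patch.isoformat()} is in the future"
    age = (today - patch).days
    if age > max_age_days:
        return False, f"patch level {age} days old (limit {max_age_days})"
    return True, f"patch level {age} days old"


def compliant_devices(inventory, today: date,
                      max_age_days: int = MAX_PATCH_AGE_DAYS):
    """IDs of the devices that may access corporate assets under the policy."""
    return [r["id"] for r in inventory
            if evaluate_device(r, today, max_age_days)[0]]


# Constructed sample inventory, as a device agent might report it.
SAMPLE_INVENTORY = [
    {"id": "dev-1", "sdk_int": 23, "security_patch": "2016-07-05"},  # recent
    {"id": "dev-2", "sdk_int": 23, "security_patch": "2016-03-01"},  # too old
    {"id": "dev-3", "sdk_int": 22, "security_patch": None},          # no API
    {"id": "dev-4", "sdk_int": 24, "security_patch": "2017-01-01"},  # future
    {"id": "dev-5", "sdk_int": 23, "security_patch": "July 2016"},   # malformed
]

if __name__ == "__main__":
    today = date(2016, 7, 31)
    for r in SAMPLE_INVENTORY:
        ok, why = evaluate_device(r, today)
        print(f"{r['id']}: {'compliant' if ok else 'NON-COMPLIANT'} ({why})")
```

Evaluated on 2016-07-31, only `dev-1` passes. Rejecting devices that cannot report a patch level at all is deliberate: a rule that silently skips pre-Marshmallow devices would grant the oldest, least patched phones the freest access.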
