Since the release of the BlackBerry Priv, articles have been appearing across the internet debating just how hardened BlackBerry's Android offering really is when it comes to security and privacy. The most notable was an interview with Daniel Micay of Toronto-based security firm Copperhead, who claimed that 'Nexus phones are more secure than the BlackBerry Priv because Android 6.0 offers some security improvements over 5.1.1'.
Now, as part of the Priv security and privacy blog series, BlackBerry Chief Security Officer David Kleidermacher has taken to the Inside BlackBerry Blog to explain further why BlackBerry's Android is best for security and privacy. He seemingly addresses those debates without pointing any fingers, sticking instead to the technical details of BlackBerry's solutions:
PRIV initially shipped with Android Lollipop (L) 5.1.1. Google has released Android 6 Marshmallow (M) to device makers, and BlackBerry is in the process of integrating the new release. Marshmallow adds a number of security enhancements. However, when it comes to "hardening" Android, BlackBerry's special sauce includes numerous additional improvements independent of the Android version number, such as:
- Supply chain security for hardware root of trust. That means we "sign" all of our hardware with digital keys at the manufacturing level to ensure device integrity.
- Improvements to the Address Space Layout Randomization (ASLR) security technique that are not in Android L or M and make it far more difficult for malware – even something like Stagefright – to exploit Android software bugs.
- Improvements to the SELinux mandatory access control policy system not in L or M.
- The Pathtrust utility, which goes above L or M in ensuring that untrusted code cannot be introduced into the system dynamically via malware.
- Hundreds of hardening improvements to the Linux kernel and Android service framework to enable features like DTEK, our new app that helps you protect your own security and privacy.
- Tamper-proofing of critical security parameters.
- Cryptographic improvements, including the use of the FIPS 140-2 certified cryptographic library from BlackBerry Certicom, and other techniques that improve upon the Android password's protection against brute-force attacks.
- Support for smart card authentication and other enterprise-specific features that benefit business users.
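The "hardware root of trust" and "tamper-proofing" items above describe a verified boot chain: a key anchored in hardware vouches for the first boot stage, and each stage in turn vouches for the next, so an image that is modified, or a signing key that is swapped out, is caught before it runs. The Python below is an added example for this page, not BlackBerry's code and not a description of how the Priv implements it. It uses HMAC-SHA256 as a stand-in for the asymmetric signatures a real boot ROM checks (so the verifier here holds the key, which a real device would not), and the keys and images are constructed sample data.

```python
import hashlib
import hmac


def _encode(name: str, code: bytes, next_key: bytes) -> bytes:
    """Length-prefix each field so the signed payload is unambiguous."""
    out = b""
    for field in (name.encode(), code, next_key):
        out += len(field).to_bytes(4, "big") + field
    return out


def _sign(key: bytes, payload: bytes) -> bytes:
    # Assumption for this example: HMAC-SHA256 models the signature a boot
    # stage checks. A real chain uses public-key signatures so the device
    # only needs the (non-secret) verification key.
    return hmac.new(key, payload, hashlib.sha256).digest()


def build_chain(images, keys):
    """images: list of (name, code). keys[0] is the root key; keys[i+1] is the
    key that stage i vouches for. Returns the signed stage records."""
    chain = []
    for i, (name, code) in enumerate(images):
        next_key = keys[i + 1] if i + 1 < len(keys) else b""
        chain.append({
            "name": name,
            "code": code,
            "next_key": next_key,
            # Signature covers the code AND the key handed to the next stage.
            "sig": _sign(keys[i], _encode(name, code, next_key)),
        })
    return chain


def verify_chain(chain, root_key):
    """Walk the chain from the hardware-anchored root key.
    Returns (True, None) on success or (False, name_of_first_bad_stage)."""
    key = root_key
    for stage in chain:
        payload = _encode(stage["name"], stage["code"], stage["next_key"])
        if not hmac.compare_digest(_sign(key, payload), stage["sig"]):
            return False, stage["name"]
        key = stage["next_key"]  # trust flows forward only after a good check
    return True, None


# Constructed sample material, not real BlackBerry keys or images.
ROOT_KEY = b"fused-oem-root-key"
STAGE_KEYS = [ROOT_KEY, b"bootloader-key", b"kernel-key"]
IMAGES = [
    ("bootloader", b"\x7fELF bootloader bytes"),
    ("kernel", b"\x7fELF kernel bytes"),
    ("system", b"android system image bytes"),
]


def demo():
    """Return the verification results for a clean chain and two attacks."""
    good = build_chain(IMAGES, STAGE_KEYS)

    # Attack 1: replace the kernel image without the kernel signing key.
    tampered = [dict(s) for s in good]
    tampered[1]["code"] = b"\x7fELF kernel with rootkit"

    # Attack 2: swap in an attacker-controlled key for the kernel stage.
    # Fails one stage earlier, because the bootloader's signature covers
    # the key it vouches for and the attacker lacks the bootloader key.
    rekeyed = [dict(s) for s in good]
    rekeyed[0]["next_key"] = b"attacker-key"

    return (
        verify_chain(good, ROOT_KEY),
        verify_chain(tampered, ROOT_KEY),
        verify_chain(rekeyed, ROOT_KEY),
    )


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered kernel", "swapped key"), demo()):
        print(label, result)
```

The point the two attack cases make is that tamper detection has to cover the keys, not just the code: if a stage signed only its successor's image, an attacker who could rewrite the stored "next key" could re-sign a malicious image under a key of their choosing.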
As Kleidermacher notes, there are plenty of small companies offering hardened Android builds, including the already mentioned Copperhead with its CopperheadOS, but in the end it comes down to whom users trust. BlackBerry has been in this game for well over fifteen years, with security and privacy a core part of the company, and that focus hasn't stopped with Priv. Be sure to check out the full blog post for the complete rundown.