Android Security: How's BlackBerry going to fix it?
It's a tall order
Analysis “Android Security” sounds like an oxymoron, perhaps the biggest since “friendly fire”. So what’s BlackBerry, which has forged a reputation on enterprise security, thinking with the new Priv device?
BlackBerry's handset division is promising to create a business-friendly secure 'droid, and it’s recently been explaining just how. It certainly has its work cut out.
Android represents a global IT security threat not seen for over a decade, when unsecured Windows XP allowed the botnet industry to be created.
Google is trying, as Microsoft is trying, to secure the platform. But as Microsoft also found, the supply chain and user practices are beyond its beck and call. A recent paper by Cambridge academics indicated the nature of the problem.
"The security of Android depends on the timely delivery of updates to fix critical vulnerabilities," concluded university researchers Daniel Thomas, Alastair R. Beresford and Andrew Rice in a paper (PDF) published this month.
They found that "on average 87.7 per cent of Android devices are exposed to at least one of 11 known critical vulnerabilities” and the relative security depends on how effectively manufacturers push out updates. Alas, “few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices unpatched for long periods".
BlackBerry launched a portal Android Secured but it’s going to take more than a blog to assure buyers. Last week its Chief Security Officer David Kleidermacher detailed several ways Priv is more secure than its Android rivals.
BlackBerry is transferring two features of its BBOS handsets to Priv. It gives each device a unique identifier, and then boots using a special mode of the ARM processor, to verify each component. So far so good: the device won’t be rootable, which will dismay enthusiasts but will please enterprise buyers.
The Priv will use a security-focused Linux kernel – Kleidermacher won’t say which one – but grsecurity has been spotted in leaks. There’s also a security monitor/manager called DTEK, brewed in house.
The rest of Kleidermacher's list will be familiar: BES enterprise management, support for Android at Work, app permissions and partitioning, and use of the BlackBerry network, although the post doesn’t specify what for.
Absent from the list is any patching commitment. The Priv is a vehicle for BlackBerry’s services, so it would be surprising if it didn’t support the business services that BlackBerry has been building off BES and its network, like VPN authentication, BBM Protected, or Meetings.
Nor do we have details of how two of BlackBerry’s most attractive services will play with Priv: secure voice (via SecuSUITE) and WorkLife, the virtual SIM technology acquired from Movirtu, which are as much about privacy as security. With WorkLife, the employee’s personal data traffic remains private, while the employer isn’t billed for their personal usage.
All these are either cross-platform already, or BlackBerry has promised they will be. And all of them need industry co-operation or supporting infrastructure to work. For example, the VPN authentication harnesses BlackBerry’s network. WorkLife requires carrier support.
But the device still hasn’t launched, so we wouldn’t expect the list to be exhaustive. BlackBerry needs to hold features back for launch day. But with Google struggling to patch Android, they need every bit of help they can get. The Priv is available for pre-order at £559. ®