The BlackBerry Priv is here — we already reviewed the phone, but there’s a lot more to say. This is BlackBerry’s first Android device. I had the opportunity to talk to Dave Kleidermacher, BlackBerry’s chief security officer, and pick his brain about the Priv, and more broadly about the company’s decision to finally go Android.
First and foremost, I wanted to know why BlackBerry decided to go with Google’s mobile platform. Kleidermacher gave the expected response at first (closing the “app gap”): BlackBerry has fixed the lack of apps issue once and for all by switching to Android. In short, the Canadian company is admitting that its strategy to offer two app stores (BlackBerry World for business apps and the Amazon Appstore for consumer apps) simply wasn’t good enough. This isn’t much of a surprise to anybody who has been watching BlackBerry’s decline continue even after the launch of its BlackBerry 10 operating system.
Why wait until 2015?
And so, I asked Kleidermacher why now. Why didn’t BlackBerry go with Android sooner? Surely it didn’t take the company until 2015 to realize that its customers wanted more from a mobile platform.
Above: David Kleidermacher
“We would have taken this job earlier if we had thought that the Android platform gave us the right base to launch,” Kleidermacher told VentureBeat. The Canadian company was looking for very specific capabilities in the base open-source platform on top of which it could “add our special sauce to” and produce something that’s “really awesome, that we really believe in, that matches things we’ve done in the past.”
In short, BlackBerry was understandably hell-bent on making sure it didn’t produce just another Android phone. The company wanted to make sure it could produce a BlackBerry Android phone where the BlackBerry part wasn’t an afterthought.
“To be honest, Google, as good of a job as they’ve done on the Android platform over the past few years, in terms of building an app ecosystem, we didn’t feel until really Lollipop that the platform was ready and gotten to a point where we felt like ‘This is a base where we can actually build a BlackBerry device from,'” Kleidermacher explained. “We really couldn’t do that before then. It wasn’t ready. There were a number of capabilities that would require too much surgery on our part to add the capabilities we needed. But Lollipop reduced the amount of surgery to a point where we could add our special sauce and let us maintain the product going forward.”
To me, that sounded like an exaggeration. What was Android missing until Lollipop that BlackBerry couldn’t build itself?
It turns out that the answer lies deep within Android’s security and privacy underbelly. Kleidermacher spelled out where BlackBerry wasn’t happy with Android’s approach.
“Prior to recent versions of Android, it was very difficult to validate the integrity of the entire Android system; it would be painful to do that without Android being smart about it internally,” he explained. “And so that is something that became much more maintainable. There are some things we need to do to validate the authenticity and integrity of firmware layers below Android, but the Android system itself now has a built-in capability that once you’ve validated the kernel, verifying the authenticity of the Android system image has been made easy for us.”
Kleidermacher continued that a lot of it came down to being able to run code outside the Android operating system.
“The algorithm for measuring authenticity, for example, you don’t want to run in Android,” he said. “Parts to that you don’t want to run that in the thing that you’re measuring, you want to run that below Android. Google, really in Lollipop, started to maximally leverage what they call the trust-execution environment (we call this the secure compound). It’s a trusted area to run and store critical things like encryption keys, so that they are better protected than if, say, they were stored on the Android file system. Being able to do that was made easier [with Lollipop].”
And yet: Android 5.0 Lollipop arrived in November 2014, Android 5.1 Lollipop followed in March 2015, and the Priv launched much later, in November 2015. So even if BlackBerry really was waiting for these very specific capabilities that allowed it to “add security and privacy capabilities that we would put our name behind,” the company still took its sweet time to get going. And when BlackBerry finally did move, it failed to ship a device running the latest version, Android 6.0 Marshmallow.
Kleidermacher was able to confirm that “work has started” on bringing Marshmallow to the Priv, but couldn’t give a percentage for how much progress has been made. BlackBerry still isn’t even able to commit to a timeline (translation: not this year).
But it is clear that BlackBerry believes Android could shape the future for the company. “Does it have everything we want? No. However, in a way this is good. If it had absolutely everything, it would be more difficult for us to actually differentiate.”
That said, there’s only one app on the BlackBerry Priv that is truly new, and that’s DTEK, which is meant to secure your phone and help you monitor what’s happening on your device. It lets you see everything that every other Android app is accessing (you can drill into specific permissions and see how often requests are being made to check your personal details) as well as give you an overall security rating (red, amber, or green) based on what features you have turned on or off.
I told Kleidermacher that the rating system felt very gimmicky. It was very easy for me to get an “Excellent” rating by simply adding a screen lock.
“One of the things we view as absolutely critical to security is making security easy to understand and easy to use,” he said. “Users hate it when you make security hard. The color-coded view is an easy way for the user to see ‘OK, I’m in a good place.'”
Fair enough. But if security is so important to BlackBerry, why doesn’t the Priv include a fingerprint reader or any other forward-thinking solutions?
Biometrics aren’t ready, yet
“User authentication is a freakin’ nightmare in the mobile world today,” Kleidermacher declared. “There is not yet a widespread and ubiquitous user authentication mechanism that is both strong for security and users don’t hate it.”
What about fingerprint readers? Apple does them. Google does them. Samsung does them. Why doesn’t BlackBerry?
“The reason we haven’t put a fingerprint scanner is that if you lose your fingerprint, you’ve lost that part of your identity forever. And that’s a problem, because it’s a static picture of your finger. It’s just bits. You drop those bits, and you’re done. We’ve never put a fingerprint scanner on our devices because we think of it as a relatively weak authentication system,” he said.
Kleidermacher argued that, if implemented poorly, it’s easy to steal those bits off of a device, or even lift the fingerprint off the actual device and use that to log into it. In short, he believes that using your fingerprint as your identity is flawed from the get-go, because it doesn’t change. Other types of biometrics, where the “password” isn’t just a static image, but rather something that is moving or changing, while still being unique to you, are “much better.”
“I’m not saying biometrics are a bad idea,” he elaborated. “I’m saying that today, in terms of what’s available in the market ubiquitously, there is not yet one that I’ve seen that passes our muster from a security and stability perspective.”
Instead of fingerprints, BlackBerry brought its picture password solution to the Priv. In short, your password is a number plus a point in a picture. It takes a while to get used to, and definitely takes more time to execute (the placement of the numbers is random, so you have to locate your number every time, and drag it to the *exact* spot on the picture). But Kleidermacher’s argument holds: Because your swipe is different every time, this is arguably more secure than using your fingerprint.
It’s very easy to remember while at the same time very difficult to steal if someone is simply watching over your shoulder. You can touch anywhere on the screen, all the numbers move at once, and smudge patterns are useless, so it’s very difficult to figure out what exactly you just did to unlock your device.
“It’s totally brilliant. I’m not saying it’s the end-all forever, but until biometrics get to a point where they’re actually good, this is a really great one. Samsung, Apple, and those other guys should use it,” he added.
So why don’t they? I’ve played with the picture password feature, and the reality is that it’s just a slower approach. It can also be quite frustrating if your combination isn’t very specific. If you pick a part of an image that is significantly bigger than the number, placing your number in the exact spot every time is annoyingly hard. Fingerprint readers are easy and fast, even if they don’t pass BlackBerry’s security standards.
Indeed, Kleidermacher refused to declare that BlackBerry would never include a fingerprint reader in a future device. He said that relying on a combination of a fingerprint and something else might be a reasonable tradeoff, adding that “eyepanning” technology shows tremendous promise.
“We are constantly evaluating biometrics in general, and when we feel satisfied that the security strengths, cost, and usability are in a sweet spot, then we would consider putting them into devices. When that will happen, and exactly what type of biometric, remains to be seen still,” he said.
Translation: Don’t be surprised if a BlackBerry Android phone next year has some sort of biometric solution.
Securing Android
I wanted to know if, aside from DTEK, there is anything that the BlackBerry Priv offers in terms of security that past BlackBerry devices don’t. Nothing, Kleidermacher confirmed.
So, what exactly has BlackBerry added to the Priv that isn’t available in Lollipop out of the box? Quite a bit.
There’s the aforementioned DTEK and picture passwords, as well as a Password Keeper app and media card protection. FIPS 140-2 compliant full disk encryption is on by default, and you get the S/MIME encryption protocol for digitally signing and/or encrypting messages, and of course doubly encrypted messages via BBM (though you can install BBM yourself on any Android device, assuming you still have someone to message on it).
But there are three improvements that particularly stand out on the Priv:
- Secure compound, a special BlackBerry area of firmware that runs below Android (making it immune to Android vulnerabilities) and handles operations such as validating the integrity of the Android OS itself
- Verified Boot and Secure Bootchain, which uses the embedded keys to verify every layer of the device in order to make sure they haven’t been tampered with
- Modifications to harden the Linux kernel with patches and configuration changes to improve security
The first two points we discussed earlier: These are the two that were impossible to pull off before Lollipop came along. For the third, Kleidermacher explained that BlackBerry has made “literally thousands of changes to both the Linux kernel below Android and to Android itself for security and privacy.” Of course, if Android 6.0 was the base, the company wouldn’t have had to include as many patches.
But there’s more than just software fixes here. Back in February 2009, BlackBerry acquired cryptography company Certicom. Ever since, BlackBerry has injected security keys into its chipsets to guarantee the “hardware root of trust.” This is a big sell to corporations, according to Kleidermacher.
“How do I know that the hardware key, that the hardware root of trust, hasn’t been tampered with during the supply chain? You can’t test this with Fibs certification,” he declared. “So we don’t really care where the device is being manufactured, the chipset and the injection is controlled by BlackBerry and our Certicom technology. That can give users and businesses a very high level of confidence that the root of trust for all crypto (encryption, integrity validation, and application-level security policies) is rooted in something that is truly BlackBerry secure.”
This is where it becomes very clear that BlackBerry will be selling the Priv to die-hard BlackBerry fans, sure, but it will be mainly selling it to corporations. The Priv is meant to be Android plus BlackBerry, the best of the consumer and business worlds.
Indeed, BlackBerry this week announced how it will be patching Android on the Priv. In August, Google revealed Nexus devices would receive monthly security updates, and Android device makers like Samsung did the same.
BlackBerry will be releasing security updates on the same schedule as Google, but the Canadian company will go a step further.
“There are times when monthly is not good enough,” Kleidermacher correctly declared. Critical, low-sophistication vulnerabilities that result in remote access and full privileged access once you get in — those can enter the public domain before a patch is available. “If that happens, our customers are exposed, immediately. And we’re not going to wait a month to fix that.”
BlackBerry’s new hotfix program will turn a patch around immediately for certain security holes. The exact turnaround time will depend on the fix, what localized changes are needed, and how much testing is required. Patches could be made available within anywhere from 24 hours to a few days, Kleidermacher promised.
BlackBerry also wants to bring back the ability for IT to deliver OS updates. While business PCs have gone through this for years, the practice hasn’t translated well to the mobile world. If your BlackBerry phone is owned by your employer, they will have the right to determine when updates happen.
Final thoughts
All of this sounds great on paper, but as always, BlackBerry’s success will hinge on execution. And if consumers and businesses aren’t interested, the company’s foray into Android will be too little, too late. CEO John Chen has said that if his handset division doesn’t turn a profit next year, BlackBerry may exit the phone business.
The Priv, and BlackBerry’s broader Android strategy in general, is sound. But the competition isn’t standing still. Apple, Samsung, and Microsoft all have their own strategies for the business world, meaning BlackBerry has to do everything it listed above, and then some.
The whole company’s reversal depends on it.