BlackBerry’s Chief Security Officer, David Kleidermacher, took to the company’s blog on Tuesday to discuss more details about the security hardening added to Android on the BlackBerry Priv.
As we noted in our review of the device, there have been doubts raised by the info security community about BlackBerry’s security improvements in Android. With the information known at the time, Android 6.0 Marshmallow was considered more secure overall than BlackBerry’s implementation of 5.1.1 Lollipop. But Kleidermacher insists in his post that “BlackBerry’s Android is best for security and privacy.” In addition to previously revealed improvements and their plan for fast patching, he discusses a few more things BlackBerry has added:
- Improvements to Address Space Layout Randomization (ASLR) which are not present in Android Lollipop or Marshmallow. This makes it more difficult for malware to exploit vulnerabilities.
- An improved SELinux mandatory access control policy system, which is also not present in Android L or M.
- The Pathtrust utility, going “above [Android] L or M” to ensure untrusted code can’t be introduced dynamically through malware.
- “Hundreds” of hardening improvements to both the kernel and Android’s service framework, in addition to protection against brute-force password attacks.
- Tamper-proofing for critical security parameters.
- An improved cryptographic library that is BlackBerry Certicom-certified and compliant with FIPS140-2.
- Enterprise-specific features, like smart card authentication.
We have not yet heard anyone in the info security community evaluate these claims, but some of them certainly seem to be valid. For instance, Google’s Project Zero security team has criticized Android’s implementation of ASLR, so there must have been room for improvement there.
Some of the points Kleidermacher makes may exaggerate the effects of the improvements however, especially in terms of improvements to the kernel. The original criticisms came after security firm Copperhead evaluated the Priv’s kernel source code, finding only minor improvements that were outweighed by those made in Android M.
We’ll update this post if we hear any further evaluation of BlackBerry’s claims, but it’s good to hear that they’ve done more than we originally thought.
Update: Copperhead has responded in a series of tweets, beginning here. They claim that BlackBerry’s post misrepresents the security offered by the Priv, saying that BlackBerry has “only done a bunch of cargo culting.” Here’s a quick breakdown of their criticisms:
- Pathtrust merely duplicates functionality offered by SELinux.
- The kernel hardening BlackBerry has done is minimal.
- FIPS140-2 is an outdated standard that encourages bad practices.
- BlackBerry has not fixed the problems with Android’s ASLR.
- The hooks added for DTEK and exFAT increase the attack surface.
- BlackBerry needs to provide details about how they’ve changed SELinux policies, but every vendor makes adjustments.
- Hard-wiring the keys for secure boot is “a useless gimmick,” as an attacker with physical access gains nothing by replacing the OS on your device.
Copperhead mentions that a more detailed analysis is difficult without the source code for the userspace, but the onus is arguably on BlackBerry to provide more details if there are further improvements.
Source: Inside BlackBerry Blog