BlackBerry DTEK50 is billed as “The World’s Most Secure Android Smartphone”. Much to the chagrin of naysayers, BlackBerry is ensuring the DTEK50 and Priv earn that title.
Today, it was announced that BlackBerry was the first major phone manufacturer to patch the scary QuadRooter vulnerability. A short while before this became known, ZDNet published a post questioning the security of the DTEK50. Some wild accusations were made. The post stated that the BlackBerry Priv matched “similarly secure devices”, and went on to state that the DTEK50 did not “raise the bar in any meaningful way”, leading the author to “dispute” BlackBerry’s claim. The other phones mentioned by the author were the Nexus and the iPhone. Let’s look at the claims made in the post.
Security Patching, It Works
If there’s one thing we know by now, it’s that vulnerabilities will be found. These vulnerabilities are dealt with through security patches. This is nothing new. ZDNet used the news of the QuadRooter vulnerabilities to argue against the security of the DTEK50. ZDNet states that the DTEK50 was still at risk for one of the four vulnerabilities “despite being up to date with Google’s monthly patching schedule”. Prior to today, that was true. However, the narrative of this story is deceptive at best.
QuadRooter affected over 900 million devices, among them the previously mentioned Nexus line. In reality, the QuadRooter vulnerabilities are found in devices which use Qualcomm chipsets. This includes the most popular Android phones. While Google did patch three of the four vulnerabilities in the August security update, the fourth patch was not ready when that update was rolled out. That final vulnerability will be patched in the September security update. BlackBerry patched this remaining vulnerability today. The aforementioned Nexus will be patched sometime next month.
This would also be a good time to mention that BlackBerry has a perfect record of rolling out Google’s security patches. No other Android OEM has even come close to BlackBerry’s record.
Root of Trust & Secure Boot
ZDNet states that this is nothing new. That’s true. BlackBerry has been doing this all along. ZDNet also goes on to state that the iPhone and Knox-equipped Samsung phones do the same thing. In fact, it was only in October of last year when Apple initially published its “iOS Security” document that claims “Apple designed the iOS platform with security at its core”. They also went on to speak of a secure boot. If this sounds familiar to anyone, it should. It’s almost a word for word duplicate of what BlackBerry has been doing for years.
While anyone can state that they have a secure boot, we need to look at what is actually taking place. Can you have a secure boot when the phone is not secure? I don’t think so.
Sometimes I feel like a broken record when speaking of the vulnerabilities across the platforms. I hope that with repetition, people will begin to understand the truth. When looking at the top 50 products with the most distinct vulnerabilities at CVE Details, we see that iOS is the top mobile OS with the most vulnerabilities. In fact, it’s number 5 out of all products, with 920 vulnerabilities recorded. This almost doubles Android, which comes in at number 22 with 520 vulnerabilities. It is even more than the typical example of poor security, the Flash Player. Flash Player actually follows Apple at number 6 with 892 vulnerabilities.
Just in case you’re wondering, the number one product with the most recorded vulnerabilities is Apple’s Mac OS X with 1601 vulnerabilities. BlackBerry doesn’t even make the top 50 list. BlackBerry’s entire product range, from phones to BES, even the PlayBook, totals only 21 vulnerabilities. Should we really be placing Apple products in the same security space as BlackBerry? Of course not.
In all honesty, can you really brag about a secure boot and root of trust when speaking of a product which is easily rooted or jailbroken? No. Again, of course not. Apple cannot stop the iPhone from being jailbroken. Android is known for rooting. Except for BlackBerry devices. Due to BlackBerry’s security measures, BlackBerry Android has yet to be rooted. There’s simply no comparison here.
Who Knows Encryption Better?
ZDNet points out that BlackBerry is not the only OEM to use full disk encryption. The basis for the argument that it is no better seems to be that they use a proprietary method that can’t be inspected by outsiders. I thought this would be a good time to point out that BlackBerry owns Certicom, which owns the patents to elliptic curve cryptography. This is the encryption used by governments. I think BlackBerry knows encryption. At the very least they know it better than Apple. Let’s not forget that during the great encryption debate, Apple stated it would take a team of engineers months to crack the San Bernardino terrorist’s iPhone, when it took an outside party a couple of days to get in.
DTEK, The App
Finally, ZDNet points out that the DTEK app is a monitoring app. In their words, “DTEK isn’t much more than an information app in that it tells you when things are happening”. That’s a fair statement. It’s also a fair statement to mention that the other devices which ZDNet keeps comparing it to do not have it.
It seems that the primary argument in the ZDNet post was that the DTEK50 was affected by the QuadRooter vulnerability. Unfortunately for ZDNet, the other Android device, the Nexus, which they continued to use as an example, was also affected. Even more unfortunate for ZDNet, BlackBerry has patched the vulnerability, while it appears that the Nexus, and surely the rest of the affected Android phones, will be waiting until September for their patch.
ZDNet also seemed to keep using the iPhone as an example as to why the DTEK50 should not be called the world’s most secure Android phone. That’s an odd argument for two reasons. The most obvious reason is that the iPhone is not an Android phone. The less obvious reason is that since the iPhone runs on iOS, which is the most vulnerability-laden mobile OS (nearly doubling Android), it really shouldn’t be included in a security conversation.
What Makes it Secure? BlackBerry
We can’t expect a device to be vulnerability free. There will be vulnerabilities. There will be hacks. What matters is how they are dealt with. Will the OEMs rush to fix the error or will they wait? Will they do nothing at all? BlackBerry didn’t wait. They rushed to protect their users. Today BlackBerry proved that they are setting the bar for Android security, and they’re setting it high.