What the BlackBerry Priv means for Android security

The new BlackBerry Priv comes at a crucial time for both BlackBerry and Android at large. It's BlackBerry's first-ever Android phone, and the first major device since the Passport, a major bet for a company that's struggled to stay relevant. At the same time, Android is pushing manufacturers and carriers toward a more aggressive patch schedule, hoping to tighten security across the ecosystem. The Priv looks to solve both problems at once, offering a more secure Android phone that can resuscitate BlackBerry and lead the way for Android phones across the board.

It's a big ambition, and at the center of it is a set of stronger security features than we've ever seen on Android before. So how do they stack up?

The most important issue is patching. BlackBerry has pledged to keep the Priv up to date on Android's monthly patches, and while patches will arrive more slowly on carrier versions of the phone, that alone should put it ahead of 90 percent of Android phones on the market. (Only Samsung and LG have made similar promises, and even then, not for all of their phones.) Beyond that, BlackBerry has set up a hot fix system for urgent bugs like Stagefright, allowing it to push a sufficiently urgent patch without carrier approval. It's hard to say how effective the system will be until we see it in practice, but if the protections work as promised, they should establish the Priv alongside Nexus and Samsung flagships as one of the best-patched Android phones on the market.

How does Priv security stack up?

The most visible security measure will be a series of security-focused apps, built specifically for the Priv by BlackBerry. A tool called DTEK monitors app permissions and activity to catch malware early. There's also a built-in password manager, akin to mobile versions of LastPass or 1Password. None of these are particularly sophisticated or novel, but they're important just the same. They're the kind of thing IT departments have been recommending for years and users have been ignoring for just as long. But those common-sense security measures really do make a difference, and building them into the phone will ensure they're put to use.

The most interesting choice is BlackBerry's decision to go without a fingerprint reader, an entry-level biometric that has become a near-essential component in the latest generation of Android phones. According to BlackBerry CSO David Kleidermacher, the problem wasn't cost: BlackBerry simply doesn't believe fingerprint authentication is a good idea. "The problem is, if you use it and it gets lifted, you've lost an aspect of your identity forever," said Kleidermacher. "We believe they're too easy to hack. It's just not a strong enough authentication mechanism." Still, BlackBerry doesn’t offer anything more than the usual PINs and passwords in place of the fingerprint, leaving the Priv as a real outlier on the biometric front.

The Priv can't solve every Android issue, and on the issue of software authentication, the biggest issues are still unresolved. Since the beginning, the iPhone's biggest security advantage has been Apple's control over the software available to install. Programs in the App Store are tightly managed, and installing anything outside of the App Store means relying on involved and increasingly fragile jailbreaks. In Android, third-party app stores are everywhere. As Amazon apps have crept onto carrier builds, enabling software outside the Google Play store has become almost unavoidable.

The Priv can't solve Android's biggest problems

It's a powerful disadvantage, and one Priv isn't entirely able to break away from. Instead of cutting off third-party stores entirely, it partitions them, using the recently released Android For Work system to keep sensitive applications in a separate part of the phone. Even if you do download an infected app onto the Priv, the program won't be able to reach into your email or work programs without breaking through the partition. It's a solid system, but you can bet security researchers will be looking for ways to break into that enclave for years to come, and it puts Priv at a real disadvantage compared to phones that can attack the problem at the ecosystem level.

In other words, BlackBerry can't solve every security problem on Android — but it doesn't have to. The biggest question for the company is whether the Priv can help BlackBerry recapture the business users that have been trickling away since the iPhone was first introduced. Is the Priv's reinforced version of Android enough to win them back? Even if it's not, it may end up as a template for any Android phone making a play for enterprise customers. It's more of a raised alert than a complete lockdown — which, in this case, may be just enough.