That largely unchecked and untested claim was enough to grab our attention, given that many still don't believe that "Android" and "security" in the same sentence can be anything more than a contradiction.
After two weeks of scrutinizing those claims, here's what we learned.
BlackBerry's DTEK50 is a passable smartphone that was in most cases able to match the security features of other similarly secure devices, like Apple's iPhone and Google's Nexus. But the DTEK50 was not able to outperform or raise the security bar in any meaningful way. In part because of that, we dispute the company's claim that this is "the world's most secure Android smartphone."
Rapid security patching is good -- when it works
Ask anyone in security, and keeping to a regular patching schedule is by far the most effective way of nixing most known security issues. That's why, in the wake of the "Stagefright" vulnerability last year, Google began to offer monthly security patches.
Google's own-branded Nexus devices would be given the patches first, and other companies would follow in the coming days and weeks -- though, some wouldn't keep to a schedule at all.
BlackBerry promised that it will similarly provide same-day patches for security issues (which was described as "zero day" patching to some, a confusing echo of a common malware descriptor), once they are released by Google or its partners.
BlackBerry said if it can fix issues that are disclosed outside of that schedule, it will.
There's no real way to test this, but we struck lucky -- for want of a better term -- when we found that the DTEK50 was already vulnerable, straight off the manufacturing line, to one of four new security flaws, dubbed "Quadrooter" -- despite being up-to-date with Google's monthly patching schedule.
Three of the flaws were already fixed and were rolled out as part of July's monthly batch of security patches. Qualcomm, which was charged with making a fix for the fourth, has released an emergency patch, but it won't be widely released until September.
At the time of writing this review, BlackBerry hadn't patched the Quadrooter flaw, and a BlackBerry spokesperson didn't respond to repeated emails requesting comment. (Update: After this security analysis was posted, BlackBerry confirmed it released a patch for unlocked phones, but those tied to a carrier will not receive the patch until the carriers give their approval.)
By delivering patches faster and on a regular basis, Android's patch schedule is arguably better than Apple's, which is erratic and usually only released when bundled with other software improvements.
But good patch management only works when it's put into practice.
Hardware root-of-trust and secure boot: Welcome, but not new
You might not know about the phone's hardware root of trust or the secure boot process, but it's a vital part of ensuring that your phone maintains its security integrity.
Every stage of the phone's start-up procedure is cryptographically signed. In other words, if a hacker has tampered with anything in the boot process, the signatures will not match up, and the process stops dead. For instance, if malware is found, the phone just won't boot, which prevents your data from being decrypted. Think of it as a dead man's switch (and BlackBerry documents this in detail in a deep-dive blog post).
Android comes with this feature baked in, but it'll become a strictly enforced feature when Android Nougat, the latest iteration of the operating system, is rolled out.
When the DTEK50 gets the new software in the months after its launch, executives said, that'll make verifying the phone's boot process far stronger. In the meantime, it's a good start, but it doesn't nudge the security needle forward.
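To make the chain of trust described above concrete, here is an added example (written for this edit, not BlackBerry's or Android's code) that simulates a boot sequence in which each stage carries the expected digest of the next, anchored in a root digest that stands in for the value fused into the hardware. Real verified boot uses public-key signatures over the stage images; the SHA-256 chain here is a stand-in that behaves the same way for the purpose of the demonstration, and the `enforce` flag is an assumed knob that models the difference between merely warning on a mismatch and refusing to boot. Stage names and payloads are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Stage:
    """One link in the boot chain: its code plus the digest it expects of the next link."""
    name: str
    payload: bytes        # the stage's code or image (constructed sample data)
    next_expected: bytes  # digest the next stage must match; b"" for the final stage


def stage_digest(stage: Stage) -> bytes:
    # The digest covers both the code and the embedded expectation, so an attacker
    # cannot swap in a malicious next stage simply by editing the pointer.
    return hashlib.sha256(stage.payload + b"|" + stage.next_expected).digest()


def build_chain(images):
    """Link stages back to front. Returns (root_digest, stages) with stages in boot order.

    root_digest plays the role of the hardware root of trust: it is fixed at
    manufacturing time and is never itself loaded from writable storage.
    """
    stages = []
    next_expected = b""
    for name, payload in reversed(images):
        stage = Stage(name, payload, next_expected)
        stages.append(stage)
        next_expected = stage_digest(stage)
    stages.reverse()
    return next_expected, stages


def verify_boot(root_digest: bytes, stages, enforce: bool = True):
    """Walk the chain from the hardware root. Returns (booted, log).

    enforce=True  models strict verified boot: first mismatch halts the boot.
    enforce=False models warn-only behaviour: mismatch is logged, boot continues.
    """
    expected = root_digest
    log = []
    for stage in stages:
        actual = stage_digest(stage)
        if hmac.compare_digest(actual, expected):
            log.append(f"{stage.name}: verified")
        else:
            log.append(f"{stage.name}: MISMATCH")
            if enforce:
                log.append("boot halted; user data stays encrypted")
                return False, log
            log.append("warning only; continuing")
        expected = stage.next_expected
    return True, log


def tamper(stages, name: str, new_payload: bytes):
    """Return a copy of the chain with one stage's code replaced (simulated malware)."""
    return [Stage(s.name, new_payload, s.next_expected) if s.name == name else s
            for s in stages]


# Constructed sample images for a three-stage boot.
GOOD_IMAGES = [
    ("bootloader", b"bootloader v1 (sample)"),
    ("boot image", b"kernel + ramdisk (sample)"),
    ("system", b"system partition (sample)"),
]


def demo():
    root, stages = build_chain(GOOD_IMAGES)
    clean = verify_boot(root, stages)
    infected = tamper(stages, "boot image", b"kernel with implant (sample)")
    strict = verify_boot(root, infected, enforce=True)
    lenient = verify_boot(root, infected, enforce=False)
    return clean, strict, lenient


if __name__ == "__main__":
    for label, (booted, log) in zip(("clean", "tampered/strict", "tampered/warn-only"), demo()):
        print(f"--- {label}: booted={booted}")
        print("\n".join("  " + line for line in log))
```

Note that the check stops exactly at the tampered stage, and that tampering with the bootloader's embedded expectation is caught one link earlier by the hardware root, which is why the root value has to live somewhere the attacker cannot write.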
Encryption as standard, but questions over Android "hardening"
Like all modern iPhones and all devices running Android Marshmallow or later, the DTEK50 comes with full-disk encryption -- an increasingly commonplace smartphone feature.
BlackBerry also touts its Android "hardening" effort, which it argues makes it tougher for attackers to extract data or take control of a device. One of those features includes "improved random number" generation, which we wrote about in more detail here.
The short version is that, according to cryptographers who spoke to us about this, BlackBerry's hardening effort "doesn't meaningfully change the security of the phone," because the company is trying to fix something that isn't broken. And because BlackBerry used a largely secret and proprietary method to try to improve the cryptography -- one that can't be inspected or verified by security experts -- the phone may be secure, but until we know how and why, we can't (and shouldn't) fully trust it.
DTEK's app will pacify and inform, but not block
My biggest gripe with the phone's flagship app, which first debuted with the Priv, was that it didn't do anything -- and it still doesn't.
In case you missed it, the phone is named after its flagship app, DTEK, a play on "detect." The app sits on your home screen, acting as a gateway health dashboard for your phone. It tells you how secure your device is, such as if a strong passcode has been set, and even when apps use your phone's features. If a malicious app triggers your camera or your microphone, it'll tell you -- but it won't block it.
BlackBerry said that the app hasn't changed since it was first rolled out to the Priv, despite a promise from David Kleidermacher, chief security officer, who said the app would be "constantly" improved.
We had some harsh words for the app the first time around -- all of which still stands today.
"DTEK isn't much more than an information app in that it tells you when things are happening, unlike a privacy app which actively mitigates against data-slurping incursions [...] It doesn't prevent your data from being slurped up by the various apps you use, nor does it give you an option to do much about it -- except uninstall the apps."
Now both the Priv and the DTEK50 are running Android Marshmallow, and both phones now come with iPhone-style app permissions by default, so you have greater granular control over your apps and what they can access.
I'd put that down as a win for Android, over any worthwhile improvement on BlackBerry's part -- though it nevertheless puts the DTEK50 on a par with other devices that run Android Marshmallow, as well as the iPhone.
Bottom line: Security, take two, but no lessons learned
Android already has a bad rap when it comes to security and privacy. Anything to boost that impression could be a boon to business -- if done right.
But BlackBerry hasn't learned any lessons from its first Android incarnation, and by its own admission hasn't improved the phone's security in any consequential way.
Case in point: Alex Thurber, the company's global device sales chief, told us at a meeting that the Priv and the DTEK50 are "the two most secure smartphones," because the Priv is "as secure" as the DTEK50.
The reality is that when you cut through the marketing fluff, you're still faced with an unremarkable phone, which, like any other product or service, takes one hole in the security facade to bring the entire thing down.
Granted, the company didn't know about Quadrooter ahead of time. Its so-called privacy app doesn't block or mitigate, and only passively advises. We can welcome its hardware improvements, but it's not enough to nudge it past that already-high security bar to achieve status as "the world's most secure Android smartphone."
Marketing and selling this phone as more secure than other phones that are equal or better in the security space is going to give people false hope, and that's dangerous for those who think this phone will defeat hackers and attackers at every hurdle.
Security researchers will tell you that the most secure smartphones will be the least useful to most people. But in absence of perfection, many will choose an iPhone over anything else. Tried and tested, the iPhone was able to withstand government demands for customer data -- and, though not perfect, Apple's closed in-house duopoly of hardware and software makes it far tougher to crack than most other devices.
So what's the most secure Android phone available now? Your best bet is a Nexus smartphone, which researchers believe is the least vulnerable to flaws and issues because of rapid vulnerability patching.
Update at 2:25pm ET: to add that after this security analysis went live, BlackBerry had patched the remaining Quadrooter flaw, a little over a week after it was first revealed.