BlackPhone, BP1, PrivatOS, Do you own one? Do you use it? How do you use it?

On June 10, the released PrivatOS-1.1.6:

URL=https://support.blackphone.ch/custom...otes?b_id=4314

They claim:
CVE-2015-4000:
* https://access.redhat.com/articles/1456263
* http://cve.mitre.org/cgi-bin/cvename...=CVE-2015-4000
* https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-4000

As for a comment on stability... Though it has improved with time, yesterday, I lost my phone service provide. The phone reported zero bars. A friend told me in via chat session on my computer that my phone number, when dialed, went right to voice mail. Switching my phone to "Airplane Mode On" then "Airplane Mode Off" magically restored phone service access and I saw 4 or 5 bars.

Stability is still not quite there for phone service. AFAIK, this is the first loss of service in 1 week, with the same problem a week ago.

I am hoping the phone service is more stable with PrivatOS 1.1.6

I have been using the BlackPhone off and on for a few months. These last two weeks I have used it as my main device. I am finding that since PrivatOS-1.1.5 I have had pretty great stability with side loaded APKs as well as system apps.

Pandora 6.1 has only crashed on me once in the 2 weeks that it has been my main device, and I think that it is due to the phone service stability and\or living in a separate space. The APK that I had the most trouble with through out this entire adventure with BP1 is WeChat... PrivatOS-1.1.4 and below was impossible to use WeChat in a separate space. This might have been the version(s) available at the time were causing the app to crash, or the spaces were helping\causing the problem. I have not tested to see what the issue was, but the bottom line is that it was unusable in a space. WeChat was usable in the Silent Space in PrivatOS-1.1.4 and below, but that kind of defeats the purpose of keeping apps locked up in their own space. As of PrivatOS-1.1.5 and WeChat version 6.2.something.something (latest at time of this post) the WeChat app will run smoothly in a separate space.

T-mobile USA is generally not stable when attempting to use data for streaming content or browsing the intertubes. My BP1 loves to jump from 4G to HSPA to 3G when ever it feels like it during data use, but when it is just sitting idle it will have a more constant 4G connection. The bars go from 1 to 3 on me when idle as well when in a "full bars LTE" area on another Tmo android device. If my BP1 drops to a lower data connection the bars are magically full strength. I have been trying to use Tmo's LTE IPV6 APN to see if that somehow solves the stability issue, but I can't really test it out since all of my browser attempts time out and apps trying to use data sit in their initiating connection phase. I still have some other things to try in my attempt to get this device to have a decent mobile network connection. I will update this post when I get to testing that stuff out.

I have serious issue with the BP1 not disabling touch on the screen and softkeys when the phone is against my face on a phone call. I constantly go into menus or open apps with my face when I am just trying to make a damn phone call!

I'm still seeing dropped service from my phonecall/data provider about once a week, where I can't make/receive calls or use 3G/4G data service from carrier. Instead of rebooting, I switch to "Airplane Mode" then switch off "Airplane Mode" and it finds my service provider again.

From SilentCircle, notice of update available for PrivatOS-1.1.7:

URL1=https://twitter.com/SilentCircle/status/616676728237359104

Update Notes: https://support.blackphone.ch/custom...otes?b_id=4314

Unlike previous updates, this provides no indication on what security issues by referencing CVE or providing comment about what was changed without CVE. This is not good. I'm going to ask them about this in twitter:

URL2=https://twitter.com/TCMBC/status/616679576392089600

A reply to the question on twitter about lack of details:

URL1=https://twitter.com/SilentCircle/status/616687656181858305

URL2=https://twitter.com/VicHyder/status/616711743755022336

It is better to have security issues for users fixed early, but this embargo is problematic.

If this kind of lack of details to fixes for this and other products becomes a new norm, is can also be used to masquerade changes to products that won't always be in the individual consumer's interest.

For products made in the US (or China, or Russia) if the government mandates inclusion of back-doors in code, and further denies vendor free speech to let users know about the back door, then users fall under greater risk to lost security with the addition of a back door, and without a legal method to be informed of the new security risks, greater exposure without opportunity to address risk or try to mitigate newly introduced degraded security.

Obviously, vendors do not need to use an embargo to install a backdoor, as they can roll one with any normal update and disclose information about the update while omitting information about the back door. All the embargo delay does is help make it normal for updates to not specify what changes are being made to their devices... kind of like shrink-wrap licenses, or governments voting on would-be new laws, but not being allowed to see the text of the new legislation.

"Bad Guys" can download old code, and then download new code, and compare differences. the differences will expose what code was changed and provide scope of search to find vulnerabilities based on the changes.

I understand a few reasons for embargo legally, but do not like them. :-/

I purchased my blackphone in response to a stalking problem I was having. The stalker had hacked 3 I phones and a couple of androids and I was fed up. I've had the phone for about a year and I use it for everyday calling, texting etc. I feel 100% private and have had no more phone problems since I switched.

There is/was an update to PrivateOS 1.1.8 now, but the update for 1.1.7 is still missing details:

URL1=https://support.blackphone.ch/custom...otes?b_id=4314

It was last updated Jul 03, 2015 03:35PM UTC.

I've asked for any new ETA on info since we have passed the previous mid-July estimate.

[Edit: They replied on twitter fairly quickly: Adding:]
URL3=https://twitter.com/SilentCircle/sta...90993703145473
URL4=https://twitter.com/SilentCircle/sta...91275719778304
[/edit]


URL2=https://support.blackphone.ch/custom...otes?b_id=4314

All about OpenSSL:
* CVE-2015-1788 https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-1788
* CVE-2015-1789 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1789
* CVE-2015-1791 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1791



Last, don't forget to visit "Silent Store" after each upgrade and check all your apps for updates after installing new PrivateOS updates.

URL1=http://www.techtimes.com/articles/73...ch-display.htm

In this news article is a claim, which is new to me about the new plans for BlackPhone2. (Realize, the past suggestions on direction, release date, and features for both have not been reliable, and journalists can get things wrong, but this was interesting to me:

This could be double-edged. The present BlackPhone SilentStore does not support Google Play. Support for other "stores" in the "Spaces" allows for Amazon and others, but lack of google play support built into BlackPhone1's PrivateOS and no support for other google services means some other tools don't work in BP1. (RedPhone, some games, TextSecure, etc.)

It seems unlikely to me that Google would support "Android for Work" on BlackPhone2 unless Google could get some data-mining information out of the device. So, now I am guessing that we will see a collision between features and use on the new BP2. Google apps may demand broad access, and refuse to work without it. This would give the illusion of control, when in reality it would still be an "all-or-nothing" proposal -- accept Google apps with full access or don't use Google apps.

Seeing the development of new app in the SilentStore at a growth-rate of nearly zero since it opened suggests consumers don't find it too popular, and developers don't see enough consumers to dev for "yet another platform."

Maybe this change in direction they started many months ago towards business use and google play store support will give a more popular product consumers might want even more.


All of this with new competition in the same space: Turing Phone

"Futuristic-looking liquid metal Turing Phone promises total hacker protection"
http://www.cnet.com/products/turing-phone/

"The Turing Phone is the craziest Android device you'll see this year"
http://www.theverge.com/2015/7/18/89...nds-on-preview

"The Turing Phone Is Built to Be Unhackable and Unbreakable"
http://www.wired.com/2015/07/turing-robotics-phone/

The Turing phone marketing or at least the phrases in these articles is alarming. Calling something "Hacker Proof" is like calling ciphers "Military Grade" or "Proprietary and Secret" -- these are often warning signs.

So, while I was at DEF CON, they released PrivatOS 1.1.9:
URL1 = https://support.blackphone.ch/custom...-release-notes

Silent Circle had a booth, and one of the people there had a BlackPhone 2. I asked a few questions about "SilentOS" as the new name vs "PrivatOS" as the old name of the OS, and was told of the differences in highlighting the purpose and target for each, and the new SilentOS should support Google App Store.

None were physically available for sale, but they were accepting pre-orders. I'd like to hear how things worked out for them.

Additionally, they have updated what 1.1.7 was all about:

URL2 = https://support.blackphone.ch/custom...otes?b_id=4314

So, on Aug 17, they releases PrivatOS 1.1.10:

URL1 = https://support.blackphone.ch/custom...-release-notes

Free, public mention for both these CVE, since the update, have not show many details, but he descriptions above from BlackPhone provide some idea on the intended fix.

I've recently updated my BP-1 to 1.1.10 and am playing around with it again.

One problem I'd love to find a way around is how to download .apk packages and install them to BP-1? I don't want to have to create yet another account to join the app store to install a single app.

For BP1 1.1.x, if you can download an "apk" from the browser in the phone, even in another space, it appears to recognize the downloaded apk can be installed as an app.
If the apk is an upgrade, it reports changes in deps/requirements (if any) on install/upgrade. (Some of this likely requires support in the web server serving apk to properly mark the required MIME type.)

So, you really appear to only need the apk-based file in order to get an app installed.

(In PrivatOS 1.1.10 and earlier, just because you can install an app does not mean it will work. For example, if an app requires Google Push Notification support? It likely won't work unless you install quite a few of the google apps assuming they install and work.

For some apps, you can download them direct from the developers's site. An example:

http://plai.de/android/

As linked from:
https://github.com/schwabe/ics-openvpn

which is linked from:
https://play.google.com/store/apps/d...blinkt.openvpn

Side loading has worked on those apk I've downloaded from developer's site, bypassing need to register with amazon store, or other stores, but losing notices of new updates with features to auto-upgrade.

There are websites that will download APK for you from play.google.com, acting a s a proxy, but I don't trust them, and don't know how I would decide which sites were trust-worthy, and which are not. in my view, they have to make money somehow; if your not the customer, maybe you are the product?

There are claims of plugins for firefox and chrome to download APK from play.google.com for you, so you can save on your desktop and then side-load them.

Also, there have been recurring claims that from an ordinary URL with modifications, it is possible do downlod APK direct from http://play.google.com/ , but the ones I found did not work -- it was s-if google engineers fixed those.

Last, there are apps that claim to be able to build APK by intercepting the install process and then manufacturing an apk, but that required another device to run these on and then install from "stores."


They claim BP2 will support google play in at least one of their "spaces" and I saw a demo the had at DC23 Vendor for SilentCircle, but did not ask about push notificaton or other google services and that space with google play store. (Would be nice to have one phone easily support the silent* suite of tools and in another space spport RedPhone and TextSecure or "signal"

I'm not getting my hopes up. I'm expecting minimal "play.google.com" support so I can be surprised if/when they do support RedPhone in addition to their default SilenPhone.

Back to topic:

Since having "apk" files is enough, how do other people get their APK files for sideloading to phones?


HTH,
-Cot

Let's say I want to get an apk from the google store, is there a way to get it off my daily use phone and manually move it to my test phone?

I'm like you and don't trust the "we'll download it for you!" sites

I feel a similar way about the apps that claim to do this, and I am not 100% convinced that the apps that do this, don't just look for where cached copies of the installed app's APK are left behind on the FS, and then just copy them to your SD.

There is/are also plugins for Chrome and Firefox that claim to download APK for you from the play.google.com store, but let you know this is a violation of their ToS, and I *think* these plugin also require you to login, or be logged-in with google before the download will work, which exposes creds or auth-token to this plugin to do other things with.

The web-plugins, websites and android apps that do this APK export all occupy a gray space, where people often employ their use to do something illegal, break contracts, bypass border restrictions on import, etc. and because of this, are great candidates as vectors for malware. They enjoy the same kinds of protections that con artists gain with common cons that usually make a mark into a co-conspirator in the commission of a crime, or actions they would not made public, so if things do go bad, they are unlikely to contact law enforcement and complain, as they would have to admit their involvement in the action, too.

Have you searched the dirs on your phone with a file browser to see if your phone has copies of all its play.google.com installed apps? If so, that would be the most trust-worthy method to get copies of the APK your phone already has.

What I would like, and I bet you would like would be an understanding of how to direct request APK from play.google.com, and have google serve these APK to us. The few descriptions I have read that provided URL constructions to do this do not work for me.

If you or anyone else finds a description of a method that can reliable allow direct download from play.google.com (and not a proxy that demands your trust of the proxy, and downloads a copy from play.google.com and then serves it to you from the proxy, please let us know.

I'm guessing, the best method might be to examine a web-client plugin, so see how it crafts a URL to download APK, and then duplicate it in a shell or script. Another option? Build a custom CA and sign wildcard keys for "*.google.com" and load that wildcard key into something like wireshark or a proxy that does intermediate plain-text, and then dump to plain a packet capture file, and analyze it for how their protocol works.

The last problem with this, though, is getting notifications for updates to Side-Loaded apps via APK -- how do we know an app needs a critical security update, and what happens if we are away from a desktop/laptop that might be used in the process. :-/

I do not know of any export method that extracts configurations/settings for an app and builds an APK to include all of those settings/license(s)/configs. This would be important for any apps that required some sort of in-app license key to activate.

Anyone have a current description of how do craft a URL and request for APK direct from play.google.com?

So now they have released PrivatOS 1.1.11:

URL1 = https://support.blackphone.ch/custom...-release-notes

CVE-2015-1534 on all of the online DB for CVE I've checked so far have it specified as "reserved" without public details. However, code review of CyanogenMod shows where code was changed and what was fixed: http://review.cyanogenmod.org/#/q/topic:CVE-2015-1534 and the summary from blackphone.ch release notes on 1.1.11.

Again, with this update for my BlackPhone, none of my other Android devices have any updates to the OS. There was a time that going with a "Pure Google Phone" (like HTC Android Dev1, or later "Nexus" phones) would mean 2-3 years of OS security fixes. Now it seems like the time for security updates is less than 1 year, and updates can take 2 months to arrive after they are found (by non-malicious hackers/developers) and/or disclosed. Hard to accurately estimate what has been found by malicious hackers/developers, but not disclosed, only saved or used for attacks.

Last info on "BlackPhone2" was "to be release mid September."

Turing Phone (not related to PrivatePhone or SilentOS or PrivatOS) is still in the news. Claims of "No USB port", Ship date of December 18, price tags of $1299, $999, $870, $740, $610 for different models, many of which seem to have prices associated with internal storage space, like Apple has done with the iPhone -- charging well more than what you might pay for an MicroSD to upgrade it yourself, but also claims there will be no microSD slot: http://www.androidpolice.com/2015/08...-turing-phone/
It appears as though Turing Phone as BlackPhone2 might be taking advantage of the Google-provided features in Android for Enterprise support of security. It also looks like BlackPhone/BlackPhone2 will be in the market "first." Being first has many advantages, but provides no guarantee for retention of market share.

If anyone receives a Turing Phone, and has a BlackPhone or BlackPhone 2, please compare/contrast and post your thoughts somewhere online.

Thanks!

Cot, they were taking pre orders for the BP2 at DEF CON, $700 I believe? It looks like a traditional black sleek rectangle. A friend who has a BP-1 said he was passing on the 2 because for the extra money there really wasn't enough more memory to meet expectation of "modern" smart phones in that price range.

I like their frequent update schedule! Now if there was any new software in their app store that would be great. Tor? Authenticator? Wonder why it is so hard to get useful security apps listed.