BlackPhone, BP1, PrivatOS, Do you own one? Do you use it? How do you use it?

  • Tilted
    Member
    • Mar 2016
    • 10

    #61
    BP1 lacks adequate documentation

    Although the BP1 does slow down occasionally (i dunno why yet--in some Spaces i currently hav live backgrounds and lotsa apps), and less often this results in an uninvited reboot (maybe once a week with daily heavy use), the main weakness of this device, the reason for the considerable amount of bad press (some of which is surely legitimate, ie genuine, honest) is the glaring lack of documentation. No decent user guide (i finally did hav a look at it), no wiki, no user forum, the FAQs on the Blackphone website often hav no answers ("No English Translation"), just good customer service, security via obscurity (not good).

    Admittedly, this phone is ahead of its time, and when ur pushing the limits of technology with very limited resources, documentation is not a priority. But in this case, the result may hav been compromised security. I dont own a BP2, but it's designed to support Google Services, and maybe those services are adequately compartmentalized into a separate space and dont leak data between spaces (like the BP1 intentionally leaks contact info from its Silent Space as i described in a previous post here recently). I hope the BP2 receives the documentation that BP1 lacks or else i suspect that further security compromises will appear in BP3 (i havnt heard anything about any BP3).

    Jus sayin, u make something new, it works great, but its a flop because u don't explain how to use it. Use ur words, geeks. And then maybe there would be more happy BP1 users here discussing ur words rather than discussing whether or not the device is of any value.

    (i mean, fellow geeks)
    Last edited by Tilted; April 1, 2016, 03:13. Reason: i mean geeks in a good way

    • Tilted
      Member
      • Mar 2016
      • 10

      #62
      About the 2 Silent Stores, and Password Managers

      I can no longer access the Silent Store for BP1 on the web to copy descriptions of apps listed there (i can access the Silent Store from my BP1, but i cant copy the app descriptions that way). Silent Circle Support claims that their Silent Store for BP1 is no longer accessible via the web--lemme kno if u discover otherwise.

      Apparently, there is a separate Silent Store for the BP2 which includes additional apps--i asked Silent Circle support for a password manager recommendation, which they dont usually do, but they did mention Keeper Password (by Keeper Security i presume), which they claim is on their Silent Store for BP2, tho they claim that store also is not accessible from the web (and i cant access the BP2 Silent Store from my BP1).

      Im not recommending Keeper Password manager tho (it's described at the Google Play Store) because it doesnt appear to be opensource, tho it seems that other apps in the Silent Store are also not opensource.

      Update: I did finally find an opensource password manager for the BP1 that encrypts the database with Twofish (a non NIST-approved encryption algorithm, i think by Bruce Schneier). The app includes an integrated clipboard and prevents screenshots of the app from revealing passwords. The app is called PasswdSafe by Jeff Harris and is a port of Password Safe (for the PC) originally by Bruce Schneier. The companion Android app, Passwd Sync, also by Jeff Harris, may rely on Google Services, and so it might not work on the BP1, i havent tried it. PasswdSafe (like BP1) does not yet enjoy much documentation, but gets good reviews.
      Last edited by Tilted; April 5, 2016, 18:13. Reason: added plug for PasswdSafe by Jeff Harris

      • Tilted
        Member
        • Mar 2016
        • 10

        #63
        Edit: Regarding my recurring "mobile data signal loss" problem, i asked Silent Circle about it and they suggested double-checking my APN settings. Oops--i had forgotten to update those settings after switching carriers 3 weeks ago (from a T-mobile MVNO to T-mobile). My 4G signal has been stable the last day or so since updating the APN settings on my BP1. My bad.

        But im leaving the post i wrote about this because generally, the lack of opensource hardware is a huge security problem. I mean firmware that can't be publicly inspected and thus verified to be free of backdoors. Cant be audited. Not that opensource assures security, but without opensource security is hearsay.

        I previously wrote:

        "I wonder if the "mobile data signal loss" problem discussed previously in this thread (which would bother me if i used the BP1 for communicating more than i do) is related to the problem of the phone sometimes slowing down to a crawl and then rebooting itself.

        I hav a data-only plan, so i dont notice a weak signal from my wireless network carrier until and unless it affects mobile data (vs voice calls).

        I suppose i could research the data for this phone on file at the FCC (USA regulatory agency for phones) to discover where the antennas are located on the phone so that i can optimize the mobile data by the way i hold the phone in my hand(s).

        But im guessing that the BP1 modem firmware is at fault (wild guesses here, because im not that knowledgeable on this subject in general or as it pertains to Blackphones), and that firmware is closed source and so the modem firmware programming isnt accessible for review no? And furthermore, the BP2 uses a different modem, made in the USA by Qualcomm no? which is also closed source and so that firmware programming is also not accessible for review, no? And if Silent Circle wants to audit the modem firmware (which im guessing that they really would like to be able to do), or hav a 3rd party do that, then maybe Silent Circle needs to start using yet another modem in the BP3 (i havnt heard anything about any BP3). Ditto regarding SD Card firmware. In other words, if my guesses are correct, then Silent Circle isnt going to be motivated to try to fix the BP1 modem, or the BP2 modem, because Silent Circle cant be assured that any firmware fix will maintain existing modem security, because Silent Circle cant be certain that the modems are currently secure, because Silent Circle cant view the firmware source code because that code is closed source. Or if Silent Circle can view the source code, we cant, so we would hav to trust Silent Circle, which is not a good security scenario.

        Jus saying, jus guessing that Silent Circle is probably putting their energy into obtaining opensource modem hardware for future use rather than risking a closed source modem firmware update that might fix the BP1 signal loss problem, might not, might compromise BP1 security, might not, but will certainly highlight the fact that Silent Circle cant guarantee modem security because the modem firmware is not opensource. And since the modem is the master to the CPU slave in smartphones, Silent Circle cant guarantee phone security. So attempting to fix the BP1 modem is gonna result in some bad press, is gonna pose questions that cant be answered nicely. Jus guessing.

        I personally would not be surprised if the supposed modem problems were due to incessant hacking attempts by government agencies, in which case the occasional drop of mobile data signal reassures me that the BP1 has not yet been hacked!"
        Last edited by Tilted; April 5, 2016, 17:57.

        • Tilted
          Member
          • Mar 2016
          • 10

          #64
          Correction regarding the above post, regarding the relationship between the modem and the CPU in the BP1, i did recently read a 2014-10-10 interview with Jon Callas, Silent Circle CTO, at TechCrunch.com, in which he states:

          “The sort of quality assurance that we simply have to do to maintain a quality device is a 99% security review on the hardware itself. Because if we review that this actually was a CPU that came from NVIDIA, this actually was Flash that came from this manufacturer and things like that, there’s relatively little space for somebody to gimmick the phone. The just in time nature of factories where the parts come in within hours before the manufacturing line starts — there’s just no time and no space in the factory for them to do these sorts of things, and simply normal quality control does that.

          “There are architectural issues that we have looked at. Like the cellular radio. The baseband as it’s called. The baseband that we’re using is NVIDIA’s baseband. They’ve very concerned about the security of it themselves. We know that that baseband is connected to a serial bus, it’s not connected to your processor directly. So that is a huge step up from some of the other cheaper ones that have been in other phones. So this is a case where by picking the right manufacturer and the right level of technical goodness we’re getting almost all of the security things that we want.”

          “But we had to pick a baseband radio from some manufacturer and they are all completely proprietary, they are not reviewed. It is a huge problem. But if you want to have a mobile device that’s on a cellular network you have to live with that,” he continues, adding: “You do have the option of not putting a SIM card in it, and using it wi-fi only.”

          • dr_gonzo
            Member
            • May 2016
            • 1

            #65
            I have a Blackphone 2 and the display has stopped working. Basically, if I reboot, I can enter my PIN no problem but when the OS loads, it appears that the phone is punching random buttons by itself. However, it's not responsive to anything I do.

            My only experience with Silent Circle support so far is worse than abysmal. Questions:

            Has anyone seen this type of issue?

            Are you aware of a phone support option, or any other way to contact them than e-mail?

            • TheCotMan
              *****Retired *****
              • May 2004
              • 8857

              #66
              So BlackPhone 1 is no longer supported with updates and now, if you do not upgrade your blackphone 2 to Silent OS 3, existing certs on Silent OS 2 will expire:

              https://www.silentcircle.com/blog/up...t-phone-today/

              I upgraded my BP2, and after download and reboot, it failed to recognize the encrypted filesystem. I reset to factory OS, upgraded and it worked.

              Some tools seem to be missing, like tools to look at local cell towers/location to decide when close enough to a wifi access point to try to connect, and settings access to USB mount controls have moved, and the granular app controls have changed -- when set to deny, all apps are deny, not just new ones, so you can manually add access for each newly installed app. Now you have to choose default, and then manually visit each app after install to pull-back grants. Some app controls are a bit buggy... select to enable access and then leave selection and return to see none of your selections have stuck. Under "Deny" 2 or 3 apps controls and access grants would not remain granted. I had to use "default" and then visit each app's settings one at a time to get these 2 or 3 apps grants to "stick." But now, Default means new apps installed get free access on first install until I can get to remove grants. It is a small window of opportunity, but that is all that is needed. The better method was the older "deny" which denies all new grants on install before apps run.

              The old location for USB media control was under settings, Storage/USB, top-right options. The "new" location for controlling if media is mountable over USB appears when you connect the USB cable to a device... tap at the top and drag down to see a notification-area item for USB which you can tap and change to "charge-only" or choose to share media. Even with "charge only" my computer recognizes an android device and appears to show a share, even if it does not appear to work. It would be better if the device communicated nothing to any usb host when in "charge only".

              SilentStore app and many other apps are not present.

              The "Battery Saver" options can't be turned on when on power, so if you want that, you need to disconnect power, set it, then reconnect power. After this, it will switch on/off depending on if you are connected to power or not.

              The new OS does not have the desktop "widget" for controlling enabling bluetooth/wifi/gps/brightness/etc, instead that is a drag from top (twice) to get access to these and other items.
              Last edited by TheCotMan; June 23, 2016, 13:56.

              • TheCotMan
                *****Retired *****
                • May 2004
                • 8857

                #67
                URL1=http://www.ibtimes.co.uk/silent-circ...ooping-1569216

                Originally posted by URL1
                Silent Circle: Removal of warrant canary sparks fears of government snooping

                Silent Circle, the privacy-centric smartphone and app developer, has reportedly killed off its 'warrant canary', sparking concerns that users may now be at heightened risk of surveillance.
                ...

                • Dark Tangent
                  The Dark Tangent
                  • Sep 2001
                  • 2732

                  #68
                  I did just apply the 1.1.16 update to my BP1, assuming it will be the last update ever.
                  PGP Key: https://defcon.org/html/links/dtangent.html

                  • TheCotMan
                    *****Retired *****
                    • May 2004
                    • 8857

                    #69
                    URL1=http://www.forbes.com/sites/thomasbr...phone-lawsuit/

                    Sorry that it is Forbes. They require Javascript be allowed in order to see content, and there have been claims that Forbes has relayed requests through advertising chains to deliver malware via javascript, including RansomWare.
                    * Citation: http://www.trendmicro.com/vinfo/us/s...able-adblocker

                    Anyway...

                    Originally posted by URL1
                    Silent Circle, the company behind privacy-focused Blackphone, is in the midst of a troubled period. It’s laid off 20 employees - 15 per cent of its workforce – in the last six months and is considering whether it can produce future models of the Blackphone.
                    ...
                    in the coming weeks, Silent Circle will be terminating dozens of employees and otherwise reducing its operating costs by around 50 per cent.”
                    ...
                    For full details and more on the background for their take on why, you'll have to read the original article, if you dare.

                    If this impacts updates, and BlackPhone 2 falls behind, what will any of you do when you are looking to upgrade to a more secure smartphone to replace BlackPhone2?

                    [Edit: An article from techcrunch that does not require javascript to see the text of the article:]
                    https://techcrunch.com/2016/07/07/si...-a-sales-flop/
                    Last edited by TheCotMan; July 8, 2016, 09:16.

                    • Buckow
                      Member
                      • Nov 2016
                      • 3

                      #70
                      Does anyone know what version of Google Play Services to install for PrivatOS 1.1.17 (Android 4.4.4) on BP1? I'm trying to use Signal, which requires Google Play Services. I know BP1 doesn't officially support Google Play; I thought I read it was possible to install it anyway.

                      • TheCotMan
                        *****Retired *****
                        • May 2004
                        • 8857

                        #71
                        Originally posted by Buckow
                        Does anyone know what version of Google Play Services to install for PrivatOS 1.1.17 (Android 4.4.4) on BP1? I'm trying to use Signal, which requires Google Play Services. I know BP1 doesn't officially support Google Play; I thought I read it was possible to install it anyway.
                        I started down the road of importing APK to get signal to run on BP1, but the deps tree that was unlocked caused me to stop. After BP1 was EOL, I replaced one with a BP2, which supports Signal. BP1 is no longer getting any security updates from Silent Circle; I no longer use my BP1. I do not have an answer for you for BP1. Maybe someone else can help?
                        Last edited by TheCotMan; November 21, 2016, 01:23.

                        • Buckow
                          Member
                          • Nov 2016
                          • 3

                          #72
                          Originally posted by TheCotMan

                          I started down the road of importing APK to get signal to run on BP1, but the deps tree that was unlocked caused me to stop. After BP1 was EOL, I replaced one with a BP2, which supports Signal. BP1 is no longer getting any security updates from Silent Circle; I no longer use my BP1. I do not have an answer for you for BP1. Maybe someone else can help?
                          Thanks! Maybe it's time to replace my BP1 then.

                          • TheCotMan
                            *****Retired *****
                            • May 2004
                            • 8857

                            #73
                            Originally posted by Buckow

                            Thanks! Maybe it's time to replace my BP1 then.
                            From the day it was new, the BP1 lasted around 2 years, but less than 3 before they dropped support (future security updates) for it. BP2 has been out for over 1 year. If BP2 security support is like BP1, then even if you buy one new now, then you get only 1-2 years of security updates for their OS.

                            Next, I do not know what their plans are for BP3. They have been going through re-organizations of their financing, and had financial difficulties when sales did not work out as expected and they bought out the other half of the company from the other owners (Geeksphone). Silent Circle announced plans for a BP3 (and a tablet) before the financial issues which surfaced a few months after the BP3 article appeared: http://www.digitaltrends.com/mobile/...kphone-3-news/ (December of 2015 (last year))

                            There was talk that they would get out of the SmartPhone market. There was also talk they would stop designing their own phones, but still produce SilentCircle OS on future phones.

                            In July (of this year, 2016) there was an article that claimed a BP3 was still being planned ( http://arstechnica.com/information-t...cloudy-future/ )

                            I've not seen a SilentCircle tablet mentioned since the one article a long time ago (2 years ago?) mentioned it.

                            So, if a BP3 is to be available soon, buying one new would give you more years of support (assuming support life-span is like BP1 and BP2.) So, it is a better value to wait for BP3 or not worry about cost and get a BP2 even if a new BP2 only gives you 1-2 years of updates (assuming past support on BP1 will predict future support on BP2.)

                            • Buckow
                              Member
                              • Nov 2016
                              • 3

                              #74
                              Originally posted by TheCotMan

                              From the day it was new, the BP1 lasted around 2 years, but less than 3 before they dropped support (future security updates) for it. BP2 has been out for over 1 year. If BP2 security support is like BP1, then even if you buy one new now, then you get only 1-2 years of security updates for their OS.

                              Next, I do not know what their plans are for BP3. They have been going through re-organizations of their financing, and had financial difficulties when sales did not work out as expected and they bought out the other half of the company from the other owners (Geeksphone). Silent Circle announced plans for a BP3 (and a tablet) before the financial issues which surfaced a few months after the BP3 article appeared: http://www.digitaltrends.com/mobile/...kphone-3-news/ (December of 2015 (last year))

                              There was talk that they would get out of the SmartPhone market. There was also talk they would stop designing their own phones, but still produce SilentCircle OS on future phones.

                              In July (of this year, 2016) there was an article that claimed a BP3 was still being planned ( http://arstechnica.com/information-t...cloudy-future/ )

                              I've not seen a SilentCircle tablet mentioned since the one article a long time ago (2 years ago?) mentioned it.

                              So, if a BP3 is to be available soon, buying one new would give you more years of support (assuming support life-span is like BP1 and BP2.) So, it is a better value to wait for BP3 or not worry about cost and get a BP2 even if a new BP2 only gives you 1-2 years of updates (assuming past support on BP1 will predict future support on BP2.)
                              Thanks for the advice. I recall hearing about the Blackphone 3, and a tablet, a while ago, but it's been a while as those articles show. A search doesn't turn up any more recent results for BP3, so I doubt it's coming soon. And I'm not confident that Silent Circle will be able to support hardware, given their financial problems. As the arstechnica article says, it seems like the privacy and security of iOS and other Android devices have largely caught up to the Blackphone over the past couple years, so I might just buy an iOS and other Android device (one made by Google, so it gets security patches quickly--some handset makers delay patches for months!).

                              Do you see any significant advantages to a BP2 over iOS or other Android?

                              • TheCotMan
                                *****Retired *****
                                • May 2004
                                • 8857

                                #75
                                Originally posted by Buckow

                                Thanks for the advice. I recall hearing about the Blackphone 3, and a tablet, a while ago, but it's been a while as those articles show. A search doesn't turn up any more recent results for BP3, so I doubt it's coming soon. And I'm not confident that Silent Circle will be able to support hardware, given their financial problems. As the arstechnica article says, it seems like the privacy and security of iOS and other Android devices have largely caught up to the Blackphone over the past couple years, so I might just buy an iOS and other Android device (one made by Google, so it gets security patches quickly--some handset makers delay patches for months!).

                                Do you see any significant advantages to a BP2 over iOS or other Android?

                                There are a few advantages in the BP2 compared to other android or maybe even the iPhone. USB, Firewire, PC Card, CardBus -- all of these create security risks for things like direct memory access, insertion of code contained in firmware, trusting devices to be what they claim to be, and more. With these, a whole class of direct access to memory, and/or running of code as "system" are possible. The BP2 (and BP1, IIRC) have support in hardware to turn off data to the OS to act much like as if a USB-condom were placed in-line for USB connections (Enable "charge-only" for when USB connections are made to the phone.). This is what BP support claimed of the BP1 and BP2. I do not know if it is true. If this is true, this is a feature I have not seen in other android or iPhones. Without something like this, things like JuiceJacking or direct memory exploit (or system exploits) may be easier. I'm not sure if any or all of these exploits in the USB space require "host-mode" USB or not, and if they will work with OTG supported configurations, but I would bet they would.

                                There are built-in applications that are part of BP2 that might be available elsewhere, like not automatically connecting to all wifi hotspots that share a name of a hotspot that was previously learned; use location information from GPS and/or cell towers to establish if the phone is "close enough" to reconnect to a hotspot with the same given name. Other built-in applications that report on degraded telco crypto (forced from 3G to 2G, or from a 4G LTE to 3G or 2G) and applications that check for "ping" SMS used by law enforcement (or other evil users) to convince a phone to reply to SMS without (normally) notifying the owner of the device.

                                The already built-in tools and features are nice.

                                There is a "Security Center" app which is a nice addition to consolidating a bunch of security-related things together, with notices on security risks, and quick access to things like App access limits, and defaults. (Tap "Security Center" then "Owner" then "Settings" then "Privacy Level" and you can set to "Deny All" : This denies app access to all sub-classification of access like location, contacts, sms, phone, storage, camera, calendar, microphone, etc. So that all new apps installed after this are denied everything, requiring you to visit the app allowances and turn on those things you want that app to access.) Some of the app controls in newer stock Android are already present in modern android. You can compare/contrast on your own.

                                At this point, if I had to go with a more security-centric android phones, I would probably go with a BP2, but Apple *probably* has more security support in their latest iPhone. Considering the complaints made by Feds about inability to gain access to encrypted content. Complaints about protected data on Android seem less common (but still exist). With Android having ~80% of the smartphone market, I would expect MORE cases where courts demand access to data on Android phones. Does that mean such requests are being honored so there are fewer complaints? Maybe they are not "possible" and the dialogue between google (or providers) and entities demanding decryption have legal requirements to remain secret? Maybe most Android users use a default install, and do not opt for full device encryption? Maybe only a small fraction of android phones have "good enough" security to cause feds to ask for help in gaining access to data? We as the public won't know how easy it is for governments to circumvent security on our devices intended to maintain our privacy any time soon.

                                Assuming no backdoor deals between feds and Apple, and the complaint from feds about iPhone data access being too hard is genuine, an iPhone probably has a better track record at supporting consumer privacy than even the most secured modern Android phones.

                                I do not like what Apple has become; easily being able to tweak details and minutia has been removed from Apple products for a long time. They have become more like Microsoft. Details and learning how to use a device is more about memorizing steps needed to make changes, not learning how to use tools which seldom change. For now, many of these tiny details can be altered in Android, but Google's Android is slowly becoming more and more closed-source, as google continues walling off options, walking a path like Apple.

                                Sorry, I have no suggestions on which is better; only comments on which is least worst.

                                Last edited by TheCotMan; November 23, 2016, 17:15.
