BlackPhone, BP1, PrivatOS, Do you own one? Do you use it? How do you use it?


  • TheCotMan
    replied
    I'm still seeing dropped service from my phone call/data provider about once a week, where I can't make/receive calls or use 3G/4G data service from the carrier. Instead of rebooting, I switch to "Airplane Mode" then switch off "Airplane Mode" and it finds my service provider again.

    From SilentCircle, notice of update available for PrivatOS-1.1.7:

    URL1=https://twitter.com/SilentCircle/status/616676728237359104

    Originally posted by URL1
    #Blackphone users please update to PrivatOS 1.1.7. This version includes a minor system upgrade to address specific security issues.
    Update Notes: https://support.blackphone.ch/custom...otes?b_id=4314

    Unlike previous updates, this gives no indication of what security issues were addressed, either by referencing a CVE or by commenting on what was changed without a CVE. This is not good. I'm going to ask them about this on twitter:

    URL2=https://twitter.com/TCMBC/status/616679576392089600

    Originally posted by URL2
    Hey @SilentCircle I see https://support.blackphone.ch/custom...otes?b_id=4314 does not list security issues or CVE like previous PrivatOS release notes. What was changed?



  • Emexican
    replied
    I have been using the BlackPhone off and on for a few months. These last two weeks I have used it as my main device. I am finding that since PrivatOS-1.1.5 I have had pretty great stability with side-loaded APKs as well as system apps.

    Pandora 6.1 has only crashed on me once in the 2 weeks that it has been my main device, and I think that it is due to the phone service stability and/or living in a separate space. The APK that I had the most trouble with throughout this entire adventure with BP1 is WeChat... PrivatOS-1.1.4 and below was impossible to use WeChat in a separate space. This might have been the version(s) available at the time were causing the app to crash, or the spaces were helping/causing the problem. I have not tested to see what the issue was, but the bottom line is that it was unusable in a space. WeChat was usable in the Silent Space in PrivatOS-1.1.4 and below, but that kind of defeats the purpose of keeping apps locked up in their own space. As of PrivatOS-1.1.5 and WeChat version 6.2.something.something (latest at time of this post) the WeChat app will run smoothly in a separate space.

    T-mobile USA is generally not stable when attempting to use data for streaming content or browsing the intertubes. My BP1 loves to jump from 4G to HSPA to 3G whenever it feels like it during data use, but when it is just sitting idle it will have a more constant 4G connection. The bars go from 1 to 3 on me when idle as well when in a "full bars LTE" area on another Tmo android device. If my BP1 drops to a lower data connection the bars are magically full strength. I have been trying to use Tmo's LTE IPV6 APN to see if that somehow solves the stability issue, but I can't really test it out since all of my browser attempts time out and apps trying to use data sit in their initiating connection phase. I still have some other things to try in my attempt to get this device to have a decent mobile network connection. I will update this post when I get to testing that stuff out.

    I have a serious issue with the BP1 not disabling touch on the screen and softkeys when the phone is against my face on a phone call. I constantly go into menus or open apps with my face when I am just trying to make a damn phone call!



  • TheCotMan
    replied
    On June 10, they released PrivatOS-1.1.6:

    URL=https://support.blackphone.ch/custom...otes?b_id=4314

    They claim:
    Originally posted by URL
    * Fixes CVE-2015-4000, AKA the "Logjam" vulnerability
    * Includes an updated cipher list
    * Addresses an issue that prevented installation of apps from the Amazon Store
    * Additional bug fixes (no details listed)
    CVE-2015-4000:
    * https://access.redhat.com/articles/1456263
    * http://cve.mitre.org/cgi-bin/cvename...=CVE-2015-4000
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-4000

    As for a comment on stability... Though it has improved with time, yesterday, I lost my phone service provider. The phone reported zero bars. A friend told me via a chat session on my computer that my phone number, when dialed, went right to voice mail. Switching my phone to "Airplane Mode On" then "Airplane Mode Off" magically restored phone service access and I saw 4 or 5 bars.

    Stability is still not quite there for phone service. AFAIK, this is the first loss of service in 1 week, with the same problem a week ago.

    I am hoping the phone service is more stable with PrivatOS 1.1.6.



  • TheCotMan
    replied
    Another update, May 14: PrivatOS 1.1.5

    https://support.blackphone.ch/custom...-release-notes

    They claim fixes for

    * Fixes an issue where VPN services leaked DNS requests
    * Fixes CVE-2014-7954, a path traversal vulnerability in the MTP server

    And most other Android devices? No such updates. "Android" is the Windows 95 of Security -- so many variations on "Android" that without qualifiers, there is an assumption there are gaping security holes, publicly disclosed, but not patched. Some of my devices have had no updates for over 8 months. Without fixes, most Android devices are obsolete before they are purchased.

    For a while, "Google Nexus" would get updates more frequently and for longer periods, but not as long as their first G1 was maintained.

    Last edited by TheCotMan; May 15, 2015, 00:15.



  • TheCotMan
    replied
    So, they released PrivatOS 1.1.4 on May 7, 2015:

    https://support.blackphone.ch/custom...-release-notes

    They claim fixes for:
    * CVE-2015-3636 : BP/SS: "use-after-free vulnerability in the linux kernel" or from RedHat "kernel: ping sockets: use-after-free leading to local privilege escalation "
    * CVE-2014-7953 BP/SS: "vulnerability in the Android backup agent" or discussion from BugTraq: "CVE-2014-7953 Android backup agent code execution"
    * CVE-2014-7951 BP/SS: "path traversal vulnerability that can be exploited via the adb backup feature" or discussion from BugTraq: "adb backup archive path traversal file overwrite"
    * vulnerability in the Blackphone Security Center (Did not find CVE, URL or discussion yet)



  • TheCotMan
    replied
    And now we are onto PrivatOS 1.1.3:

    https://support.blackphone.ch/custom...-release-notes

    With a claim for a fix to address https://cve.mitre.org/cgi-bin/cvenam...=CVE-2015-1863

    I still see stability issues with SMS/texting app crashes, and sometimes the photo/camera app dies, somehow blocking access to the camera for future runs of the camera app (or access to the camera is lost, so no apps can use the camera) until a reboot. I've not diagnosed it. It "feels" like the kernel suddenly dropped device support for the camera which causes the photo app to crash, but I've not started a shell to investigate after the crash. Each time, I was more interested in taking a picture than setting up a shell to investigate. (Not enough time, too many things to do.)

    No new features as far as I can tell.



  • TheCotMan
    replied
    I recently did some international travel with my US-region BlackPhone1 running PrivatOS-1.1.1, and saw an increase in instability problems while away. In two cases, an app crashed (Messaging App) and 6 times over 1 week the phone shut down on its own.

    Additionally, the Band/Frequency support was not as good as an old "WiFi Hotspot" was when traveling. Its multi-band support gave me occasional 4G and 3G service while the BlackPhone often found no service.

    It looks like there is yet another update, this time to PrivatOS-1.1.2:

    https://blog.blackphone.ch/2015/04/1...-1-1-2-update/

    They "patched eight new public vulnerabilities affecting Android.* These vulnerabilities are not as major as the two" (fixed in PrivatOS-1.1.1 update)
    (Public vulnerabilities fixed in PrivatOS 1.1.2: CVE-2015-1525, CVE-2015-0289, CVE-2015-0292, CVE-2015-0287, CVE-2015-0286, CVE-2015-0209, CVE-2015-0288 and CVE-2015-0293.)

    They added 2 features:
    * Random location on screen for PIN entry for access
    * Updated CA list

    They say some other bugs have been fixed.

    Let's see if the stability issues were part of those bugs.
    Last edited by TheCotMan; April 16, 2015, 18:40.



  • TheCotMan
    replied
    URL1=http://apexbeats.com/recent/702-03/b...s-next-update/

    Originally posted by URL1
    Callas also said that the app-store would contain different security-review rows set to maintain the security level of the store and to avoid the fear of using third party apps for its users.

    He concluded that "we are going to review the privacy policies of all the apps to be placed on the store and to approve them with a security seal before its installation. We won't be having any security reviews on games like Candy Crush Saga and Angry Birds as we want people to enjoy their favourite games".
    The statement in context makes it sound like they will add games to the BlackPhone App Store, but not complete any security (and privacy?) reviews of games. Freemium (free to play some content, costs money to play more content, or make things easier, or get virtual equipment) and "Free" games both have a long history of "needing" (wanting) access to your contacts, call status, and more information about you and who you know, from your phone. I understand security is a broad topic (security of private information from those you do not want to have access to it, security from malware, security from theft-of-service, etc.) but the above implies no security reviews.

    It is good to know they won't complete any audits of some apps. Hopefully, they will identify what kinds of checks are done, and with what apps, so corporate users will get advice from professionals on what risks they see as existing with the desired app.



  • TheCotMan
    replied
    About BlackPhone "Spaces" :

    I found that running an OpenVPN client to a server in "captive mode" (all traffic through VPN) link did work as expected in *that* space, while other spaces were not bound to follow the captive routing rules of the space running the OpenVPN client in captive mode.
    Last edited by TheCotMan; March 18, 2015, 11:47.



  • TheCotMan
    replied
    And now, an update to PrivatOS 1.1.1:

    URL1=https://twitter.com/SilentCircle/sta...80584934068225
    Originally posted by URL1
    Silent Circle @SilentCircle #Blackphone users please update to PrivatOS 1.1.1. The update fixes a major vulnerability (CVE-2015-1474) that affects all Android devices.

    URL2=http://cve.mitre.org/cgi-bin/cvename...=CVE-2015-1474
    Originally posted by URL2
    Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values.
    None of my other Android devices have been updated. I guess this is a credit to BlackPhone devs, and at the same time a harsh criticism of most other vendors of Android hardware and the wireless providers that blame each other for not releasing fixes/patches for security issues.

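The bug class in the CVE-2015-1474 entry quoted above (integer overflows while unflattening a message that carries counts of file descriptors and integers), as an added C example that is not Blackphone, Android, or the poster's code: a toy unflatten-style parser whose length check wraps on a hostile count, beside a hardened version. The header layout, the MAX_WORDS bound and the function names are assumptions for illustration, not the real GraphicBuffer code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flattened header (not Android's real GraphicBuffer layout):
 * two 32-bit counts, then num_fds + num_ints 32-bit words of payload. */
typedef struct {
    uint32_t num_fds;
    uint32_t num_ints;
} flat_header_t;

/* Largest word count this toy format may carry; an assumed bound. */
#define MAX_WORDS 4096u

/* Vulnerable pattern, the class CVE-2015-1474 describes: the payload size
 * is derived from untrusted counts with wrapping 32-bit arithmetic, so an
 * absurd num_ints makes "needed" tiny and the length check passes. A real
 * unflatten would then read far past the end of buf. */
static bool unflatten_unchecked(const uint8_t *buf, size_t len,
                                flat_header_t *out)
{
    if (len < sizeof(*out))
        return false;
    memcpy(out, buf, sizeof(*out));
    uint32_t words  = out->num_fds + out->num_ints;        /* may wrap */
    uint32_t needed = words * (uint32_t)sizeof(uint32_t);  /* may wrap */
    return (size_t)needed <= len - sizeof(*out);
}

/* Hardened version: widen before adding, and reject any count beyond what
 * the format can legitimately carry before doing any size arithmetic. */
static bool unflatten_checked(const uint8_t *buf, size_t len,
                              flat_header_t *out)
{
    if (len < sizeof(*out))
        return false;
    memcpy(out, buf, sizeof(*out));
    uint64_t words = (uint64_t)out->num_fds + out->num_ints;
    if (words > MAX_WORDS)
        return false;
    size_t needed = (size_t)words * sizeof(uint32_t);  /* cannot overflow */
    return needed <= len - sizeof(*out);
}

/* Write a header into buf in host byte order (buf must hold 8 bytes). */
static void build_header(uint8_t *buf, uint32_t num_fds, uint32_t num_ints)
{
    flat_header_t h = { num_fds, num_ints };
    memcpy(buf, &h, sizeof h);
}

int main(void)
{
    uint8_t buf[16] = {0};   /* constructed message: 8-byte header + 8 bytes */
    flat_header_t h;

    /* Hostile header: 0 fds, 0x40000002 ints. 0x40000002 * 4 wraps to 8 in
     * 32 bits, so the unchecked parser accepts a 16-byte message. */
    build_header(buf, 0, 0x40000002u);
    printf("unchecked accepts hostile: %d\n", unflatten_unchecked(buf, sizeof buf, &h));
    printf("checked accepts hostile:   %d\n", unflatten_checked(buf, sizeof buf, &h));

    build_header(buf, 1, 1);  /* benign: 2 words, 8 bytes of payload */
    printf("checked accepts benign:    %d\n", unflatten_checked(buf, sizeof buf, &h));
    return 0;
}
```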


  • TheCotMan
    replied
    With Blackphone "Spaces" allowing separate environments (from the description, it sounds like a chroot or jail) they have directions for suggesting "Spaces" can be used for stores.

    Setup a space called "F-Droid" and install the "F-Droid Store" there:
    https://support.blackphone.ch/custom...-f-droid-store

    Setup a space called "Amazon" and install the "Amazon Store" in it:
    https://support.blackphone.ch/custom...azon-app-store

    Likely, because of the tighter integration of Google apps with Android, and Google services it relies upon, Google Play Store is still not supported:
    https://support.blackphone.ch/custom...my-blackphone-


    As to stability, I've seen a few applications crash since using it. "Silent Store" and "Security Center" have both crashed one or two times each in less than 24 hours.


    I checked VyprVPN, and it is not like OpenVPN Connect (which allows you to install your own keys and config.) VyprVPN appears to be competition for the "Disconnect Wireless" app that ships with BP1. The licensing provided with "Disconnect Wireless" on BP1 purchase gives 1GB of data, while VyprVPN free gives 500 MB, but it is not clear if that is a one-time 500MB free, or 500 MB free each month.

    Tresorit appears to be competition for "SpideroakBlack"/"SpiderOak BE".

    CalDav and CardDav appear to be apps to help with syncing Calendar and AddressBook with DAV-based services, so there is a way to sync these with "the cloud" and you can choose your own. I've not tested these, but off-phone storage of these is needed for BP, in case the phone is lost. (Yeah, we could manually export with USB cable to laptop, but this opens things up for each company to run their own spaces for DB sync, and possibly update employee calendars / contacts. Guessing.)



  • TheCotMan
    replied
    PrivatOS 1.1 is now available for download from BlackPhone1.

    This appears to have the new BlackPhone Store/app.

    Their website link which presently comments about PrivatOS 1.1:
    https://blackphone.ch/privat-os/

    Link to their App Store:
    https://silentstore.blackphone.ch/

    A few new apps are listed, but no OpenVPN, RedPhone or TextSecure. (As mentioned before, with link, reliance on Google Push notifications locks the present Whisper Systems apps to those that support Google Push.) There is a "VyprVPN", but it looks like another paid anonymizer/protection service like the one that came with BP1.

    The upgrade comes with application space support, claiming to provide a kind of isolation for each group you create, limiting co-exposure of information contained and gathered by each app from other groups with their apps.

    Again, I do not work for BlackPhone, or gain anything from posting about these updates.



  • TheCotMan
    replied
    Something announced yesterday or the day before, "Silent Circle," used $50 million to buy out the rest of "BlackPhone" from BlackPhone co-founder "geeksphone":

    URL1=http://www.prnewswire.com/news-releases/silent-circle-consolidates-leadership-position-in-the-mobile-enterprise-market-300042132.html

    Originally posted by URL1
    Silent Circle reaches agreement to buy out joint venture in SGP Technologies, will assume full ownership of Blackphone
    Much of the rest of the article reads like a promo piece where companies write about how great they are, and journalists copy/paste as their own.

    When such things happen, businesses like to spin up benefits of one group buying out the other group in such a business. However, some of the risks for costs are obvious:
    1) With SilentCircle the primary owner, there is little chance for them to make it easy for apps that compete in the same space to be made available through the app store they plan to roll out. (Why make it easy for makers of apps like OpenVPN, RedPhone, TextSecure, etc. to port their apps over to BlackPhone? Limiting apps to those that do not compete with their niche in the market, and only their apps creates a barrier for competition to enter the market. If I was running a business based on profit, I too would want to deny competition with others on apps that generate me revenue.)
    2) With a single primary owner, governments have a single thing to attack, to request back doors. The greater the number of people required to sign-off on backdoors, the greater the risk for secret back doors being leaked to the public. On the other hand, the greater the number of people that can do it, the greater the risk for non-government entities (like organized crime) to coerce any individual with sufficient access to add a back door, even if they might be caught at some future date.

    From the BlackPhone website is a link to a blog article:

    URL2=https://blog.blackphone.ch/2015/03/02/mobileworldcongress/
    Originally posted by URL2
    ...Blackphone 2 ... Arriving in the second half of 2015 (3x more memory, 8 cores, bigger screen, longer lasting battery.)
    ... BlackPhone+ (A tablet)
    ... PrivatOS 1.1 (upgrade to their fork of Android OS with their own addition to services.)
    I am guessing that PrivatOS 1.1 will have the new App Store they promised early 2015. We have 29 days until we enter Q2 of 2015.

    URL3=http://www.cnet.com/au/news/silent-circle-reveals-secure-blackphone-2-phone-blackphone-tablet/
    Originally posted by URL3
    ... and Silent Manager, a Web-based tool that lets businesses manage what devices and software employees get on their devices.
    Sounds like a bullet point for sales, to encourage corporate buy-in with restrictions on apps imposed on employees. I can think of many businesses that would like this. However, will they like it enough to switch their employees over to this?

    It sounds like they are trying to make a new "BlackBerry" market, with their announcement to provide better support for "Enterprise Customers." Best guess right now is they are trying to become a kind of closed-system like Apple's iPhone, but I am predicting they will face the problems that BlackBerry and Nokia did with restrictions on apps allowed, and requirements for Devs.

    Apple, being "first" with a widely-consumed smartphone was first to arrive at a ground of contention, so they could impose barriers to enter into their app store.

    Android was a late-comer, and having something equal to the iPhone is not good enough to displace it. To displace another product, some estimate you need something 10 times better, and Android is not 10 times better than iPhone. However, Android competed to displace Apple's iPhone in 2 major spaces of competition:
    1) Make it cheap for wireless carriers to use Android in their own phone, allowing wireless providers to "lock" their customers access to apps to their own app stores, and decrease risk for competition in the app spaces they would prefer to retain profit
    2) Open a google app store (play.google.com) which has a very low cost for devs to enter (initially) and a rarely used "veto" to apps that are denied space. (The only apps banned/denied seem to be apps with genuine malware, or those that (people allege) threaten google's data-mining of consumers. ( https://www.eff.org/deeplinks/2013/1...er-adding-them and http://blogs.wsj.com/digits/2014/08/...id-play-store/ and somewhat related
    https://www.eff.org/deeplinks/2013/1...er-adding-them )

    Still waiting for the BlackPhone App store.
    Last edited by TheCotMan; March 2, 2015, 17:52.



  • TheCotMan
    replied
    There is an article on TomsHardware claiming there is new competition for BlackPhone:

    URL1=http://www.tomshardware.com/news/kaymera-mobile-security-solution-enterprise,28620.html

    It reads a bit like an advertisement, as if Toms Hardware took a press-release from this company, and printed it as-is in a news story. This may not be the case, but there is little in the article comparing and contrasting it to other products at a bullet-point like level. Much of what is presented are really questions about it as a device, and information that we could probably find on the vendor's website.



    URL2=http://www.pcworld.com/article/2886092/longawaited-blackphone-tablet-may-emerge-at-mwc.html

    An article from PCWorld about a new BlackPhone tablet to be demoed at a convention, and it too reads a bit like a direct press release promoting a product and company.

    Not much value in either article, except to know that both include claims of future hardware being made available soon.



  • TheCotMan
    replied
    URL1=http://arstechnica.com/security/2015/01/bug-in-ultra-secure-blackphone-let-attackers-decrypt-texts-stalk-users/
    Originally posted by URL1
    A recently fixed vulnerability in the BlackPhone instant messaging application gave attackers the ability to decrypt messages, steal contacts, and control vital functions of the device, which is marketed as a more secure way to protect communications from government and criminal snoops.
    It appears that was addressed on Jan 20, 2015:
    URL2=https://blog.silentcircle.com/silent-text-version-1-8-security-update/
    Originally posted by URL2
    ...Silent Text v1.8 contains the update to address this vulnerability...
    Latest version in Google Play is 1.8.0 as of Jan 20:

    URL3=https://play.google.com/store/apps/details?id=com.silentcircle.silenttext
    Originally posted by URL3
    version 1.8
    - Ability to connect using Secure Wireless
    - Correct sender name shows when accessing message from notifications
    - Ability to send images/video consistently between devices
    - Fixed multiple connection issues
    - Misc bug fixes
    ... Updated
    January 20, 2015
    Combining this upgrade and timeline with the previously mentioned upgrade from PrivatOS 1.0.5 to 1.0.6 to address https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-1474 and timeline, and comparing host OS upgrades in my other Android phones shows BlackPhone is treating customers better than the many vulnerable Android phones that are never fixed by their vendor and/or wireless service provider.

    For wireless providers, it is counter to their interest to patch consumer phones after purchase:
    * It costs them money to build fixes and test
    * It costs them money in support with new fix when some user's configuration was not tested by carrier leading to a one-off or corner case of troubles which then need to be fixed (re-starting the dev cycle, or as managers see it, "the death spiral of supporting old stuff.")
    * It costs them in false claims of problems with upgrade through consumers applying the fallacy of correlation is causation
    * An exploited phone may cause more data to be used, and with no more "unlimited plans" being offered by many carriers and data overages causing more profit for carriers, exploited phones could increase the money they earn from consumers
    * If consumers buy a new phone sooner than the contract ends, they do so totally out of pocket without a contract incentive and price break on the next phone to extend the contract.

    For vendors of phones, the money they earn is primarily from the initial sale. Any on-going maintenance or upgrade is a loss. A concept of built-in obsolescence and failure to patch bugs can push consumers to buy a new phone in 1 year, anyway, pushing churn. (In this respect, Apple has treated consumers of their iPhones better with more updates for longer periods of time than the average Android phone vendor.)

    Meanwhile, BlackBerry and Nokia owners from decades past will be nostalgic on how their phones were better supported "back in my day." -- Shut up grand[pa||ma], and go play with your 8 track tapes! :-)
