Blackphone review: is a secure smartphone possible?

We have bought our very own Blackphone to check its security firsthand.

Blackphone, a smartphone often touted as the “most secure and privacy-oriented smartphone”, arrived at a very timely moment. In the year of the Edward Snowden revelations, anything with a “privacy” tag sells out quickly. However, the question remains – does Blackphone (BP) keep its creators’ promise? Technically speaking, BP runs PrivatOS, a customized Android 4.4. Applications run smoothly on the device, but its default state is dramatically different from what you can see on most “droids”. These settings and alterations make a difference.

Physical features, display, camera, battery

Blackphone is quite an ordinary-looking smartphone with all shades of black plastic dominating its face and back. The device is thin (8.4 mm/0.33 in) and light (119 g/4.2 oz), but not small, thanks to the generous 4.7″ screen. However, other screen features are not that generous. The resolution is 720×1280, which feels a bit grainy for a 4.7″ diagonal, and the brightness range is quite narrow. The screen feels too bright in the dark and too dark in direct sunlight. Viewing angles are good though. BP is equipped with very typical micro-USB and headset connectors on the top side and the classic duo of volume rocker and power button on the right. All slots (microSIM, microSD and battery) are hidden under the removable back cover. Battery capacity is 2000 mAh, btw, which is considered mediocre for modern phones, but works quite well for BP. The camera on the back is a very straightforward 8 mp shooter – aside from LED flash, HDR and video recording capability, it lacks modern marketing gimmicks and you can’t expect much of it.

Image courtesy of Blackphone.ch

Communications features

Blackphone works in most countries thanks to a radio supporting GSM, HSPA+ (3G) and LTE (4G). GSM and UMTS work everywhere, but LTE is trickier, which is why BP comes in two flavors – Region2 for North America (LTE bands 4, 7, 17) and Region1 for the rest of the world (LTE bands 4/7/17). This doesn’t mean that you can’t use a Region1 BP in the USA or a Region2 BP in Europe, but the phone will be limited to 3G speed (maybe “limited” is a good thing here, as roaming charges for Internet are devastating). BP also supports modern Bluetooth 4.0 (hello smart watches and fitness trackers!) and fast Wi-Fi (802.11 b/g/n). Software additions try hard to make Wi-Fi more secure. NFC is not supported.

Storage capacity, Processing power & power saving

BP comes with 16Gb of internal storage, of which 12.5 Gb are at the owner’s disposal. The microSD slot accepts cards up to 64 Gb. The phone actively bugs the user to encrypt these storage pools, and we recommend it too. However, it comes at the cost of increased power consumption and slightly reduced performance. Another thing that obviously affects performance is power saving. There are three presets (max performance, max saving, balance), and while maximum performance makes BP really snappy (over 31000 points in the AnTuTu benchmark, not too far from HTC One M8 or Samsung Galaxy S5, each scoring about 35,000), even Balanced power saving dramatically decreases this score to 12,000. However, other power saving options may be very effective even without disabling two of four CPU cores or decreasing the screen refresh rate. First, the absence of Google services dramatically reduces background data transfers and the associated battery drain. Second, the nSaver utility allows you to limit background activity of any app (or all apps altogether), also reducing power consumption. At the end of the day, Blackphone manages to squeeze two full days of moderate use from its battery, given that you keep the default application set.

Software & security

Blackphone’s PrivatOS is a modified Android 4.4. It has no Google services at all, with recent apps like Chrome, Hangouts or G+ photos replaced with older open-source (AOSP) versions. The setup process doesn’t involve setting up any accounts on the device; moreover, the only preinstalled apps that require an account are generic email clients and a BP-customized version of SpiderOak, an encrypted, “zero-knowledge” cloud storage (think of secure Dropbox). What is required at the setup stage is a strong PIN code to protect the device, and full-disk encryption. The encryption can be postponed, but BP will remind you to do it later. After a simplistic setup, we can see a very generic Android launcher with very generic apps and icons. Interesting additions to the app list are the aforementioned SpiderOak, Security center, SmArter Wi-Fi, remote wipe, secure wireless, a trio of Silent Circle apps, plus a private search widget.

Most of these tools could be installed on any Android smartphone, fortifying some of the communication channels, but the real differentiator of BP is Security Center. In addition to reviewing some general settings like device encryption and remote lock, it allows you to control any installed app and revoke its permissions if you consider some of them too invasive. For a mapping app, say, you can keep the location permission but revoke access to your address book and phone ID. Any installed app automatically pops up in Security Center and recommended settings are applied. Keep in mind that at the installation stage you must accept the whole list of required permissions, but immediately after installation some of them could (and should) be revoked.

Let’s briefly review other apps. Smarter WiFi allows you to enable wireless only in certain locations, saving battery and hiding BP from Wi-Fi-enabled device tracking. Remote wipe is an antitheft tool with limited functionality. Private search provides a tracking-free Google/Bing/DuckDuckGo/Blekko/Yahoo experience via the disconnect.me service. Secure wireless is a client for the “smart” VPN service of disconnect.me, and the basic service is free. The most interesting additions are the Silent Circle apps, which claim to provide high security, “NSA-proof” voice and video calls, file sharing and text messaging. Obviously, for full protection the other party must have the Silent Circle subscription as well, which is not cheap.

The dilemma

Here comes the primary drawback of Blackphone as a smartphone. You can’t immediately dive into the ocean of apps, as the device lacks any kind of “app store” and just doesn’t give you a clue about possible ways of obtaining the apps. You must either find APK files (Android installation packages) for each app on the web and download them directly, or install some third-party app store like Amazon App store or Yandex store. However, each of these actions poses a risk to your privacy and/or security. You must give many permissions to the app store application to make sure it works properly. If you resort to direct APK download, you will be constantly at risk of malware infection, as many APKs on the Internet are malicious Trojans disguising themselves as popular apps and games. Unfortunately, Blackphone lacks even the basic malware protection provided by Google Play, and privacy controls have little to do with it.

“PrivatOS is no different from Android when it comes to malware infection. In our test, a real-world banking Trojan was able to steal credentials from the mobile banking app installed on Blackphone. The malicious app even managed to exploit standard Android vulnerabilities to prevent its removal. In addition, a preinstalled browser does little to prevent visiting phishing sites”, – said Roman Unuchek, Kaspersky Lab Senior Malware Analyst.

So at the very least, any Blackphone owner needs malware protection. However, s/he has to accept the existence of cloud-enabled scans, which are used by most antiviruses to reduce CPU and battery consumption. In general, each new app you install poses additional risk to your privacy as it may leak information to app creators or third parties (typically analytic and advertising services). So if you want to keep your privacy shields as strong as possible, you must not install additional apps, which is crazy and diminishes the entire concept of a “smart” phone. This is a pure dilemma and Blackphone creators have held themselves aloof from it.
