Foreword: This is a think piece, with background material, personal opinion and analysis.
I’ll be discussing BlackBerry security assets and implementation that could be leveraged to add security layers around the Android OS.
Consider this a thought piece if anything on ways BlackBerry could tackle the larger security problem that is Android…With Lollipop and further with Android M, Google is working to increase the user controlled permissions for apps and overall security on their devices. Looking to shake the insecure stigma, Android for Work has been established to create an OS level secured container to allow EMM connectivity and further the usability of the Android offering within enterprise.
BlackBerry has many assets that could be ported or replicated on Android to build up the layers of security on the top level to protect Android from itself. This includes the applications, the data at rest and the movement of data between other devices and the internet at large. Google is placing a focus on security improvements, giving users greater control over app permissions – a tenant of the OS that BlackBerry 10 users have been spoiled with from day one. As Google, from a security prospective, replicates a lot of what BlackBerry 10 has done on the top end, there’s still plenty of security vulnerabilities inherent within the open nature of the Android OS. We’ll work top down on the measures BlackBerry can take to create a secure Android.
OS LEVEL SECURITY
Enter BlackBerry Safeguard:
“BlackBerry Safeguard effectively allows users to protect and secure all information on any app, including the device’s Web browser. This safeguard feature leverages app permissions by allowing users to set up private or public usage restrictions through the Privacy and Security menu available on most apps, allowing users to protect their data…even browser cookie information.”
This Safeguard application lives within BlackBerry 10 by design, but signs that BlackBerry aims to port this application and feature set to Android are apparent through leaked images and video we’ve seen of Android running on BlackBerry hardware (presumably on internal testing units). If implemented correctly, this would offer a shield of protection to lock down Android apps.
“BlackBerry Guardian evaluates all apps and games in BlackBerry World before they’re made available for downloading. BlackBerry Guardian is designed to protect you from downloading apps and games that might include malicious software or privacy concerns. The BlackBerry Guardian icon in the BlackBerry World storefront indicates that the app or game has been evaluated for malicious software or privacy concerns. BlackBerry Guardian also incorporates technology from software security leader Trend Micro. BlackBerry Guardian is constantly evolving to help identify the most advanced forms of malicious software and privacy concerns. If malicious software is discovered in an app or game after it’s available, the app or game is removed from BlackBerry World.”
BlackBerry has been working with Trend Micro to implement a more robust approach for addressing privacy and security concerns related to third-party applications. By incorporating Trend Micro’s advanced mobile scanning and detection capabilities with their own internal proprietary application analyzing system, they can provide another layer of protection and assurance for BlackBerry customers. To be fair, Google already has something similar called Google Bouncer for Google Play.
“This built in app that comes as a part of the BB10 operating system is capable of working together with the cloud and protects your device data. The best feature is that in case your phone is lost or stolen, you can remotely access it with the help of cloud and delete all the sensitive information as well as transfer it to your next handset effortlessly. The BlackBerry Protect feature works with the Blackberry ID, therefore, no one will be able to disable the BB Protect unless they have the ID and password to access the app.”
This goes without saying that BlackBerry Protect is a great way to effortlessly manage a device that has been lost or stolen, and to protect data on the device. Something like this for Android based BlackBerry would be a no-brainer. BlackBerry sees security even outside the hands of the user and has built cloud-based software to allow customers to address these concerns and recover, wipe or lock down data when the device becomes inaccessible.
KERNEL LEVEL SECURITY
LINUX vs QNX:
Android OS is an OS developed on a modified, monolithic Linux kernel, whereas QNX is a Real Time OS (RTOS) developed atop a microkernel. The main difference of each comes down to the architecture of the underlying system. How assets, libraries, drivers and the OS are executed on the kernel level directly correlates into how easy or complex it will be to secure the platform. Android is a more traditional architecture (read: less refined) with different top level aspects of the OS able to directly execute down to the root kernel. What this means is that hackers can exploit OS level vulnerabilities to manipulate the underlying kernel and ultimately overtake how data is accessed, stored or executed on said OS. Android applications run in a sandbox, an isolated area of the system that does not have access to the rest of the system’s resources unless access permissions are explicitly granted by the user when the application is installed. This puts real security on Android in the hands of the USER, not Google. As discussed in the opening, Android is continuously being developed to address some of these end user concerns with permissions, but due to the open nature of Linux, and thus Android, some of the exploits researchers have discovered have been accessible for years.
In this scenario, we have to assume BlackBerry has something that Google even wants. And that’s a hard pill to swallow considering Google’s reach and wealth. If you read up on the histories of Android and Linux, it seems to be a tale more of tedium than care. Google must make modifications and refinements to the kernel to meet their growing needs: increasing performance, memory management, etc. In this way, Google is stifled by the open source and has to invest money into the continued support for this backbone of the Android OS. BlackBerry’s QNX predates Linux by about a decade. Much of the QNX development tree has been focused on refining the microkernel to be exceptionally proficient. By design, it has stability laid in brick by brick, whereas the Linux kernel by design is not really built to load added kernel modules. This is less a Linux problem and more a problem with Monolithic kernels in general.
Linux and QNX could be considered opposites in terms of foundation. Android demands more access to the base kernel level to execute against the hardware. QNX on the other hand hosts all base and application system processes in user space protecting the kernel, and so it can maintain mission critical performance. The scope of the difference can be animated by numbers. Linux is about 15 million lines of code, whereas QNX is only 100K. Now if BlackBerry were to adapt Android, pay up for new drivers and aim to truly secure it – they could move components from the kernel mode on Android to the user mode atop QNX. In so doing, they would be able to replicate the same down-to-the-hardware security they have with BlackBerry 10 devices.
Let’s daydream on what BlackBerry has been working on… since they offered the 10.3.1 GOLD SDK back in November of 2014… IF they’ve been working on a secure Android solution, that would give them a one year timeline and credence to the relative slow down in BlackBerry 10 OS development. A secure Android would allow BlackBerry to fight much more flexibly in the enterprise space, where so many users are forced to carry two phones. Be it a BlackBerry for work and an Android or iPhone for personal use, being able to offer a BlackBerry that can be a user’s one device but still maintain a work and personal benefit would open up the enterprise sales teams to really drive up hardware sales. Now, BES12 already has connectivity as an EMM solution for Samsung KNOX devices and Android for Work; using QNX as a secure foundation to protect Android would establish BlackBerry hardware as THE most secure hardware in the market, allowing Google to capitalize in security through BlackBerry. An agreement such as this would fundamentally change Android. But if you really know anything about Android, you’ll know over time, as Ron Amaedo said:
“Android is open—except for all the good parts”
More and more of what originally made Android ‘open’ has been plugged into Google Services so Google can have more control over 3rd party applications/services and how deeply they can run within Android. It’s plausible that if BlackBerry innovates around the Android OS to offer better device security parameters, they can harness Android and Google Services into areas of the market they aren’t yet well established. This would get Android further into enterprise while allowing BlackBerry to connect services and applications to expand their hardware/software ecosystem. Which, uh, is happening anyway… For all we know, BlackBerry will simply join the OHA, slap some apps on Android and call it a day. Maybe they’ll utilize QNX and virtualize the Android OS with a hypervisor. Dual-boot, no perhaps it’ll be an user defined option at boot, maybe a Linux for QNX kernel swap. It really doesn’t matter. Regardless of what’s being tested, Android + BlackBerry is an interesting pairing.
Think about it. PlayBook OS/BlackBerry 10 contain the Android runtime, BlackBerry has actually been looking at Android on-top of QNX since they acquired the company back in 2010.
It’s my personal and by no means infallible opinion that the end game is to secure the world’s most popular mobile OS.
Can you picture the bootscreen?
Secured by BlackBerry. Powered by Android.
- The Future of Android on BlackBerry (Editorial)
- The Android-powered BlackBerry Venice slider is starting to look real
- INTEGRITY Multivisor – Green Hills Software (Current BlackBerry CSO)
- Android on BlackBerry Is Good Business
- The BlackBerry Slider is Badass
- BlackBerry’s QNX Launches Hypervisor 1.0 VMM