Blackphone, the carrier- and vendor-independent smartphone that was created with the goal of placing privacy and control directly in the hands of its users, is not without its flaws, the Bluebox Security team discovered while reviewing it.
The team analyzed the device running version 1.0.2 of PrivatOS, which is built on Android and comes pre-installed with a suite of privacy-enabled applications such as Silent Circle’s Silent Phone, Silent Text, and Silent Contacts for secure calling, text messaging, and contact storage, and the Security Center app that allows users to control app permissions. All these apps have been built by the companies behind Blackphone (Silent Circle and Geeksphone).
The phone also has some third-party apps installed, such as Disconnect Secure Wireless, which creates a VPN connection from the device to the Disconnect.me (Blackphone partner) servers, and a special, Blackphone version of the online backup tool SpiderOak.
The team discovered a number of problems with the device itself and the apps on it.
For one, there is currently no method to update apps individually – this is an issue that will be fixed by November. Secondly, there is a lack of critical apps – for example, an app that will allow the user to open a PDF or Word document. This will force the user to install third-party apps via sideloading or other untrusted methods, as the phone does not offer an app store from which a download can be trusted.
A surprise find was that some of the apps sported information disclosure vulnerabilities.
“Specifically, we discovered that when you log into the backend services for the core apps (Silent Circle apps, Secure Wireless, and SpiderOak) of the phone, the apps are leaking the username and passwords to any SSL server. We observed this by setting up a MitM network attack on the device and installing our own SSL root certificate,” the researchers shared in a blog post.
“This type of MitM attack can be mitigated by implementing SSL pinning into the apps,” they pointed out, adding that other apps may also be leaking information.
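What that mitigation looks like in practice, as an added example in Go that is not Blackphone’s or Silent Circle’s code (an Android app would do the same in its TLS trust manager): the client hashes the server’s public key (SPKI) and refuses the handshake unless it matches the pin shipped with the app, so a certificate issued by an attacker-installed root CA is rejected even though the chain verifies. The hostname backend.example and the self-signed certificates are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// SPKIPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo, the value an app ships for its backend.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned returns a tls.Config.VerifyPeerCertificate callback: the leaf must carry the pinned key,
// so a certificate minted under an attacker-installed root CA is refused even though its chain verifies.
func VerifyPinned(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if SPKIPin(leaf) != pin {
			return errors.New("SPKI pin mismatch: refusing to send credentials")
		}
		return nil
	}
}

// SelfSignedDER mints a certificate with a fresh key (constructed test data); a second call stands in for a MitM proxy.
func SelfSignedDER(host string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Set the callback on the app’s tls.Config (VerifyPeerCertificate: VerifyPinned(pin)) and the normal chain validation still runs first; the pin is an additional check, not a replacement for it.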
The team also found the 150+ root certificates pre-installed in the system credential storage problematic.
“This means your device is trusting a significant number of certificate authorities — some of which you may not feel comfortable about,” they noted, pointing to one specific certificate named “Government Root Certificate” as an example.
They can be disabled, but it’s a tedious job that has to be done manually. Luckily, the creators of Blackphone have been open to pruning that list and have been collaborating with Bluebox researchers on this; a change is expected in future updates.
Blackphone developers have already fixed the vulnerabilities found in the Silent Circle apps by pushing out PrivatOS 1.0.3 a mere eleven days after they were notified about them.
This is not the first time this privacy-minded handset has been tested. Last month at DEF CON, Jon Sawyer, CTO of Applied Cybersecurity, discovered several vulnerabilities, some in the initial version of the device’s firmware, which have since been patched in record time.
As noted before, despite what users may have been expecting, Blackphone developers knew that researchers would ultimately find vulnerabilities in the device and software on it. They were actually hoping that bug hunters would test the device and share their findings.
The developers’ ultimate goal is to push out patches for found vulnerabilities faster than any other OEM – fixing issues as soon as they or other people find them.