August 13, 2014 By Rick M Robinson 2 min read

Is the world ready for a more secure smartphone designed to better protect your privacy? Encrypted communications firm service Silent Circle seems to think so, having teamed up with specialty phone vendor Geeksphone to offer the Blackphone, the prime selling point of which is data security. Essentially, a set of cryptographic and other security-enhancing services are bundled into a phone with a modified version of the Android OS.

In the hands of sophisticated users, the Blackphone could help placate companies’ mobile security worries. However, the phone will not entirely eliminate the bring-your-own-device challenge that many enterprises face. One thing it can do, however, is help illuminate the real mobile security challenge: the human factor.

Building Around Security and Privacy

As Fast Co.Labs‘ Luke Dormehl reports, Phil Zimmerman, the creator of Pretty Good Privacy, set out to provide a set of Android apps to enhance smartphone privacy and data security. His company, Silent Circle, ended up working with Spain-based Geeksphone to provide hardware specifically tailored to support the desired software features.

According to Sean Gallagher of Ars Technica, at the heart of the Blackphone is PrivatOS, an OS based on Android 4.4 KitKat. This system gives users much finer control over the permissions the OS provides to the apps running on it.

Blackphone also comes with a bundle of software and subscriptions to security-oriented services such as Silent Circle’s “Friends and Family” offerings, virtual private network (VPN) service Disconnect and SpiderOak secure cloud storage.

Is Blackphone Security for the Sophisticated?

Reviewers who have tested preproduction versions of this phone have been impressed by its suite of privacy and security tools, though its overall performance as a smartphone is only fair to middling. Given that this is the first effort to provide robust mobile security in a consumer-level package, the early results are highly creditable.

There are some inherent limitations. Like all software, Blackphone’s security software is potentially subject to zero-day vulnerabilities. Ironically, if Blackphone gains only niche interest, it will be largely safe from hackers, who will attack more widely used products. If it catches on, however, hackers will be that much more motivated to crack it.

Even aside from potential zero-day vulnerabilities, the Blackphone or similar devices will not entirely put security worries to rest. A brief perusal of the Fast Co.Labs and Ars Technica articles hints at the real challenges of mobile security, with mentions of proxy servers, public keys and VPNs. Security-minded readers will recognize these terms and have at least a general notion of how they relate to privacy and data security.

Read: 4 Essential Ways to Protect My Mobile Applications

However, most mobile users have never heard these terms and are in no rush to learn them, let alone adopt more secure usage habits. As one commenter at Ars Technica noted, no one on his contact list was subscribed to the secure services he used. Often, they were remarkably unwilling to learn or try these more secure tools. While Blackphone can extend some protection to the other end of a call or Internet connection, it cannot create security consciousness.

That is the true enterprise security challenge: creating security consciousness without browbeating people, which doesn’t work very well anyway. Blackphone is one more potential security tool, and a good one for sophisticated users, but no tool can provide security by itself.

More from

How to calculate your AI-powered cybersecurity’s ROI

4 min read - Imagine this scenario: A sophisticated, malicious phishing campaign targets a large financial institution. The attackers use emails generated by artificial intelligence (AI) that closely mimic the company's internal communications. The emails contain malicious links designed to steal employee credentials, which the attackers could use to gain access to company assets and data for unknown purposes.The organization's AI-powered cybersecurity solution, which continuously monitors network traffic and user behavior, detects several anomalies associated with the attack, blocks access to the suspicious domains…

Being a good CLR host – Modernizing offensive .NET tradecraft

14 min read - The modern red team is defined by its ability to compromise endpoints and take actions to complete objectives. To achieve the former, many teams implement their own custom command-and-control (C2) or use an open-source option. For the latter, there is a constant stream of post-exploitation tooling being released that takes advantage of various features in Windows, Active Directory and third-party applications. The execution mechanism for this tooling has, for the last several years, relied heavily on executing .NET assemblies in…

The current state of ransomware: Weaponizing disclosure rules and more

4 min read - As we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage.What once seemed like a disruptive but relatively straightforward crime has evolved into a multi-layered, global challenge that continues to threaten businesses and governments alike.Let’s take a look at the state of ransomware today. We’ll focus on how cyber criminals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today