
Exclusive: A review of the Blackphone, the Android for the paranoid

Custom-built with privacy in mind, this handset isn’t for (Google) Play.

Sean Gallagher
Built for privacy, the Blackphone runs a beefed-up Android called PrivatOS. Credit: Sean Gallagher

Based on some recent experience, I'm of the opinion that smartphones are about as private as a gas station bathroom. They're full of leaks, prone to surveillance, and what security they do have comes from using really awkward keys. While there are tools available to help improve the security and privacy of smartphones, they're generally intended for enterprise customers. No one has had a real one-stop solution: a smartphone pre-configured for privacy that anyone can use without being a cypherpunk.

That is, until now. The Blackphone is the first consumer-grade smartphone to be built explicitly for privacy. It pulls together a collection of services and software that are intended to make covering your digital assets simple—or at least more straightforward. The product of SGP Technologies, a joint venture between the cryptographic service Silent Circle and the specialty mobile hardware manufacturer Geeksphone, the Blackphone starts shipping to customers who preordered it sometime this week. It will become available for immediate purchase online shortly afterward.

Specs at a glance: Blackphone
SCREEN: 4.7" IPS HD
OS: PrivatOS (Android 4.4 KitKat fork)
CPU: 2GHz quad-core Nvidia Tegra 4i
RAM: 1GB LPDDR3 RAM
GPU: Tegra 4i GPU
STORAGE: 16GB with MicroSD slot
NETWORKING: 802.11b/g/n, Bluetooth 4.0 LE, GPS
PORTS: Micro USB 3.0, headphones
CAMERA: 8MP rear camera with AF, 5MP front camera
SIZE: 137.6mm x 69.1mm x 8.38mm
WEIGHT: 119g
BATTERY: 2000 mAh
STARTING PRICE: $629 unlocked
OTHER PERKS: Bundled secure voice/video/text/file sharing, VPN service, and other security tools.

Dan Goodin and I got an exclusive opportunity to test Blackphone for Ars Technica in advance of its commercial availability. I visited SGP Technologies’ brand new offices in National Harbor, Maryland, to pick up mine from CEO Toby Weir-Jones; Dan got his personally delivered by CTO Jon Callas in San Francisco. We had two goals in our testing. The first was to test just how secure the Blackphone is using the tools I’d put to work recently in exploring mobile device security vulnerabilities. The second was to see if Blackphone, with all its privacy armor, was ready for the masses and capable of holding its own against other consumer handsets.

We found that Blackphone lives up to its privacy hype. During our testing in a number of scenarios, there was little if any data leakage that would give any third-party observer anything usable in terms of private information.

As far as its functionality as a consumer device goes, Blackphone still has a few rough edges. We were working with “release candidate” versions of the phone’s operating system and applications, so it would be unfair to judge their stability too harshly. But since the Google ecosystem of applications (Chrome, Google Play, and other Google-branded features) was carved from PrivatOS, a privacy-focused fork of KitKat, it may feel like a step backward for some Android users—and a breath of fresh air for others.

Out of the (metaphorical) box

The back of the Blackphone, with its 8-megapixel camera. Credit: SGP Technologies, SA

Blackphone is, at first glance, a fairly standard-looking Android phone, with what appears on the surface to be a vanilla installation of Android 4.4 KitKat. But in fact, its operating system is PrivatOS, which gives the user a much higher degree of control over what apps running on the phone are allowed to access and what they can do. And the pre-installed applications on the phone, aside from the standard Android system apps, are all focused on keeping conversations, text messages, Internet searches, and application data private—as well as preventing the kinds of Wi-Fi attacks and data harvesting mobile devices are often vulnerable to when away from trusted networks.

Since the Blackphones we tested were pre-production versions—the final, full manufacturing run starts shipping sometime after June 30—the final packaging wasn’t ready, so we couldn’t get the full “unboxing” experience. The demo phones were also European GSM models, so they were limited to T-Mobile’s non-LTE “3G-plus" service. Production phones will be LTE-capable.

The only cosmetic difference between our test phones and the final product, Weir-Jones told me, was a small bit of chrome on the bottom edge of the touch bar under the screen that will be (of course) black in production units.

The phone is cosmetically appealing, easy to grip, and is feather-light (just over four ounces) but doesn’t feel flimsy. While the Blackphone’s specs may not be state-of-the-art amazing, they aren’t embarrassing either. Its 4.7-inch 1280×720 pixel IPS HD touchscreen display is bright and responsive and compares favorably to the smaller display of my own iPhone 5.

The Blackphone's other components are serviceable, but not exactly bleeding edge. Its 8-megapixel rear camera, which juts out 2 millimeters from the phone’s black plastic back, doesn’t exactly have market-leading optics, but it’s fine for everyday use, as is its 5-megapixel front camera. Its 16GB of internal storage and 2,000mAh battery are de rigueur.

There’s one thing that’s a bit out of the norm in the Blackphone’s kit—a 2GHz Nvidia Tegra 4i quad-core system-on-chip. Weir-Jones said part of the reason was that Nvidia was more willing than some of the other SoC vendors to work with a small startup—another SoC had originally been chosen for the phone, but the Blackphone’s engineering team was informed that the manufacturer was about to stop production. Weir-Jones said that Nvidia, which has marketed its Tegra chips mostly for tablets but developed the 4i specifically for phones, was quick to step up.

Going black

The beginning of the setup process for the Blackphone—pick a PIN or password. Be prepared to pick a few more. Credit: Sean Gallagher
Let's face it: the reason the Blackphone sold out its preorders to legions of early adopters, sight unseen, has little to do with how well it measures up to the Samsung Galaxy S5 on benchmarks. What sells this phone is the software and services it is bundled with, which separately would sell for $879. They include:

  • A two-year subscription to Silent Circle’s secure voice and video calling and text messaging services, plus three one-year "Friend and Family" Silent Circle subscriptions that allow others to install the service on their existing smartphones;
  • Two years of 1GB-per-month Disconnect virtual private network service, plus Disconnect’s anonymizing search as part of the phone’s web browser;
  • Two years of SpiderOak cloud file storage and sharing, with a limit of five gigabytes a month.

These services can be activated during setup of the phone by scanning a QR card included in the box. What’s not in the box is a phone contract. The phone comes unlocked; in the US, you’ll need a SIM from AT&T, T-Mobile, or one of a handful of smaller carriers that have compatible GSM, HSPA+ and LTE network bands (Verizon and Sprint aren’t among them).

At first startup, Blackphone’s configuration wizard walks through getting the phone configured and secured. After picking a language and setting a password or PIN to unlock the phone itself, the wizard presents the option of encrypting the phone’s stored data with another password. If you decline to encrypt the phone’s mini-SD storage during setup, you’ll get the opportunity later (and in the release candidate version of the PrivatOS we used, the phone continued to remind me about that opportunity each time I logged into it until I did).

PrivatOS’ main innovation is its Security Center, an interface that allows the user to explicitly control just what bits of hardware functionality and data each application on the phone has access to. It even provides control over the system-level applications—you can, if you wish for some reason, turn off the Camera app’s access to the camera hardware and turn off the Browser app’s access to networks.

This feature is more valuable, from a consumer standpoint, for locking down what personal data commercial apps can access. But it’s easy to see how Security Center’s functionality could be attractive to corporate and government customers when tied to a mobile device management tool. It might also explain why SGP Technologies’ US offices are so close to Washington, DC.

Security Center presents an overview of what you have left to do to secure your Blackphone, plus a few helpful references on locking things down tighter.
A view of applications allows you to quickly block access to Android resources or drill down on them to be more selective.
When installing a new app, Security Center pops up and asks if you want to block any of the permissions the app requests.
The Remote Wipe feature allows (or at least will allow) users to zap the contents of their phones, if lost or stolen, through a web portal.

Another feature of PrivatOS is its enhanced remote wipe functionality. If you’re concerned about someone having an extended opportunity to try to break your phone’s encryption password and login password, you can create an account that will allow you to launch a remote wipe of the phone through a web portal. That is, at least in theory—the service wasn’t working for me when I tested it, but should be working when phones start shipping to customers.

There are a number of tools bundled with PrivatOS that are available for other Android phones, but don’t usually come preinstalled. One of them is the Kismet Smarter Wi-Fi Manager, a system app that protects the phone from being spoofed to connect to untrusted networks. The software “learns” trusted Wi-Fi networks by sensing nearby cell towers. When you add a network as trusted, Smarter Wi-Fi records a location fingerprint based on the cell towers.

Once you’ve learned the locations of trusted networks, Smarter Wi-Fi can use your location to control whether Wi-Fi is turned on or off. Move out of range of your home network, for example, and the app will automatically shut down the phone’s Wi-Fi until you arrive at work—where it will automatically join your trusted network there. In between, networks can’t spoof your trusted networks, track your phone by its Wi-Fi MAC address, or get it to give up which networks you’ve trusted through Wi-Fi “poll” broadcasts.

Also bundled is the SpiderOak secure cloud file-sharing service. We’ve done an extensive review of SpiderOak before, so I won’t spend too much time on it here. SpiderOak has built a custom mobile app for the Blackphone to provide secure access to files from a desktop or laptop computer. It’s one-way sharing—you can’t mirror files off your Blackphone back to your computer, but you can open files in local apps and e-mail them to others.

The next piece of the Blackphone’s security quilt is Disconnect, an Internet anonymization service. Disconnect works on the Blackphone in two ways: as an OpenVPN-based virtual private network, and as a search proxy service that scrubs cookies out of web traffic.

When you run a search from the PrivatOS built-in browser’s address bar, it automatically runs the search through Disconnect’s service. You can choose from five search providers—Google, Bing, Yahoo, Blekko, and DuckDuckGo. Searches to DuckDuckGo are passed straight to the search engine because of its preexisting privacy protections, but all the others go through Disconnect’s proxy. As a result, your requests are anonymized. The returned links are anonymized as well, stripped of search engine referrer data; they just look to the visited website like you typed in the full URL of the page yourself.

The Disconnect Secure Wireless service, on the other hand, is an OpenVPN service that anonymizes the rest of your Internet traffic. It can be configured to automatically provide private browsing through Disconnect’s proxy, connected via VPN—or you can manually turn it on and force all your Internet traffic over the connection (and burn through your 1 gig of traffic that much quicker). Disconnect’s VPN puts traffic through a proxy to remove exposure of personal data through cookies on any website.

The locations of trusted networks are "fingerprinted" by data about nearby cell towers.
Disconnect Search in action with Bing. The results are stripped from Bing without ads or cookies, and referrer data is pulled from the links.

Security check

The flagship apps on the Blackphone are Silent Circle’s Silent Phone and Silent Text, a pair of encrypted communications tools that share a common directory service. Silent Circle comes with some serious crypto cred—the company’s president and cofounder is Phil Zimmermann, the creator of PGP.

Both Silent Phone and Silent Text work over broadband cellular or Wi-Fi. Combined, they’re like the privacy advocate’s version of Skype: they provide voice and video calls, conferencing, and text chat, but all via peer-to-peer key exchange without an intervening server. There’s also the added benefit of encrypted file transfer.

Silent Phone is essentially an encrypted SIP phone network. The Silent Circle cloud service provides a directory service that connects users’ account names and IP addresses and then brokers a connection between them based on a public key exchange. It also provides a bridge to Plain Old Telephone Service systems, allowing users to call landlines or cell phone users who are outside of the service, encrypting and anonymizing the source of the call. Silent Phone also can create peer-to-peer conference calls, with one phone acting as the hub for a conversation.

When you place a voice or video call to another Silent Circle user, there’s an exchange of public keys between the apps and then the call begins. As an additional verification measure, the system automatically generates a two-word verbal challenge that you can use to verify you’ve actually got a secure connection. Tap the words to confirm, and Silent Phone displays three green circles to show you’re secure.

Silent Text is the suite’s encrypted chat and file-exchange app. Based on the Jabber instant messaging protocol, it comes with a few other bells and whistles for the security-minded, including something called “Burn Notice”—a self-destruct setting for texts and other content that deletes them from the remote phone. You can also send location data automatically to someone in chat, so they can verify where you are or come looking for you.

A SIP phone call with Silent Phone connecting.
Dan Goodin and me on a Silent Phone video call. Audio lag made us resort to land lines on the first attempt.

After configuring the various pieces of Blackphone’s privacy armor, it was time to check it for leaks. I connected my loaner phone to a Wi-Fi access point that was set up to perform a packet capture of my traffic, and we started to walk through the features. I also launched a few Wi-Fi attacks on the phone in an attempt to gather data from it.

First, Dan Goodin and I placed a few calls to each other, both video and voice. Reviewing the captured packets, I could see the exchange of public keys with a Silent Circle server, and then everything that followed was encrypted UDP traffic to an IP address that resolved as another Silent Circle server. If someone was monitoring our call from one end or the other, all they would know is that we were sending and receiving packets from Silent Circle—not that we were having a conversation with each other or the contents of that conversation.

The same was true of Silent Text. A packet capture of a conversation caught an initial exchange of keys through an HTTPS connection to Silent Circle’s login server, and then messages themselves were blocks of encrypted text in TCP packets. Dan successfully remotely deleted a few documents he sent me in a chat, and I turned on Burn Notice and watched my messages self-destruct out of the chat thread.

Disconnect searches did their job of keeping Google from identifying me. But the need to turn on the VPN for private browsing became readily apparent when I found a geolocation cookie being passed to Wikipedia in the clear. Once I switched on Disconnect’s VPN, there was absolutely nothing to sniff from my web visits.
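The call, text, and web checks above amount to asking, for each captured flow, whether an observer on the access point could read anything. A small triage script for that question follows as an added example (it is not the tooling used in this review): it labels the first payload bytes of each flow and lists identifying headers in any cleartext HTTP request. The flows, hostname, ports, and cookie value are constructed for illustration.

```python
import re

# Constructed sample flows: (label, transport, dst port, first payload bytes).
# None of these bytes come from the capture described in the review.
SAMPLE_FLOWS = [
    ("web visit, VPN off", "tcp", 80,
     b"GET /wiki/Main_Page HTTP/1.1\r\nHost: wiki.example\r\n"
     b"Cookie: GeoIP=US:MD:Baltimore:39.29:-76.61:v4\r\n\r\n"),
    ("login and key setup", "tcp", 443,
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(16)),
    ("voice call media", "udp", 40000,
     bytes.fromhex("80e4a1b27f3c9d10e5f6a7b8c9d0e1f20311")),
    ("web visit, VPN on", "udp", 1194,
     bytes.fromhex("38a1b2c3d4e5f607180000000000")),
]

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
# Request headers that tie traffic to a person or their browsing trail.
SENSITIVE = {"cookie", "referer", "authorization"}


def classify(payload: bytes) -> str:
    """Label the start of a flow as 'http', 'tls', 'cleartext' or 'opaque'."""
    if REQUEST_LINE.match(payload):
        return "http"
    # TLS record header: content type 20-23, major version 3, minor 0-4.
    if (len(payload) >= 5 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 3 and payload[2] <= 4):
        return "tls"
    # Mostly printable bytes means some other protocol is running unencrypted.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and printable / len(payload) > 0.9:
        return "cleartext"
    return "opaque"


def http_leaks(payload: bytes) -> list:
    """Return (header, value) pairs in a cleartext request that expose the user."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    leaks = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")   # split on the first colon only
        if sep and name.strip().lower() in SENSITIVE:
            leaks.append((name.strip().lower(), value.strip()))
    return leaks


def audit(flows) -> list:
    """Summarise what an on-path observer can read from each flow."""
    findings = []
    for label, proto, port, payload in flows:
        kind = classify(payload)
        findings.append({
            "flow": label, "proto": proto, "port": port, "kind": kind,
            "readable": kind in ("http", "cleartext"),
            "leaks": http_leaks(payload) if kind == "http" else [],
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['flow']:<22}{f['proto']}/{f['port']:<6}{f['kind']:<10}{f['leaks']}")
```

An "opaque" label only means the bytes match no known cleartext or TLS framing; the destination address and traffic volume of such a flow remain visible to the observer.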

For my last trick, I unleashed a malicious wireless access point on Blackphone, first passively listening and then actively trying to get it to connect. While I did capture the MAC address of the phone’s Wi-Fi interface passively, I was unable to get it to fall for a spoofed network or even give up the names of its trusted networks.

So, we’ve verified it: Blackphone is pretty damn secure.

But how well does it work as a smartphone?

Minus the secure applications, Blackphone works perfectly fine as a phone—it has all the basic Android stock applications, and they all work just as well as they do on a Samsung Galaxy S5—albeit with a little less zip. Across the board, Blackphone’s performance lagged significantly behind the S5, the HTC One (M8), and Apple’s iPhone 5s. It’s not really a fair comparison, given that this is a first-generation handset focused on privacy, and the other phones are neither of those things, but it demonstrates some of the trade-offs that the Blackphone team had to make to make the phone happen.

The real issue is the Blackphone’s usability, in the sense that we’ve become accustomed to using smartphones—like downloading and running apps. While PrivatOS is essentially Android, it’s Android without Google—which means no Google Play store and no easy access to Google’s collection of apps.

For many people, this won’t be an issue. I ended up downloading and installing the Amazon App Store app on the Blackphone to get a few of the apps I needed—and doing some clever sideloading tricks to get others installed. The Security Center features allowed me to toggle on and off features in some applications that are more difficult to get to from within the apps’ own settings—for example, I switched off Twitter’s access to location services easily from Security Center when I wanted to post a tweet from an undisclosed location.

Still, given my limited time and desire to do anything that would edge toward rooting the phone, I wasn’t able to get some of our benchmarking tools to install (including one we use for our battery test). But for the most part, I didn’t miss Google Chrome or the rest of the Google ecosystem. And given that Blackphone’s future corporate and government customers may want to have their own private app stores instead of Google’s for security reasons, the absence of Play may end up being a positive feature.

Then there was the experience of using those apps that are at the center of what Blackphone is. Goodin and I ran into a few rough spots along the way. Dan had some complaints about the interface, which is minimalist in the extreme and may not be entirely intuitive to a new user. The address book for Silent Phone is separate from the Android contact list, and it’s protected by its own password (on top of the phone password and the encryption password and the Silent Circle account credentials).

Then there were the calls themselves. Silent Phone’s call quality was obviously highly dependent on the network it travelled over. When Dan was on T-Mobile broadband (technically T-Mobile’s “3+G” service, since we were using European GSM phones), video was obviously a problem, and voice-only calls had some jitter and skip to them. But calls with full broadband connections on both ends were dramatically better.

Switching from one wireless network to another caused problems with the Silent Circle software. On a few occasions, I couldn’t connect to the SIP network servers until I turned the power on and off after a change from one Wi-Fi network to another or a switch to cellular data. Silent Circle’s customer support suggested cycling the power, so it’s clearly something the company is aware of and working on.

Conclusion

So, to be fair, the question of how well the Blackphone does as a consumer device has multiple answers. If you’re someone who’s comfortable with a little bit of app sideloading and living off the Google reservation and have particular concerns about your privacy, then the Blackphone is a good fit for you—especially if you’re not worried about getting a phone company subsidy to lower its price tag.

If you’re running a small or medium-sized business and are looking for a consumer device that can help protect your data, the Blackphone is a good option. It’ll be an even better option when it has centralized administration that allows you to enforce company policies on data security, but it’s worth looking at now for users who deal with particularly sensitive information.

Is this the phone you give your parents or kids to help protect their privacy? Maybe, if you’re not afraid of doing a bit of preconfiguration and coaching. But you’re probably better off just configuring the phones they already have with apps like Smarter Wi-Fi Manager (which is already available in Google Play) and Disconnect (which will be available soon as an app for other mobile devices), or another VPN service.

What’s really important in the end about the Blackphone is that it has made the idea of a privacy-focused phone a reality—and it opens a conversation about what security technology can do for average people. And if it brings enough people into the conversation, the next generation of the Blackphone, and of mobile security products in general, could reach a much wider audience—and perhaps force some of the bigger mobile players to pay more attention to privacy.

The good

  • Excellent Security Center feature of PrivatOS does what stock Android should do, giving you fine control over app permissions.
  • Bundled Silent Phone and Silent Text services anonymize and encrypt communications so no one can eavesdrop on voice, video, and text calls at all.
  • Bundled Kismet Smarter Wi-Fi Manager keeps the phone from connecting to unfriendly networks.
  • Disconnect VPN and Search keep web trackers away from your phone, anonymize your searches and Internet traffic.

The bad

  • The phone’s performance, while acceptable, is mediocre (even though it isn’t the phone’s selling point).
  • Silent Phone calling ran into trouble when the network switched between calls, and the user interface may baffle some users.

The ugly

  • A custom OS means no Google Play library or any of the other benefits of the Google ecosystem, spotty support for sideloaded apps, and reliance on Amazon or other third-party app stores. Such is the price of privacy.

Listing image: Sean Gallagher

Sean Gallagher, IT Editor Emeritus
Sean was previously Ars Technica's IT and National Security Editor, and is now a Principal Threat Researcher at SophosLabs. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.