What happens when you design a smartphone specifically to place security and privacy in the hands of its users? You get an ultra-secure, attack-resistant device, right? Not exactly. Researchers on the BlueBox Labs security team discovered a potential vulnerability in Blackphone, a new Android smartphone model, in which core applications leak usernames and passwords to any SSL server.
Blackphone, a carrier-independent and vendor-independent model, was tested running version 1.0.2 of PrivatOS, its Android-based operating system. The device comes pre-installed with a slew of privacy-enabled applications for secure calling, text messaging and contact storage, plus the Security Center app that allows users to control app permissions. The phone also has third-party apps installed, including a program that creates a VPN connection to outside servers and a BlackBerry version of the online backup tool SpiderOak.
The team at BlueBox discovered a number of potential issues with the device and the apps installed on it. For example, there is currently no way for an individual to open a PDF or Word document using a core app.
To test for vulnerabilities, the researchers set up a man-in-the-middle attack on the device by installing their own root SSL certificate. They found that the core apps were leaking usernames and passwords to any SSL server. The team also found 150+ pre-installed root certificates in the system credential storage, meaning the device trusts many certificate authorities that may not be authentic.
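The two findings above, expressed as TLS client configurations a defender can check for: a client that accepts any certificate (the weak setting the man-in-the-middle test exposes) beside one that verifies the chain and hostname and trusts a single pinned CA instead of the whole system root store. This is an added example using Python's standard `ssl` module, not code from BlueBox's report or from Blackphone; `PINNED_CA_FILE` is an assumed path.

```python
import ssl
from typing import Optional

PINNED_CA_FILE = "backend-ca.pem"  # assumed path to the one CA that issues the backend's cert


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if ctx would reject a forged or mis-issued server certificate.

    Both conditions must hold: the chain is validated against a trust store
    (CERT_REQUIRED) and the leaf certificate's name is checked against the hostname.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def accept_anything_context() -> ssl.SSLContext:
    """The weak configuration: an interposed server's certificate passes unchallenged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Hardened configuration: verify chain and hostname, and trust only one CA.

    PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname=True.
    With ca_file=None nothing is trusted at all, so handshakes fail closed
    rather than silently falling back to the 150+ roots in the OS store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates this context will accept as chain roots."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    weak, strong = accept_anything_context(), pinned_context()
    print("weak context verifies:", is_verifying(weak))            # False
    print("pinned context verifies:", is_verifying(strong))        # True
    print("pinned CAs before loading a file:", trusted_ca_count(strong))  # 0
    print("system roots trusted by default:", trusted_ca_count(ssl.create_default_context()))
```

Running `is_verifying` over every context an app constructs is a cheap unit test that catches the first finding; comparing `trusted_ca_count` against the number of CAs you actually expect catches the second.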
On the bright side, all vulnerabilities disclosed in BlueBox's report were closed by Blackphone within an impressive 11 days and patched in the next release of the operating system, PrivatOS 1.0.3. Since security issues have always been prevalent in the Android market, the developer's goal is to push out patches faster than any original equipment manufacturer out there.