In our first blog on PRIV privacy and security, we talked about how protecting the privacy of users goes far beyond the engineering we’ve done to harden the device across all layers of hardware, firmware, and software. Android is a complex, rapidly changing, massively popular, open source product, which makes it an attractive and fertile target for attackers. BlackBerry’s security research team is constantly examining the firmware and software content of new releases to locate and address further Android vulnerabilities before they can be exploited.
(Also read “PRIV is for Private” and this deep dive into privacy monitoring app, DTEK, both by my colleague, Alex Manea.)
Android also demands world-class security incident response, and BlackBerry has a long history of delivering that to customers with the highest-value resources under their (and hence our) protection. A critical part of our response strategy is the Android vulnerability patch program – second to none in the industry. In this blog, we’ll provide more detail on this program, which comprises three new initiatives:
- Android monthly security update process
- “hotfix” patching
- Enterprise-managed updates
Android Monthly Security Updates
Each month Google provides BlackBerry and other Android OEMs with a security bulletin listing recently discovered Android vulnerabilities. Google publishes the bulletin approximately one month later, so it is critical that BlackBerry release fixed software before public disclosure. BlackBerry will deliver these monthly updates directly to users who purchased PRIV through shopblackberry.com, and to PRIV resellers (carriers and other authorized dealers) that have agreed to participate in the regular monthly update program and to rapidly approve each monthly update for over-the-air (OTA) delivery to their subscribers.
“Hotfix” Patching
Some critical Android vulnerabilities – for example, one that can be exploited easily and remotely with a publicly disclosed method to run malware with “root” privileges – simply cannot wait for the monthly update cycle. Depending on the severity of the problem, the complexity of the fix, and its timing relative to the monthly cycle, BlackBerry will opt to issue a hotfix: a release that addresses only the specific critical problem and is pushed to customers. Because a hotfix is narrow in scope, it needs far less testing and approval than a full monthly update; weighing that shorter cycle against the risk posed by an unpatched critical flaw makes hotfixes an important addition to keeping users safe and secure. While BlackBerry will work with its go-to-market partners on approval and delivery of hotfixes, BlackBerry is able to patch all PRIV variants directly and will do so when necessary to protect users and enterprises.
Enterprise-Managed Updates
Historically, IT has managed the delivery of OS updates to business PCs. By controlling when patches are delivered, and to which devices and users, IT can avoid costly software incompatibilities and ensure that the security issues most important to the business are mitigated first. In the mobile world, enterprises have lost this control. BlackBerry aims to restore it through BlackBerry Enterprise Server (BES) and OTA management systems.
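Both the monthly update process and enterprise-managed updates raise the same practical question for an administrator: which devices in the fleet are actually running a build that covers the latest bulletin? Android exposes that as the system property ro.build.version.security_patch (readable with `adb shell getprop ro.build.version.security_patch`, and as Build.VERSION.SECURITY_PATCH to apps since API level 23), a YYYY-MM-DD date meaning "every bulletin up to this date is addressed". The script below is an added example, not BlackBerry's or Google's tooling; its device inventory is constructed, and the bulletin month it compares against is an assumed value.

```python
"""Flag devices whose Android security patch level lags the current monthly
bulletin. Added example, not BlackBerry or Google tooling; the inventory
below is constructed, not collected from real devices."""
import re
from datetime import date

# Constructed sample: one ro.build.version.security_patch value per device,
# as an enterprise inventory tool might have collected it over adb or MDM.
# The empty string models a build that predates the property (it was
# introduced with API level 23, Android 6.0).
SAMPLE_INVENTORY = {
    "device-a": "2016-01-01",
    "device-b": "2015-11-01",
    "device-c": "2015-12-01",
    "device-d": "",
}

PATCH_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(value):
    """Return the patch level as a date, or None if the property is missing
    or malformed. A malformed value is itself worth reporting: it means the
    build cannot be trusted to state which bulletins it covers."""
    m = PATCH_LEVEL_RE.match(value.strip())
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    try:
        return date(year, month, day)
    except ValueError:
        return None


def months_behind(patch_level, bulletin):
    """Whole bulletin months between a device's patch level and the bulletin
    date. Bulletins are monthly, so the day of month is deliberately ignored."""
    return (bulletin.year - patch_level.year) * 12 + (bulletin.month - patch_level.month)


def classify_fleet(inventory, bulletin, max_lag=1):
    """Map each device name to (status, lag). 'current' means at most max_lag
    bulletin months behind (max_lag=1 tolerates the month between Google's
    bulletin to OEMs and its public release), 'behind' otherwise, and
    'unknown' when no patch level could be read."""
    result = {}
    for name, raw in inventory.items():
        level = parse_patch_level(raw)
        if level is None:
            result[name] = ("unknown", None)
            continue
        lag = months_behind(level, bulletin)
        result[name] = ("current" if lag <= max_lag else "behind", lag)
    return result


def devices_needing_attention(inventory, bulletin, max_lag=1):
    """Names of devices IT should chase: behind the bulletin, or unreadable."""
    report = classify_fleet(inventory, bulletin, max_lag)
    return sorted(n for n, (status, _) in report.items() if status != "current")


if __name__ == "__main__":
    # Assumed bulletin month for this run; in practice use the date of the
    # latest bulletin Google has published.
    bulletin_month = date(2016, 1, 1)
    for name, (status, lag) in classify_fleet(SAMPLE_INVENTORY, bulletin_month).items():
        print(f"{name}: {status} (lag={lag})")
```

One caveat when reading the output: the patch level records which bulletin a build claims to cover, not which individual CVEs are fixed. A hotfix of the kind described above addresses one issue out of band and does not advance this date, so a device that received a hotfix can still show as "behind" until the next monthly update lands; conversely, an unknown or malformed value should be treated as unpatched rather than ignored.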
PRIV by BlackBerry is leading the Android smartphone world in privacy and security. This leadership requires tremendous resources and hard-earned expertise in protecting users that go far beyond the engineering of the device itself. Setting the bar in incident response and patch management is a critical part of the BlackBerry end-to-end Android privacy strategy.