Secure smartphones are nice, but not enough

Everybody talks about smartphone security. But who's going to do something about it?

Smartphones are perfect targets for hacking, tracking, surveillance, industrial espionage and malware.

Unlike, say, desktop PCs, smartphones often connect promiscuously to many public Wi-Fi networks. They can connect to multiple types of wireless networks, including Wi-Fi, mobile data networks, Bluetooth and NFC -- all of which are potential doorways for unauthorized access.

Smartphones, in fact, run two operating systems: there's the one you know about -- the one that does normal operating system jobs, and which you may diligently update with the latest security patches; and there's one you may not know about -- the one that controls the radio hardware and is rarely updated.

Smartphones can report location, which the phone figures out with GPS. And even when GPS is turned off, phones connect to cell towers, whose signals can be used to triangulate a phone's location, or to Wi-Fi networks, which give away your location when you connect.

Carriers routinely sell location information to any organization willing to pay for it.

Smartphones are more likely to run apps from developers the user has never heard of, and those apps can be loaded with secret backdoor functions that harvest personal data and send it off to some unknown server.

Yes, smartphones are super insecure. Everybody knows it. Nobody likes it. Yet who really does anything about it?

In the past week, two new ultra-secure smartphones have been in the news. One is called the Blackphone. The other is called the Black phone. No, I'm not making this up. The difference in their names is a space.

Here's what we know about the two most secure smartphones ever created.

The Blackphone

At Mobile World Congress in Barcelona last week, a Spanish company called Geeksphone offered the first public demonstration of a product it's calling the Blackphone.

The $629 phone was made in partnership with Silent Circle, a U.S.-based company founded by a former Navy SEAL and the inventor of Pretty Good Privacy (PGP).

Silent Circle is also known for shutting down its Silent Mail service last August, which the company reportedly did because it believed it would soon receive requests from the government to turn over the email data of its customers.

Blackphone is an Android device and more or less looks and feels like a regular Android phone. However, it uses a forked version of Android called PrivatOS, which prevents apps from accessing personal information and works with privacy-enabled apps. For example, the built-in Web browser doesn't track your Web surfing. The phone also enables you to choose what personal information is available to each app. When you install apps, the installer presents you with individual permissions on each source of data that each app requests.

The Blackphone prevents its wireless radios from being logged via Wi-Fi as you walk around. Wi-Fi turns off when you're outside the range of a trusted hotspot. All data on the phone is encrypted, so if your phone is lost or stolen nobody else can gain access to the data. It has its own remote-delete tools as well.

The phone comes with a two-year subscription to Silent Circle's platform that encrypts phone calls and emails. The subscription covers three people -- the owner of the Blackphone and two friends or colleagues, regardless of what phones they use. It also comes with a two-year subscription to Disconnect, which anonymizes Wi-Fi connections, and SpiderOak, which is an anonymous cloud storage service.

Blackphone is designed for the general market, but Geeksphone claims that it's getting inquiries from government customers.

The Blackphone handset will go on sale in June for $629. It looks like a typical Android smartphone and is based on a security-hardened version of Android called PrivatOS. (Video: IDG News Service)

The Black phone

For the past two years, aerospace and defense contractor Boeing has been working on a special-purpose phone called the Black for customers who work in the government, the military and espionage. The phone was revealed in public FCC documents that all phone makers are required to file.

The Boeing Black phone is also an Android smartphone, but we know much less about it, because Boeing intends to keep its details secret. Papers filed with the FCC specifically request that information about the phone be kept secret, and a letter accompanying those papers says that even after the phone is available, it won't be available to the general public, nor will information about the phone be public.

The Black phone is small, thick and heavy. The handset is 5.2 in. tall. It's about twice as thick as an iPhone and much heavier. It has a modular design that enables users to attach add-ons, such as tracking tools, satellite transceivers, biometric sensors and solar charging devices.

The target market is government agencies and contractors who work with those agencies.

The Black phone will reportedly be "sealed." If the physical handset case is pried open, the phone will erase all of the data it holds. It will, essentially, self-destruct.

The Android-based Boeing Black smartphone is being marketed to government agencies and contractors. (Photo: Boeing)

It will also have two SIM card slots: one for regular public mobile networks and another for private government networks. When the phone is connected to a public network, its security features lock everything down so no data can be accessed. In order to gain access to certain information, the user has to disconnect the phone from the public network and connect to the private one.

Why Black is the new black

A smartphone that protects against intrusion, surveillance and hacking sounds like a good idea. But in the short term, at least, hardly anyone is likely to buy a phone like that.

Why not? For starters, hardly any carrier will sell the Geeksphone Blackphone. One of the Blackphone's security features is a stipulation that carriers who sell it are not allowed to install any software on the phone, and that makes it less appealing for them. The Dutch telecom KPN announced that it will sell the Geeksphone Blackphone starting in June in three European countries, but so far no other carrier has announced that it will sell it.

The Boeing Black phone won't be for sale to the public or to individuals at all. It will be purchased by government agencies and distributed by them.

Smartphones are insecure. But the Geeksphone Blackphone and the Boeing Black phone, as useful as they'll be to a tiny number of users, aren't going to solve the larger problem. It's unlikely that they'll account for anywhere close to even 1% of the total smartphone market anytime soon.

What we need is for regular, everyday smartphones to get better security. Consumers also need to care enough about security to seek out both more-secure phones and apps that provide better security. I just don't see either happening anytime soon.

This article, "Secure Smartphones Are Nice, But Not Enough," was originally published on

Mike Elgan writes about technology and tech culture. You can contact Mike and learn more about him on Google+. You can also see more articles by Mike Elgan on

Read more about mobile security in Computerworld's Mobile Security Topic Center.
