To clarify my question, reading through BlackBerry's blog:
BlackBerry’s Android Devices Such as the New DTEK50 Are the Most Secure on the Market: Here’s Why [VIDEO, PICS] | Inside BlackBerry
The blog starts out with some false information, either due to confusion or deliberately to set up misinformation as a premise for the value argument for their product. It then goes on to praise their own performance on releasing security updates - which has been FANTASTIC, so we'll circle back to this point.
BlackBerry makes the point that they encrypt user data and have built-in malware protection, backup, wipe and restore.
It also highlights some security features that the Priv and DTEK50 share, such as (1) Hardware Root of Trust, (2) a locked-down bootloader that won't load custom ROMs and (3) full disk encryption. (4) Part two is security updates and part 3 is (5) being able to micromanage security and privacy settings.
So here's what prompted my question:
Android already does all or most of this in one fashion or another:
- Hardware Root of Trust is describing something that Snapdragon processors already have built in. It sounds like BB is just adding software security keys and is not doing anything differently from a hardware standpoint. Apple and Samsung both reference Hardware Root of Trust in their materials and it's actually built into the SoCs that most Android flagships are using.
- The requirement to have a digitally signed OS is the only exception, however there are several phones that can't be unlocked which makes it somewhat of a moot point.
- Android has been available fully encrypted since Lollipop. Nougat actually improves upon this with file level encryption.
- Android already has monthly security updates and there is a device line that's just as fast as BlackBerry - Nexus. Nexus has the added advantage of being guaranteed 3 years of security updates, whereas BlackBerry is strongly hinting that they could fully abandon mobile at any point between today and whenever they feel like.
- While not as down in the details as DTEK, Marshmallow and Nougat already allow you to grant or revoke permissions for apps at will. It seems like all they did here was create an interface for it to be easier for the user to play with those settings.
Android on Marshmallow and Nougat (and iOS too) also has the added benefit of using a fingerprint sensor backed up with a password, PIN or pattern, which the DTEK50 does not take advantage of.
So as far as I can tell, my Nexus 6P and Nexus 5X running on Nougat are actually equally or more secure in all areas except for #2. Both do have bootloaders that are easily unlockable, so only devices with applications such as Knox would match that criterion. That said, if one doesn't enable developer options, allow OEM unlocking, set up an ADB bridge and then connect the unlocked phone to a PC - then the bootloader remains locked. And personal information is obviously protected from the process of unlocking the bootloader, given that it wipes the device. But the larger point is that your bootloader never accidentally becomes unlocked. No one has ever had a, "whoops, what happened to my bootloader?!" moment.
iOS does these things too ... so when I ask, "What makes it the most secure, or if not, what is more secure?" - what I'm asking is... given that it doesn't look like they're doing anything unique, should we buy into the claims? Can we get an expert to break down what makes it more secure?
And a logical second question once that question is answered, is - at the same price point, why wouldn't a user buy a Nexus 5X or the Sailfish being released this quarter? They're better hardware, will be up to date longer, supported better and longer and have the added benefit of working on whatever carrier you want.