BlackBerry Dtek60
32 GB, Black, 5.50", Single SIM, 21 Mpx, 4G
The new Blackberry DTEK60 - A double-edged sword of security
26.10.2016
Translation: machine translated
Blackberry has reinvented itself. The DTEK60 is supposed to be the most secure smartphone in the world and yet offer the convenience of normal Android distributions. A test shows: The phone is not for security purists, but it is a strong signal in favour of security.
I've been staring at the screen of the Blackberry DTEK60 for 51 minutes now. I can't work with it because the device is currently optimising the fifth of six apps after the second upgrade of the operating system. All this updating has drained 30% of my battery, so the first recommendation is to fully charge the battery before making any settings: Fully charge the battery. Because at the end of all the updates, installations and settings, 39% battery remains.
The promise: security and convenience
A prejudice has somehow become ingrained in people's minds that security is always inconvenient, tedious and cumbersome. It's also half understandable when passwords now have to be at least eight characters long, contain a number and a special character and have to be changed every time the full moon falls on a Wednesday when a clown coughs 15 times. On mobile phones, there are PIN codes and pattern unlocks, which should preferably not be 2-5-8-0 or an S. In short, if you take security seriously, you'll end up with a mobile that is far more difficult to use than the latest Galaxy or iPhone.
Blackberry now wants to change that. The strategy of jumping on the Secure Phone bandwagon is no coincidence, as the company has been known to be in trouble at least since the slump in popularity following the market launch of the iPhone in 2007 and the mass redundancies of 2,000 employees in 2011. However, this does not mean that BlackberryLimited is endeavouring in vain. Because secure mobile phones are necessary.
The DTEK60 promises a lot of security:
- Built-in password manager
- Better handling when granting authorisations
- Encrypted hard drive
- Monitoring of apps on the device and warning if they do something unusual, such as taking unsolicited pictures and videos
- Promise to respond quickly to security vulnerabilities and quickly deploy patches
In addition, BlackBerry also promises that security is simple.
First worries with Basic Setup
The BlackBerry DTEK60 runs Android. The developers at BlackBerry have made very few changes to the stock Android released by Google. This may not only be for aesthetic reasons. A few changes to the stock Android can drastically shorten the response time when an update needs to be pushed. This can be the case if there is a security vulnerability such as Stagefright, which has not yet been patched on many Android devices.
However, fans of privacy, who are often opponents of big data, are likely to be annoyed by the first steps alone. Before the BlackBerry security environment even starts up, Android asks whether it is allowed to access the location and send diagnostic data to Google. Yes, dear developers, advertisers and decision-makers, this is also part of privacy. Just because Google is The Devil You Know, i.e. the known evil, does not mean that it can be trusted unconditionally in the context of security and privacy.
It is possible to prevent integration with Google by default in Android distributions, but this would probably be at the expense of response times for updates. Fortunately, Google is trying to give privacy-conscious users a way out, so tick boxes can be set and removed again. This allows a lot to be intercepted. However, anyone who simply clicks "Yes", "Next" and "Agree" during the basic installation without reading what the device is currently requesting runs the risk of violating their own standards.
Excellent security rating? We can change that
The device has an app called DTEK. It measures the safety standard of the current setup. Mine shows me "Fair" during the app tour. This means that my DTEK60 is "moderately secure, approximately". Shortly afterwards, i.e. after the tour, the app takes a second look at my system and says that the security is excellent.
Challenge accepted. Let's see how I can manipulate this rating. I don't yet know exactly how to do this. Although the DTEK app clearly documents which factors it monitors and measures, it doesn't tell me how I can influence them. So I simply install all the apps I have on my old Samsung Galaxy S5. I can certainly drag this rating down with privacy nightmares like Facebook or Google+.
During the app installation process, I notice that I don't have to enter my PIN code when the screen switches off. When I install my 91 apps as an avowed app sceptic, it takes around 15 minutes. During this time, I wouldn't necessarily stare at my mobile if I didn't have to put it through its paces. This gives an attacker enough time to tamper with the DTEK60. This must be done separately in the phone's settings, as the system is only locked when the user explicitly requests it. The lock timer is set to "Never" by default. Out-of-the-box security is different.
With the data slingshots installed, I check DTEK, the app, again. The rating is still "Excellent". Strange. A second look reveals what the DTEK app is monitoring:
The principle of the smallest possible authorisations in practice
The security features of the Android version from BlackBerry become exciting and, above all, obvious during use. The software blocks all access from everything to everything. The mail app is not allowed to access the picture gallery by default, nor is it allowed to access contacts. These authorisations must be granted manually and can be withdrawn from the app at any time, regardless of how much sense this makes in the context of the device's operation.
This is where security and convenience come up against each other. Of course I want WhatsApp to be able to access my contacts, because the last time I memorised a phone number was about ten years ago. I can still remember the number today, but I don't really know why I should write a WhatsApp message to the guy from back then.
However, this setting, the default removal of all permissions, is an important step on the road to security, because the main effect is not that users are safer, but that they are forced to deal with the tentacles of the data leeches on their phone. They see with their own eyes what data Faceboook, WhatsApp and co. want to view and use. Users are deliberately put in a position where they have to decide which app is allowed to do what and, in exchange for about three seconds of work and a few thoughts on security, they receive awareness.
Secure Unity.
Secure unified communication as a questionable sales argument
The DTEK Android environment also boasts that unified communications are possible. The BlackBerry Hub - just called Hub in the system - pulls together all incoming and outgoing communication strands of the phone and combines them on one screen.
Facebook Messenger, Hangouts and the like are not displayed in the Hub, which makes the app seem somewhat useless. This is mainly because Google's own products - Inbox by Gmail and Gmail - as well as Microsoft Outlook offer clearer applications at first glance. This is why the BlackBerry Hub will have a hard time establishing itself as a solution to the app clutter. And let's be honest, one mobile is enough when it comes to unified communications. We don't need apps that aggregate apps.
Definitely an Android phone
Under the bonnet, the DTEK60 is neither second-rate nor spectacular. It is a solid mobile that plays in the midfield. To all appearances, it makes no attempt to become an iPhone killer. And it doesn't play in the third league of Android phones either.
Cheap Android phones may not be able to keep up with the big names, but they don't have to hide.
The handling is straightforward, with the exception of authorisations, which have to be granted separately for each app. Just Android. Shrug your shoulders.
The camera leaves something to be desired. With the editorial intern as an involuntary photo model, it turns out that the camera can't cope with backlighting at all. The 21 megapixel camera reacts quickly and takes snapshots like Lucky Luke pulling from the hip. If you like unintentionally comical, pseudo-melancholic fog under obviously artificial light, then the DTEK60 is the right choice for you. In real daylight, however, the camera works like the rest of the phone: reliably, quickly and cleanly.
The response time of the device is solid. I never had to wait for anything and as unobtrusive as the design of the device is, the handling is equally unobtrusive. I was neither surprised nor angry. The DTEK60 simply works and does its job well. I don't expect more from a smartphone.
Conclusion and answers to the questions from the beginning
Is the DTEK60 the most secure smartphone ever? No. Definitely not. I would even venture to say that the DTEK Android distro is identical to stock Android, with the exception of the DTEK app. The talk of the "most secure smartphone ever" is probably just marketing blah-blah. Although the now infamous Stagefright vulnerability has been patched, as a small test shows, the DTEK60 otherwise seems as secure as any other smartphone. This particularly pisses me off because security is really something that should be taken more seriously by smartphone users. The DTEK60 would have been an ideal opportunity but, with one notable exception, fails to capitalise on it.
Apps from the Play Store, meanwhile, offer better encryption - or at least explicitly mentioned encryption - than any app I found on the DTEK60:
- SMS: Signal
- Telephony: Also Signal
- Chat: WhatsApp has been end-to-end encrypted since April 2016, even though Signal also has all of WhatsApp's features
The security features are purely cosmetic, with the exception of the enforced principle of least privilege - i.e. all authorisations must be granted manually. Even an absurdly large number of installed data traps and privacy nightmares for testing purposes have not stopped the DTEK app from complacently claiming that the level of security is "excellent".
New locking options are nowhere to be found. PIN code, fingerprint or pattern. That's it. This is not particularly convenient, nor is the handling of app privileges, as all the information is missing and I spent about three minutes trying to display the names of the people involved in the chat group in WhatsApp.
Overall, the DTEK60 can be described roughly as follows: "Mol mol, isch es Smartphone. That's how you do it."
Journalist. Author. Hacker. A storyteller searching for boundaries, secrets and taboos – putting the world to paper. Not because I can but because I can’t not.