Note from Justin: This excellent write-up on CopperheadOS comes to you from Andy at https://peopleforprivacy.com. I really appreciate this piece and learned a lot from it, and I’m sure you will, too! Please let him know your thoughts in the comments, and check out his site. Thanks!
I have been working towards more security and privacy in my digital life for a little less than a year now. One of the things I’ve done to move down that path was switching my Android phone from its stock ROM to CyanogenMod, a custom open source ROM. Shortly after doing that, I heard about CopperheadOS, which is an open source ROM specifically oriented towards fixing some of the big vulnerabilities in the Android OS. I was really excited about this new company and what they were doing. So, when I started having some hardware issues with my phone, and it was time for an upgrade, I decided to purchase a Nexus phone and flash CopperheadOS on it. Below I’ll tell you a little bit about that experience, and then wrap up with my overall thoughts on the ROM.
For the sake of this article, I’ll assume that my readers are familiar with the rudiments of how Android works. If you’re not, I’ve got an article over on my website about custom ROMs that explains some of the terminology.
Installation of CopperheadOS was surprisingly easy. It requires fastboot and adb software on your computer, and the ROM is flashed using those. The whole process would probably take someone who’s familiar with flashing ROMs this way less than 30 minutes (I’m new to this stuff, so it took me quite a bit longer to figure out). You simply unlock the bootloader, flash the ROM, and relock the bootloader. That’s it.
The Copperhead site has a documentation page that walks through this process. It’s very sparse, and assumes a fair level of expertise. For example, they say to use the command ./flash-all.sh to flash the ROM. This is a command for a Linux machine, and won’t work on Mac or Windows (ask me how I know). I had to find out elsewhere that on Windows you need flash-all.bat. All that said, if you know how to flash custom ROMs on Android, or are willing to learn, it’s pretty easy to install this ROM.
So far, after about six weeks of using CopperheadOS exclusively, I’ve not noticed any issues with it. It has run well and worked just as I expected every time. Updates have been impressively frequent: I installed the 9-14-16 version and by 10-14 had installed five OTA (over-the-air) updates which Copperhead pushed out. Given that this is a two-man operation, I am blown away that they’re pushing out updates that quickly.
One other notable difference between this and other custom ROMs is that it won’t allow you to keep a custom recovery installed.
CopperheadOS comes with several built-in apps, though far fewer than most of us are accustomed to with a manufacturer-skinned phone. I’ll give a brief review below.
Email: The email client is quite handy. I have a Posteo account and an old Gmail account that I still occasionally receive mail at on this app, and am quite happy with it. The organization is good, syncing works, and overall it’s quite functional. The only issue I’ve seen is that it sometimes doesn’t delete emails on the server when you delete them in the app.
Texting - Silence: This messaging app looks and functions like every other messaging app I’ve used. It manages SMS messages fine. I’ve not used the encryption, as I don’t know anyone else who has the app. I am not sure whether it uses SMS-based encryption (I suspect it does) or sends messages via data services.
Music player: To be blunt, this app sucks. It is hard to navigate, it is hard to read, and just overall unimpressive. That said, it is usable. I don’t listen to a lot of music, so I haven’t bothered to find a better app.
Browser - custom version of Chromium: The interface is pretty standard. I was disappointed in the privacy and security setting defaults. As pictured below, they default to a fairly un-private setup. I’m fairly invested in Firefox as my main browser, so I just use it as a backup. From my limited use, it appears to work satisfactorily; you just need to update the privacy and security settings.
The calendar app requires you to add an account to use. So far I’ve been unable to do that. Nothing happens when I press the add account button. This has made the calendar completely useless.
The camera app is just the basic Android camera. As far as I can tell it’s no different from the stock camera in CyanogenMod. That said, it’s not terribly impressive. It works just fine, but is pretty bare bones. Any moderate photo enthusiast will certainly want a better app.
These are also just the basic Android apps. They work just fine.
The big problem with CopperheadOS
As I said, I’ve been using this OS for about six weeks, but I am very seriously thinking of switching back to CyanogenMod. The reason? I can’t get the Google Play store to work. The ROM comes with the F-Droid app store installed. F-Droid is an open source store, which I think is really great. I like to get anything I can from them, and hope that they’ll continue to develop. That said, the selection of apps is pretty small, and there is almost no overlap with Google Play apps. This means that even excellent, secure apps such as Signal or Private Internet Access VPN are not available. Also, while most of us would like to do everything via secure software, I’d guess that most of you reading this still use some mainstream apps at least occasionally.
How am I dealing with this? I’ve downloaded the Amazon app store (which is no better, and possibly worse than Google Play from a privacy standpoint) and I am also using apkmirror.com to download apps to install. This is a far from perfect solution. I still can’t get Signal to work (which I believe is because it relies on certain software in the Google Play Services app which is blocked by the OS). I am using an open source VPN client to route my PIA account through, which is, as far as I can tell, working fine. The other big problem with self-installed apps from APKMirror is that you have to manually check for updates. As I’m sure anyone reading Justin’s blog knows, keeping everything up to date is of utmost importance, so this is a big blow to the security of the overall system.
I’m continuing to try to figure out a way to get Google Play Store working on my phone. I’ve not yet read anything that says with certainty whether it is or isn’t possible. I actually have the app installed, but it won’t do anything when I open it. Since I’m installing it from an APK, it’s possible that I’m just doing something wrong. Unfortunately, there is almost nothing written about actually using CopperheadOS. There was a lot of press about it earlier this year, but it was all about the idea/concept/need, not about actually using it.
Overall, I’m very impressed that two guys are putting this out, and updating it as frequently as they do. I believe that almost all of the work they’ve done is on the backend of Android, and is not visible to the average user. That’s good and necessary work, but I think that the front end still needs some improvement as well. As a unit the OS works flawlessly, if not much differently from vanilla stock Android. The ONLY problem I’ve seen is the inability to get many apps that I (and others) rely on.
Why CopperheadOS matters: At this point, you may be wondering, “why don’t you just switch to iPhone?” There are two answers to that. On the personal level, I’m simply unwilling to spend the money. I bought my brand new 5X (a one year old design) for $240 on eBay. A USED iPhone 6s of the same vintage would run me $350-500, depending how much wear I was willing to accept. While $240 isn’t a $40 prepaid phone, it also got me a phone with relatively top of the line hardware (for 2015 anyway). The bigger reason that I wanted a Copperhead phone is that I want an open source OS with security and privacy as key concerns in its development. I want that to be a well-known alternative. I want people to have that option. I think that this is a tremendous step in the right direction, and I’d love to see CopperheadOS take off and do great! I am personally sending them a small donation on a regular basis, and intend to continue doing so. I’d love to see them “fix” Android and expand it so that people can buy low cost secure phones with ease. I don’t know if that will happen, but that’s the future I want.
Andy is an average guy who is concerned about privacy and security both for himself and future generations. As someone new to thinking about digital safety, he is trying to consolidate what he learns and add to the dialogue on these critical topics at https://peopleforprivacy.com.