CopperheadOS Review

Note from Justin: This excellent write-up on CopperheadOS comes to you from Andy at https://peopleforprivacy.com. I really appreciate this piece and learned a lot from it, and I’m sure you will, too! Please let him know your thoughts in the comments, and check out his site. Thanks!

I have been working towards more security and privacy in my digital life for a little less than a year now. One of the things I’ve done to move down that path was switching my Android phone from its stock ROM to using CyanogenMod, a custom open source ROM. Shortly after doing that, I heard about CopperheadOS which is an open source ROM specifically oriented towards fixing some of the big vulnerabilities in the Android OS. I was really excited about this new company and what they were doing. So, when I started having some hardware issues with my phone, and it was time for an upgrade, I decided to purchase a Nexus phone and flash the CopperheadOS on it. Below I’ll tell you a little bit about that experience, and then wrap up with my overall thoughts on the ROM.

CopperheadOS Installation

For the sake of this article, I’ll assume that my readers are familiar with the rudiments of how Android works. If you’re not, I’ve got an article over on my website about custom ROMs that explains some of the terminology.

Installation of CopperheadOS was surprisingly easy. It requires fastboot and adb software on your computer, and the ROM is flashed using those. The whole process would probably take someone who’s familiar with flashing ROMs this way less than 30 minutes (I’m new to this stuff so it took me quite a bit longer to figure out). You simply unlock the bootloader, flash the ROM, and relock the bootloader. That’s it.

The Copperhead site has a documentation page that walks through this process. It’s very sparse, and assumes a fair level of expertise. For example, they say to use the command ./flash-all.sh to flash the ROM. This is a command for a Linux machine, and won’t work on Mac or Windows (ask me how I know). I had to find out elsewhere that on Windows you need flash-all.bat. All that said, if you know how to flash custom ROMs on Android, or are willing to learn, it’s pretty easy to install this ROM.

CopperheadOS Use

CopperheadOS is based on Android N, or 7.0 or Nougat, whichever you prefer to call it. This is Android’s newest release, which just came out a few months ago. My only experience with stock N is a few minutes of exploring it on my new Nexus when I first got it. As far as I can tell, CopperheadOS is almost, if not completely, identical to stock in terms of user interface. On the one hand this is nice for anyone who’s familiar with stock Android. On the other it gives a sense that you’ve not really updated anything. In fact, I flashed my phone 2-3 times because I thought I was doing something wrong, because it looked so similar. The only clue that something is different is that the boot screen displays the (very cool) Copperhead logo. Also, because you are running a custom ROM, you’ll get a warning screen on booting the phone. This is normal for Nexus phones, and you’ll see it running CyanogenMod or other custom ROMs.

So far, after about six weeks of using CopperheadOS exclusively, I’ve not noticed any issues with it. It has run well and worked just as I expected every time. Updates have been impressively frequent: I installed the 9-14-16 version and by 10-14 had installed five OTA (over-the-air) updates which Copperhead pushed out. Given that this is a two-man operation, I am blown away that they’re pushing out updates that quickly.

One other notable difference between this and other custom ROMs is that it won’t allow you to keep a custom recovery installed.

CopperheadOS Apps

CopperheadOS comes with several built-in apps, though far fewer than most of us are accustomed to with a manufacturer-skinned phone. I’ll give a brief review below.

Email: The email client is quite handy. I have a Posteo account and an old Gmail account that I still occasionally receive mail at on this app, and am quite happy with it. The organization is good, syncing works, and overall it’s quite functional. The only issue I’ve seen is that it sometimes doesn’t delete emails on the server when you delete them in the app.

Texting (Silence): This messaging app looks and functions like every other messaging app I’ve used. It manages SMS messages fine. I’ve not used the encryption, as I don’t know anyone else who has the app. I am not sure whether it uses SMS-based encryption (I suspect it does) or sends messages via data services.

Music player: To be blunt, this app sucks. It is hard to navigate, it is hard to read, and just overall unimpressive. That said, it is usable. I don’t listen to a lot of music, so I haven’t bothered to find a better app.

Browser (custom version of Chromium): The interface is pretty standard. I was disappointed in the privacy and security setting defaults. As pictured below, they default to a fairly un-private setup. I’m fairly invested in Firefox as my main browser, so I just use it as a backup. From my limited use, it appears to work satisfactorily; you just need to update the privacy and security settings.

CopperheadOS

 CopperheadOS

Calendar

The calendar app requires you to add an account to use. So far I’ve been unable to do that. Nothing happens when I press the add account button. This has made the calendar completely useless.

Camera

The camera app is just the basic Android camera. As far as I can tell it’s no different from the stock camera in CyanogenMod. That said, it’s not terribly impressive. It works just fine, but is pretty bare bones. Any moderate photo enthusiast will certainly want a better app.

Phone dialer/contacts

These are also just the basic Android apps. They work just fine.

The big problem with CopperheadOS

As I said, I’ve been using this OS for about six weeks, but I am very seriously thinking of switching back to CyanogenMod. The reason? I can’t get the Google Play store to work. The ROM comes with the F-droid app store installed. F-droid is an open source store, which I think is really great. I like to get anything I can from them, and hope that they’ll continue to develop. That said, the selection of apps is pretty small, and there is almost no overlap with Google Play apps. This means that even excellent, secure apps such as Signal or Private Internet Access VPN are not available. Also, while most of us would like to do everything via secure software, I’d guess that most of you reading this still use some mainstream apps at least occasionally.

How am I dealing with this? I’ve downloaded the Amazon app store (which is no better, and possibly worse than Google Play from a privacy standpoint) and I am also using apkmirror.com to download apps to install. This is a far from perfect solution. I still can’t get Signal to work (which I believe is because it relies on certain software in the Google Play Services app which is blocked by the OS). I am using an open source VPN client to route my PIA account through, which is as far as I can tell working fine. The other big problem with self-installed apps from APKmirror is that you have to manually check for updates. As I’m sure anyone reading Justin’s blog knows, keeping everything up to date is of utmost importance, so this is a big blow to the security of the overall system.

I’m continuing to try to figure out a way to get Google Play Store working on my phone. I’ve not yet read anything that says with certainty whether it is or isn’t possible. I actually have the app installed, but it won’t do anything when I open it. Since I’m installing it from an apk, it’s possible that I’m just doing something wrong. Unfortunately, there is almost nothing written about actually using CopperheadOS. There was a lot of press about it earlier this year, but it was all about the idea/concept/need, not about actually using it.

Overall Thoughts

Overall, I’m very impressed that two guys are putting this out, and updating it as frequently as they do. I believe that almost all of the work they’ve done is on the backend of Android, and is not visible to the average user. That’s good and necessary work, but I think that the front end still needs some improvement as well. As a unit the OS works flawlessly, if not much differently from vanilla stock Android. The ONLY problem I’ve seen is the inability to get many apps that I (and others) rely on.

Why CopperheadOS matters: At this point, you may be wondering, “Why don’t you just switch to iPhone?” There are two answers to that. On the personal level, I’m simply unwilling to spend the money. I bought my brand new 5X (a one year old design) for $240 on eBay. A USED iPhone 6s of the same vintage would run me $350-500, depending how much wear I was willing to accept. While $240 isn’t a $40 prepaid phone, it also got me a phone with relatively top of the line hardware (for 2015 anyway). The bigger reason that I wanted a Copperhead phone is that I want an open source OS with security and privacy as key concerns in its development. I want that to be a well-known alternative. I want people to have that option. I think that this is a tremendous step in the right direction, and I’d love to see CopperheadOS take off and do great! I am personally sending them a small donation on a regular basis, and intend to continue doing so. I’d love to see them “fix” Android and expand it so that people can buy low cost secure phones with ease. I don’t know if that will happen, but that’s the future I want.

Andy is an average guy who is concerned about privacy and security both for himself and future generations. As someone new to thinking about digital safety, he is trying to consolidate what he learns and add to the dialogue on these critical topics at https://peopleforprivacy.com.

Author: Andy

12 thoughts on “CopperheadOS Review”

  1. Thanks, Andy, for sharing your experiences and giving us such a detailed – and balanced – review of a very cool project. I’m still stuck on iPhone, but will now be watching for developments on CopperheadOS with greater interest.

    1. You’re welcome! I’m glad that you enjoyed it.

      I certainly can’t blame you for staying on iPhone, but I’m glad to hear you’ll be tracking with Copperhead!

  2. Andy, thanks for the great review! I’ve been researching how to minimize the amount of data I send to giant search engine companies too. Check out https://www.aptoide.com/ for an app store. It has automatic updates and Signal and PIA VPN apps. Also check out the OpenVPN Connect app instead of the PIA VPN app. It’s open-source, and works better for me to connect to PIA.

    1. asdf,

      Thanks for the kind words, I’m glad you enjoyed the article! Aptoide looks pretty interesting as an alternate source of apps. I actually just switched my phone over to CyanogenMod for the time being. I hope to go back to CopperheadOS sometime soon, but was just missing too many apps.

      I didn’t go into much detail in the article, trying to keep it at readable length, but I was able to download the Signal APK. I think the reason that it didn’t work is because it depends on some parts of Google Play Services which don’t work on CopperheadOS… I think. The whole subject is a bit murky to me, because I did install Google Play Services, and it was running and appeared to be supporting Protonmail, but not Signal. I’m hoping that sometime as Copperhead takes off they’ll be able to clarify all of that for us non-developers. I wish I’d seen this earlier, and I’d have tried the Aptoide store to see if I could get Signal that way.

      OpenVPN is actually the app I’d been using for my VPN, and I really liked it. I didn’t find any big improvements over PIA, and just for the sake of minimizing the number of parties touching my data, would have preferred PIA’s native app, but all in all it was a good, easy replacement.

  3. Hi,
    About the Play Store, you need Play Services to use it. Copperhead can’t ship with them because of legal reasons, and you can’t flash them because the CopperheadOS Recovery doesn’t allow you to flash stuff for security reasons (I think it would also break SecureBoot, as you flash them to /system).
    I don’t use Copperhead (yet?), but I roll without Play Services – the best way to get applications I’ve found so far is with Raccoon (http://www.onyxbits.de/raccoon). I have it on a server, and some glue to take the .apk and push them in a custom F-Droid repository.

    Remember that some applications will refuse to run as you don’t have Play Services.

  4. F-Droid has a fork of Signal called “Silence” (it used to be TextSecure). Does Silence meet your needs? I use it myself. https://silence.im/

    A few Copperhead questions, since I have never used it…

    Is there a PrivacyGuard, App ops, Xprivacy, or some other method of removing privilege from an installed app?

    If Copperhead forbids a custom recovery, does it allow Xposed? Is root access available at all?

    Have you tried flashing the gapps package from an equivalent version of CyanogenMod directly onto /system?

    Does this gapps install procedure work?: https://gist.github.com/shawngustaw/0d6161249538bb618624

    From an architectural security perspective:

    Can /system/lib/libstagefright.so be disabled or removed, allowing Zygote to boot without it?

    Did you notice any unexpected app behavior with the extra stack protection and other grsecurity features that have been enabled in the kernel?

    Does Copperhead run Mediaserver in a chroot? Do any other well-known Android processes run this way?

    Have all the issues that compromised the Blackphone been rectified in Copperhead?

    Please don’t erase your CyanogenMod to answer these questions, but I am curious.

  5. Where are some good instructions on how to install the Copperhead OS? The ones on the Copperhead site are not very good.
