As longtime readers here know, I’ve never been a fan of Google’s mobile device collection platform known as Android. I have, however, been a fan of a few niche variants of Android that attempt to excise Google’s collection capabilities from the OS itself. One of those OSs is the very security-focused CopperheadOS.
Full Disclosure: This article is based on a conversation with Copperhead CEO James Donaldson. Mr. Donaldson agreed to share a great deal of information with me off-the-record. As a result of my agreement to permit him to speak off-the-record, I provided him with a copy of this article prior to publication for two purposes: ensuring I didn’t inadvertently overstep the bounds of what he intended to be made public, and ensuring technical accuracy.
A Note On Terminology: “Copperhead” is the company that makes “CopperheadOS.” In this article I have attempted to use the correct proper noun to disambiguate the company from their product.
I first learned of CopperheadOS back in 2016. At the time I reached out to the company to request a device for review. My request was declined, but my friend Andy flashed his own Nexus phone and reviewed the OS for the blog. Despite some of the shortcomings Andy identified, I continued to readily recommend Copperhead to Android users…up until June of 2018 when I abruptly stopped recommending it. I’ll get into why – and why I am once again behind Copperhead – but first some backstory is in order.
The CopperheadOS Saga
Copperhead began as a cybersecurity consultancy with clients who had demonstrable need for incredibly secure mobile devices. Thus began an intense period of research, during which they discovered no one was making a secure version of Android. So, they decided to solve their problem another way.
The firm took on Daniel Micay – a very talented security engineer – and began developing their own. Beginning with CyanogenMod, Copperhead quickly pivoted to the free and open-source Android code base, with the intention of making security and (to a lesser extent) privacy enhancements. CopperheadOS was the result. CopperheadOS was initially licensed under a completely free and open-source license and funded through donations.
Fast-forward to June of 2018 when then-CTO Daniel Micay severed his relationship with the company, destroying Copperhead’s signing keys on his way out. Micay made his exit very public, using Copperhead’s own Reddit and Twitter accounts [@copperheados] to do so.
In case you aren’t familiar with the importance of signing keys, these keys were necessary to update existing installations of the operating system. Without them CopperheadOS adopters were left without updates and with a great deal of uncertainty about the future of their devices. In addition to destroying the keys, Daniel was also quite verbose on Reddit and Twitter, and the whole thing became rather ugly.
At this point I stopped following the project. Daniel constituted fully 50% of the company at this point, and provided the primary technical expertise. I assumed the project was dead, and at the very least I (like many) had lost confidence in it if it wasn’t.
Copperhead CEO James Donaldson reached out to me out of the blue a few weeks ago, asking if I was still interested in their product. To be honest, I was surprised that Copperhead was still in operation. Intrigued to learn what had transpired over the last 15 months, I responded. James and I arranged a phone call and I’m happy to report that the project is still very much alive and well. Before we get to addressing some of the concerns about the company and project, let’s talk about what CopperheadOS actually is.
CopperheadOS is a custom Android operating system that runs on certain Android devices. The only supported devices are the flagship Google phones, which are currently the Pixel/Pixel XL, and Pixel 2/Pixel 2 XL. Support is exclusive to flagship devices because Google guarantees OS updates for a minimum of three years for these devices, and provides a secure hardware baseline.
Copperhead offers a raft of security enhancements over stock Android. These include a hardened kernel with ASLR, a hardened C Standard library and compiler toolchain, enhanced sandboxing of applications, a hardened, sandboxed, 64-bit version of Chromium, better full-disk encryption and authentication protocols, and a lot more. Updates are provided over-the-air and are very frequent. Full details can be found in the Technical Overview document provided by Copperhead (a Usage Guide is also provided and I found reading it helpful, as well).
CopperheadOS is no longer licensed as fully free and open-source, but rather as “source-available” software. The license agreement has a “no commercial use” clause, but source code is available and may be modified and used for non-commercial purposes. The updated license terms are due to Copperhead’s new business model, which also speaks to the longevity of the project.
A reasonable hesitation to adopting an outlier operating system (like CopperheadOS) is the fear of finding that a few years (or even months) later it is no longer supported. This isn’t unheard of in the Android space; CyanogenMod died†, and the Blackphone (which I adopted briefly) is dead. This imposes significant financial cost on end-users, or the undesirable position of having to run an outdated, unsupported operating system. I asked James what steps had been taken to ensure the longevity of CopperheadOS.
First, controls have been put into place to prevent a repeat incident of one individual having the ability to delete signing keys. A multiple-redundancy system is now in place that prevents this while still providing access to the keys in the event of the loss of any one individual.
Next, having found the donation model unsustainable, Copperhead has adapted its business model to make it more financially viable. Copperhead did not make a profit with the donation model, which was thus unsustainable in the long term. A considerable amount of work goes into keeping the OS updated and functional, and CopperheadOS is now a full-time job for a team of six people. Copperhead’s strategy now is to provide secure technology to government and private sector clients, and return that investment (via improvements in CopperheadOS) to journalists, activists, and the community at large. Though the very public departure of Daniel was a blow to the company, James told me that Copperhead is, “…back on the path to profitability and sustainability.”
I specifically asked James how Copperhead saw itself as a market differentiator from products like the Blackphone, and how it intended to protect itself from a similar fate. James indicated that the primary flaw with most “secure phone” business models (Blackphone, Blackberry, Boeing, et al.) is that they attempt(ed) to do it all: hardware, OSs, and applications. Hardware requires massive up-front investment, and became a major issue with Blackphone. I was assured that Copperhead has no desire to invest in hardware in a fickle market, nor is there any intent to develop applications. Copperhead will remain focused on doing one thing and doing it exceptionally well.
Applications for CopperheadOS are available through the F-Droid repository, the Amazon app store (which as Andy pointed out in 2016 is hardly better than Google Play where privacy is concerned) or as downloadable APK files.
I was pleasantly surprised to learn that the reports of CopperheadOS’s death had been greatly exaggerated. I think the market has a distinct need for a secure version of Android. I don’t think CopperheadOS is a perfect solution to many of the issues in the Android ecosystem, but it is absolutely a step in the right direction. I will be purchasing a Pixel 2 and running CopperheadOS on it soon. This will let me give you a much more informed outlook on the device.
†CyanogenMod was resurrected by the community as LineageOS, which is still around today.