CopperheadOS: Security features, installing apps, and more

Fly your open source flag proudly with Copperhead, a mobile OS that takes its FOSS commitment seriously.

Norebbo via Flickr (Original: public domain). Modified by Opensource.com. CC BY-SA 4.0.

Editor's note: CopperheadOS is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 license (userspace) and GPL2 license (kernel). It is also based on Android Open Source Project (AOSP).

Several years ago, I made the decision to replace proprietary technologies (mainly Apple products) with technology that ran on free and open source software (FOSS). I can't say it was easy, but I now happily use FOSS for pretty much everything.

The hardest part involved my mobile handset. There are basically only two choices today for phones and tablets: Apple's iOS or Google's Android. Since Android is open source, it seemed the obvious choice, but I was frustrated by both the lack of open source applications on Android and the pervasiveness of Google on those devices.

So I entered the world of custom ROMs. These are projects that take the base Android Open Source Project (AOSP) and customize it. Almost all these projects allow you to install the standard Google applications as a separate package, called GApps, and you can have as much or as little Google presence on your phone as you like. GApps packages come in a number of flavors, from the full suite of apps that Google ships with its devices to a "pico" version that includes just the minimal amount of software needed to run the Google Play Store, and from there you can add what you like.

I started out using CyanogenMod, but when that project went in a direction I didn't like, I switched to OmniROM. I was quite happy with it, but still wondered what information I was sending to Google behind the scenes.

Then I found out about CopperheadOS. Copperhead is a version of AOSP that focuses on delivering the most secure Android experience possible. I've been using it for a year now and have been quite happy with it.

Unlike other custom ROMs that strive to add lots of new functionality, Copperhead runs a pretty vanilla version of AOSP. Also, while the first thing you usually do when playing with a custom ROM is to add root access to the device, Copperhead not only prevents that, it also requires a device that has verified boot, so there's no unlocking the bootloader. This keeps malicious code from gaining a foothold on the handset.

Copperhead starts with a hardened version of the AOSP baseline, including full encryption, and then adds a ton of hardening I can only pretend to understand. It also applies a number of kernel and Android patches before they land in the mainline Android releases.

Screenshot: About phone with extra patches (opensource.com)

It has a couple of more visible features that I like. If you use a PIN to unlock your device, there is an option to scramble the layout of the digits on the keypad.

Screenshot: Option to scramble digits (opensource.com)

This should prevent a casual shoulder-surfer from learning your PIN by watching where you tap, although it can make it a bit harder to unlock the device while, say, driving (but no one should be using a handset in the car, right?).

Another issue it addresses is tracking people by their WiFi MAC address. Most WiFi devices perform active scanning for access points, and the probe requests they send include the MAC address of the interface, which is normally fixed and unique to the device. A number of mobile location analytics systems use those addresses to track your movements. Copperhead has an option to randomize the MAC address, which counters this.

Screenshot: Randomize MAC address (opensource.com)
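To make the randomization concrete, here is an added example (not code from the article or from the CopperheadOS project) showing how a randomized MAC differs from a burned-in one, how a randomizing stack generates one, and why a probe-request log of randomized addresses is useless for following a device. The function names and the sample addresses are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the article or CopperheadOS: the locally-administered
# bit is what separates a randomized MAC from a manufacturer-assigned one.
set -eu

# Return 0 when the locally-administered bit (0x02 in the first octet) is set.
# Randomized addresses set this bit, so an analytics system cannot treat the
# address as a stable, manufacturer-assigned identifier.
mac_is_locally_administered() {
  first=${1%%[:-]*}
  [ $(( 0x$first & 2 )) -ne 0 ]
}

# Generate a random unicast, locally-administered address the way randomizing
# stacks generally do: take 6 random bytes, then set bit 1 and clear bit 0 of
# the first byte (locally administered, unicast).
random_local_mac() {
  set -- $(od -An -N6 -tu1 /dev/urandom)
  b0=$(( ($1 | 2) & 254 ))
  printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$b0" "$2" "$3" "$4" "$5" "$6"
}

# Read newline-separated probe-request source addresses on stdin and count
# how many are stable (globally unique) and therefore usable for tracking.
count_trackable_macs() {
  n=0
  while read -r mac; do
    [ -n "$mac" ] || continue
    if mac_is_locally_administered "$mac"; then :; else n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed sample of probe-request source addresses (not real captures):
# two burned-in addresses followed by two randomized ones.
SAMPLE_LOG='3c:5a:b4:10:20:30
a4:5e:60:01:02:03
da:a1:19:45:67:89
6e:00:11:22:33:44'

# Usage: printf '%s\n' "$SAMPLE_LOG" | count_trackable_macs   (prints 2)
```

Run against the constructed log, only the two burned-in addresses count as trackable; a device that rotates a fresh locally-administered address for each scan never contributes a stable identifier to such a log.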

Installing apps

This all sounds pretty good, right? Well, here comes the hard part. While Android is open source, much of the Google code, including the Google Play Store, is not. If you install the Play Store and the code necessary for it to work, you allow Google to install software without your permission. Google Play's terms of service say:

"Google may update any Google app or any app you have downloaded from Google Play to a new version of such app, irrespective of any update settings that you may have selected within the Google Play app or your Device, if Google determines that the update will fix a critical security vulnerability related to the app."

This is not acceptable from a security standpoint, so you cannot install Google applications on a Copperhead device.

This took some getting used to, as I had come to rely on things such as Google Maps. The default application repository that ships with Copperhead is F-Droid, which contains only FOSS applications. While I previously used many FOSS applications on Android, it took some effort to use nothing but free software. I did find some ways to cheat this system, and I'll cover that below. First, here are some of the applications I've grown to love from F-Droid.

F-Droid favorites

K-9 Mail

Screenshot: K-9 Mail (opensource.com)

Even before I started using Copperhead, I loved K-9 Mail. This is simply the best mobile email client I've found, period, and it is one of the first things I install on any new device. I even use it to access my Gmail account, via IMAP and SMTP.

Open Camera

Screenshot: Open Camera (opensource.com)

Copperhead runs only on rather new hardware, and I was consistently disappointed in the quality of the pictures from its default camera application. Then I discovered Open Camera. A full-featured camera app, it allows you to enable an advanced API to take advantage of the camera hardware. The only thing I miss is the ability to take a panoramic photo.

Amaze

Screenshot: Amaze (opensource.com)

Amaze is one of the best file managers I've ever used, free or not. When I need to navigate the filesystem, Amaze is my go-to app.

Vanilla Music

Screenshot: Vanilla Music (opensource.com)

I was unhappy with the default music player, so I checked out a number of them on F-Droid and settled on Vanilla Music. It has an easy-to-use interface and interacts well with my Bluetooth devices.

OCReader

Screenshot: OCReader (opensource.com)

I am a big fan of Nextcloud, particularly Nextcloud News, a replacement for the now-defunct Google Reader. While I can access my news feeds through a web browser, I really missed the ability to manage them through a dedicated app. Enter OCReader. While it stands for "ownCloud Reader," it works with Nextcloud, and I've had very few issues with it.

Noise

The SMS/MMS application of choice for most privacy advocates is Signal by Open Whisper Systems. Endorsed by Edward Snowden, Signal allows for end-to-end encrypted messaging. If the person you are messaging is also on Signal, your messages will be sent, encrypted, over a data connection facilitated by centralized servers maintained by Open Whisper Systems. It also, until recently, relied on Google Cloud Messaging (GCM) for notifications, which requires Google Play Services.

The fact that Signal requires a centralized server bothers some people, so the default messaging application on Copperhead is a fork of Signal called Silence. Silence doesn't use a centralized server (it sends encrypted SMS directly), but it requires that all parties use Silence for encryption to work.

Well, no one I know uses Silence. At the moment you can't even get it from the Google Play Store in the U.S. due to a trademark issue, and there is no iOS client. An encrypted SMS client isn't very useful if you can't use it for encryption.

Enter Noise. Noise is another application maintained by Copperhead; it is a fork of Signal that removes the need for GCM. It isn't in the standard F-Droid repositories, but Copperhead includes its own repository in the version of F-Droid it ships, which at the moment contains only Noise. This app lets you communicate securely with anyone else using Noise or Signal.

F-Droid workarounds

FFUpdater

Copperhead ships with a hardened version of the Chromium web browser, but I am a Firefox fan. Unfortunately, Firefox is no longer included in the F-Droid repository. Apps on F-Droid are all built from source by the F-Droid maintainers, so getting an app into F-Droid can be complicated. For example, the Compass app for OpenNMS isn't in F-Droid because F-Droid's build system does not, at the moment, support builds using the Ionic Framework, which Compass uses.

Luckily, there is a simple workaround: install the FFUpdater app from F-Droid. It lets me install Firefox and keep it up to date through the browser itself.

Amazon Appstore

This brings me to a cool feature of Android 8, Oreo. In previous versions of Android, you had a single "known source" for software, usually the Google Play Store, and if you wanted to install software from another repository, you had to go to Settings and allow "Install from Unknown Sources." I always had to remember to turn that off again after an install, so that malicious code couldn't use it to install software on my device.

Screenshot: Allowing sources to install apps (opensource.com)

With Oreo, you can permanently grant a specified application permission to install other applications. For example, I use some applications from the Amazon Appstore (such as the Amazon Shopping and Kindle apps). When I download and install the Amazon Appstore Android package (APK), I am prompted to allow the application to install apps, and then I'm not asked again. Of course, this can be turned on and off on a per-application basis.

The Amazon Appstore has a number of useful apps, such as IMDb and eBay. Many of them don't require Google Services, but some do. For example, if I install the Skype app via Amazon, it starts up but then complains about the operating system. The American Airlines app would start, then complain about an expired certificate. (I contacted them and was told they were no longer maintaining the version in the Amazon Appstore and it would be removed.) In any case, I can pretty simply install a couple of applications I like without using Google Play.

Google Play

Well, what about those apps you love that don't use Google Play Services but are only available through the Google Play Store? There is yet another way to safely get those apps on your Copperhead device.

This does require some technical expertise and a second device. On the second device, install the TWRP custom recovery. This is usually a key first step in installing any custom ROM, and TWRP is supported on a large number of devices. You will also need the Android Debug Bridge (ADB) tool from the Android SDK, which can be downloaded at no cost.

On the second device, use the Google Play Store to install the applications you want, then reboot into recovery. Mount the system partition in TWRP, plug the device into a computer with a USB cable, and you should be able to see it via ADB. The directory /data/app holds the APK files for all your installed applications. Copy the ones you want to your computer (I use the ADB pull command and copy over the whole directory).

Disconnect that phone and connect your Copperhead device. Enable the "Transfer files" USB option, and the device's storage should appear on your computer. Copy over the APK files for the applications you want, then install them with the Amaze file manager (navigate to the APK file and tap on it).

Note that you can do this for any application, and it might even be possible to install Google Play Services this way on Copperhead, but that rather defeats the purpose. I use this mainly to get the Electric Sheep screensaver and a guitar tuning app I like called Cleartune. Be aware that if you flash TWRP, especially on a Google Pixel, security updates may not work, because they expect the stock recovery. In that case you can boot TWRP temporarily with fastboot instead of flashing it, leaving the default recovery in place.
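The copy-and-sideload procedure above moves APKs across two devices and a computer, and the check a practitioner would want is that what lands on the Copperhead phone is byte-for-byte what came off the source phone, with a valid signature. The script below is an added example (not from the article or the CopperheadOS project) that wraps the pull step, records SHA-256 checksums, and verifies the copies before they are pushed. It assumes the Android SDK's adb and apksigner tools are on PATH; the function names and the /sdcard/apks destination are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the article or CopperheadOS: pull APKs with adb,
# checksum them, and verify the copies before sideloading.
set -eu

# Copy /data/app from the phone booted into recovery (as the article describes)
# into a local directory. Requires a device visible to "adb devices".
pull_apks() {
  mkdir -p "$1"
  adb pull /data/app "$1"
}

# Print "sha256  ./path" for every .apk below a directory, in a stable order,
# so the list can be diffed or checked with sha256sum -c.
apk_manifest() {
  ( cd "$1" && find . -type f -name '*.apk' | LC_ALL=C sort | while read -r f; do
      sha256sum "$f"
    done )
}

# Return 0 only if every APK under $1 exists under $2 with identical bytes.
# Catches truncated transfers and files that changed on the way over.
verify_apks() {
  manifest=$(mktemp)
  apk_manifest "$1" > "$manifest"
  if ( cd "$2" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1 ); then
    rc=0
  else
    rc=1
  fi
  rm -f "$manifest"
  return "$rc"
}

# Refuse to sideload any APK whose signature does not verify.
# apksigner ships with the Android SDK build-tools.
check_signatures() {
  find "$1" -type f -name '*.apk' | while read -r f; do
    apksigner verify "$f" || { echo "bad signature: $f" >&2; exit 1; }
  done
}

# Push the verified APKs to the Copperhead device's shared storage, where a
# file manager such as Amaze can open them (destination path is an assumption).
push_apks() {
  adb push "$1" /sdcard/apks
}

# Typical run, with the source phone connected first and the Copperhead
# device second (kept as a comment so the file can be sourced safely):
#   pull_apks ./apks && apk_manifest ./apks > apks.sha256
#   check_signatures ./apks && push_apks ./apks
#   verify_apks ./apks ./copy-from-device   # after pulling the copy back
```

Keeping the manifest from the source phone lets you re-run verify_apks against any later copy, and running check_signatures before push_apks means an APK that was modified in transit never reaches the Copperhead device at all.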

Must-have apps without a workaround

Unfortunately, there are still a couple of Google apps I find it hard to live without. Google Maps is probably the main Google application I use, and yes, while I know I'm giving up my location to Google, it has saved hours of my life by routing me around traffic issues. OpenStreetMap has an app available via F-Droid, but it doesn't have the real-time information that makes Google Maps so useful. I also use Skype on occasion, usually when I am out of the country and have only a data connection (for example, through a hotel WiFi network). It lets me call home and other places at a very affordable price.

My workaround is to carry two phones. I know this isn't an option for most people, but it is the only one I've found for now. I use my Copperhead phone for anything personal (email, contacts, calendars, pictures, etc.) and my "Googlephone" for Maps, Skype, and various games.

My dream would be for someone to perfect a hypervisor on a handset. Then I could run Copperhead and stock Google Android on the same device. I don't think anyone has a strong business reason to do it, but I do hope it happens.

Devices that support Copperhead

Before you rush out to install Copperhead, there are some hurdles to clear. First, it is supported on only a limited number of handsets, almost all of them recent Google devices. The logic is simple: Google tends to release Android security updates for its own devices quickly, and I've found that Copperhead is able to follow suit within a day, if not within hours. Second, like any open source project, it has limited resources, and it is difficult to support even a fraction of the devices now available to end users. Finally, if you want to run Copperhead on handsets like the Pixel and Pixel XL, you'll either have to build it from source or buy a device from Copperhead directly.

When I discovered Copperhead, I had a Nexus 6P, which (along with the Nexus 5X) is one of the supported devices. This allowed me to play with and get used to the operating system. I liked it so much that I donated some money to the project, but I kind of balked at the price they were asking for Pixel and Pixel XL handsets.

Recently, though, I ended up purchasing a Pixel XL directly from Copperhead. There were a couple of reasons. One, since all of the code is available on GitHub, I set out to do my own build for a Pixel device. That process (which I never completed) made me appreciate the amount of work Copperhead puts into its project. Two, there was an article on Slashdot discussing how people were selling devices with Copperhead pre-installed and using Copperhead's update servers. I didn't appreciate that very much. Finally, I support FOSS not only by being a vocal user but also with my wallet.

Putting the "libre" back into free

Another thing I love about FOSS is that I have options. There is even a new alternative to Copperhead in development called Eelo. Created by Gaël Duval, the developer of Mandrake Linux, this is a privacy-focused Android operating system based on LineageOS (the descendant of CyanogenMod). While it should be supported on more handsets than Copperhead is, it is still in the development stage, whereas Copperhead is very stable and mature. I am eager to check it out, though.

For the year I've used CopperheadOS, I've never felt safer when using a mobile device to connect to a network. I've found the open source replacements for my old apps to be more than adequate, if not better than the original apps. I've also rediscovered the browser. Where I used to have around three to four tabs open, I now have around 10, because I've found that I usually don't need to install an app to easily access a site's content.

With companies like Google and Apple trying more and more to insinuate themselves into the lives of their users, it is nice to have an option that puts the "libre" back into free.

14 Comments

Excellent, thanks.

The list of supported devices is here:
https://copperhead.co/android/docs/install

As of 2018-01-29:

Nexus 5X (bullhead)
Nexus 6P (angler)
Pixel (sailfish)
Pixel XL (marlin)
Pixel 2 (walleye)
Pixel 2 XL (taimen)
HiKey (hikey)
HiKey 960 (hikey960)

As far as I can tell, CopperheadOS isn't Open Source software as it restricts commercial redistribution. See their license:

* https://github.com/CopperheadOS/platform_system_core/blob/oreo-mr1-rele…

The COPPERHEAD_LICENSE files contain the "Attribution-NonCommercial-ShareAlike 4.0 International" license, which is non-Open Source.

Very good article.
For security, efficiency and convenience the very best way of downloading Google Play apps AND INSTALLING via them on your phone via adb or scanning an image is Raccoon:

raccoon.onyxbits.de/

I am a user of several years history. I can't understand why people struggle with the civilization threatening Google.

Raccoon is free with a few extras being delivered for less than 10 EUR.

I got a nice angry e-mail complaining that we weren't clear on the license for CopperheadOS. For reference their licensing information is here:

https://copperhead.co/android/docs/building#redistribution

Note that some of the project is Creative Commons Non-Commercial, which isn't an OSI approved open source license. The term for this kind of project is "source available", just to be clear.

Hello there,

I've got to respectfully disagree with posting this article on opensource.com.

Copperhead OS is not open-source, since it does not permit commercial distribution, its userspace components being licensed under CC-NC-SA, which is neither an open source nor a free software license.

It's a great project, but it's important to be correct when talking about it.

All the best,
-G

One of the main points I tried (and obviously failed) to get across in the article was that Copperhead made me use F-Droid, and after a learning curve I found I could do without most non-free apps. I really struggled to find a mobile operating system that I was comfortable using from a freedom standpoint. All mobile devices include some proprietary code, even the very FOSS-focused Replicant, and I am willing to live with Copperhead's non-commercial use clauses in exchange for a secure, reliable operating system that lets me see the source.

I will concede that I could have added a paragraph about Copperhead's licensing for clarity, but I won't concede that this article doesn't belong on opensource.com. My year spent using the product has greatly reduced my reliance on closed source mobile applications, and it is hoped that others can also benefit from my experience.

In reply to George Hollande

Please check out Yalp Store in F-droid for installing and updating apps from the Play Store.

It's a far more convenient solution than the one posted here.

Security is an illusion in Android. Once you ditch the Google Play stuff and compile Android with those security patches, you still have to cope with those binary-only, highly secretive bits that are needed to make the base-band modem, the wifi and even the touchscreen work.
That code is running on everyone's phone with high privilege levels.
That unreviewed code can do anything, from eavesdropping on all your activities to providing a command-and-control center inside your smartphone. Way before any cryptography can kick in.
If you are lucky, all these "extra features" will be used just by your Government, your carrier or your manufacturer.
If you are not, then these back doors are available to whoever manages to enter them.

Nice article.

Have you tried the maps app maps.me? They do include local traffic, at least in my region.

It's based on OSM, and stores maps offline in regional chunks, which also makes it perfect on travel.

They do provide an .apk, although I'm not sure if the app is in f-droid.

.os

No, I hadn't seen that. I don't think it is FOSS so it won't be in F-Droid but they do offer their own apk's for direct download. Thanks for sharing.

In reply to Oystein (not verified)

Replicant is definitely worth giving a try, a fully free Android distribution. They have replaced all proprietary Android code with free code and are officially supported by the FSF. https://www.replicant.us/

I'm a fan of that project, but even they have issues with proprietary drivers. I ran into Karen Sandler at Linuxconf.au and she's now using an S3 with Replicant, but if you look at their device page for the S3:

https://redmine.replicant.us/projects/replicant/wiki/GalaxyS3I9300

You'll see there is still some proprietary driver code (wi-fi, bluetooth, GPS for example).

I honestly don't think there is enough of a demand for a totally free handset for us to see one in the near future, which is a shame because I'd buy one.

In reply to Ryan Ichiriwa (not verified)

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.