A Review of CopperheadOS

by Ron Porter

CopperheadOS (COS) is a smartphone operating system based on the Android Open-Source Project (AOSP).

In that, it is like any other AOSP customization produced by the various manufacturers and carriers.  What makes it different is the modification philosophy.  Rather than adding a bunch of bells and whistles or worse, COS has a single-minded focus on security and privacy.

Like AOSP, COS is an open-source project.

That means the code can be inspected and modified by those with the skills to do so.  It also means that those with proper skills can submit changes for the COS team to evaluate for inclusion in the mainstream OS.

At the time of writing, the main revenue stream supporting COS is the sale of the Pixel line with COS installed and the installation of COS to Pixels you send in.  Copperhead is working on a reseller network, which may be in place by the time this is published.  A reseller network will presumably stabilize and increase revenue or at least reduce distractions to continued development.

How Does COS Achieve Its Goals?

The developers behind COS do a number of things to enhance security and privacy over AOSP.

AOSP is itself based on Linux, so they take the obvious step of pulling in the relevant security and privacy features of Linux that Google does not already include.  They also look to other open-source operating systems like BSD.

Copperhead is committed to keeping COS up-to-date with the latest security patches from Google, other sources, and their own work.  Updates are pushed to the phone about once a week and most of those have some security- or privacy-enhancing features.

COS does not include Play Services, the foundation of the Play Store, and Google Apps like Maps, Wear, voice assistant, etc.  Many third-party apps also depend on Play Services.  Even many who are concerned about Google's practices will find this tradeoff unacceptable.

F-Droid is installed as the default app store.  The selection is not as good as the Play Store, but as a major distributor of vetted Android open-source software, F-Droid seems to be a good fit.

COS also does not include a true SMS app because of concerns surrounding the privacy and security of SMS.  Silence, the secure messaging app installed by default, does provide SMS as a fallback, but the clear intent is to avoid the use of SMS.  Silence can also be used to make secure voice calls.

DuckDuckGo is set as the default search engine.  It is a privacy-focused search engine, making it a good match for COS.  It also happens to already be the choice of many privacy-minded people.

Does COS Meet Its Goals?

Keeping in mind that COS is young and the team small, I would say that yes, the goals are being met.  To me, there are some misses, but I'm also not willing to second-guess the team at this point.

I would like to see a default email client that easily supports public-key encryption and signatures, but K-9 Mail is easy enough to install from F-Droid.

I would like to see some fingerprint and password failure options.  The fingerprint sensor does get disabled after five failed attempts, but there are no options to manage how frequently you are forced to use your password, no quick way to temporarily disable the fingerprint sensor, and no way to force a wipe of the phone after a number of failed password attempts.

What's Really Missing?

Apps for social media, banking, and other Internet-based services like Google Maps are easily worked around by using the websites directly.  In many cases, that is less convenient or leaves you without some very desirable features.  In some cases, there are effective alternatives available on F-Droid.

The real loss is in offline apps.  F-Droid doesn't come close to Play Store for the variety of high-quality apps and games.  There are alternatives, but I still feel like I've taken more than a few steps backward in what I can actually do with my little pocket computer.

Who Is It For?

There are two things that probably make COS unsuitable for the average user.

First is price.  Although Nexus 5 and 6 versions of COS are available for free download, the pre-installed Pixel is over $1000 and the Pixel XL is nearly $1500.  If you already have a Pixel or Pixel XL, you can send it to Copperhead and have them install COS for $300.  If you don't have a Nexus 5 or 6 and the skills to build and install an alternative OS, then you are going to have to buy one of the Pixels or send one in for Copperhead to install the OS for you.

The second issue is lack of utility.  At any price, few are interested in a phone that has limited app selection, and virtually no access to the services we have come to take for granted: voice assistant, media stores and players, touch-to-pay, wearable support, etc.  I don't know if it's even possible to address the apparent conflict between security and utility, but as long as consumers have to choose, security will always lose.

My Personal Experience

I purchased a Pixel XL direct from Copperhead.

I think I have what it takes to do the work myself, but this was my way of supporting Copperhead.  I also wanted to get a feel for what a regular user would experience so that I could make appropriate recommendations to others.

I consider these devices to be computers, not phones, so the price was not really a deciding factor beyond how it affected our budget.  My perspective might be colored by the fact that I'm old enough to still be amazed by the technology we have.  I was thrilled to be able to buy a real computer for only $1000 a few years after my son was born.  Yes, it was only a VIC-20, but the Apple was over $3000.  Every computer I've ever bought or assembled has cost $1500-$3000, so $1500 for a real, Internet-connected computer that fit in my pocket was really a no-brainer.

Being a programmer, I was also not put off by the initial lack of utility.  Other than big things like voice assistance, I know I can work around or develop my own solutions for the things I really miss.

So far, I've managed to find alternatives or workarounds for everything except Tasker, an automation tool.  There are alternatives, but they are not nearly as capable as Tasker, so I'm going to have to start writing "real" software instead of building Tasker scripts.  The only function provided by an app that I've had to do without completely is Prairie Coordinates.  As a volunteer firefighter, I used this to convert Township-based land locations to GPS coordinates for navigation.  Now I have to pull out the paper map like everyone else.

If I had a true need for apps available only on Play Store, I would not have elected to go with COS.  As I mentioned earlier, F-Droid is the default place to get apps.  Amazon App Store is also available, although selection is still limited and may not be suitable for the truly privacy conscious.  If you really need both COS and Play apps, Yalp, available on F-Droid, will get you access to Play Store.  I haven't tried it, mostly because use of Yalp seems to be against Google's terms of service.  I don't think Google has ever banned Yalp or Yalp users, but, for me, that's not really the point.

The Pixel camera hardware is pretty good, but neither the default app nor anything I could find on F-Droid really takes full advantage of its capabilities.

Android Wear is not available.  Gadgetbridge, available on F-Droid, enables the use of some wearables, but with reduced function.  For example, I thought the killer feature of my Pebble was the ability to send canned replies to incoming messages.  That feature is available when Gadgetbridge is running on the stock Pixels, so COS notification security must be getting in the way.

I didn't even try switching to Silence.  A few years ago, I convinced some key contacts to switch from their default SMS apps to Signal.  I don't want to start that all over again, so I just grabbed Noise from F-Droid.  Noise is an alternative build of Signal that is fully interoperable with stock Signal.

I've been getting COS updates about once a week.

In addition to direct COS enhancements, the updates include security patches from AOSP and elsewhere.  COS, at least on the Pixel line, is now based on Oreo, the latest from Google.  I'm on the stable channel, but it's easy to switch to the beta channel if you want to.  Personally, I'm not quite ready to go beta on my only phone.

The update process is trivially simple, at least from the user's point of view.  COS comes with automatic updates turned on for all connection types.  Updates are pushed as deltas (difference between current install and updated version) to minimize traffic.  They are downloaded and installed in the background.

COS takes full advantage of modern A/B technologies so that the only downtime is for a very quick reboot.  Even that reboot can be set to happen automatically when the system is idle.  If the reboot fails for some reason, the A/B system means that it just automatically reboots again, this time to the previous version.

Conclusion

Overall, I'm very happy with my decision to go with COS.

My personal attack surface has always and will always be my responsibility, but I'm grateful to have smarter people than me trying to make sure that I'm starting on a solid foundation.

While it's definitely not for everyone, COS should be a welcome addition to the operating system space.  It's not the only Android-based OS that claims to provide improved security and privacy, but it's probably the easiest one to get into if you can handle the price.

Shout-out to The Revisionists.
