Tor‑Powered Secure Smartphone on CopperheadOS: How It Works and Why It Matters for Privacy

“A ‘secure smartphone from the developers of anonymizing software’—sounds odd, doesn’t it? But don’t jump to conclusions. Unlike the BlackBerry Priv, the ‘Tor phone’ is built on open-source software from multiple companies and independent developers, and the handset itself is a Nexus 6P. They’re not even planning to sell the device; instead, they’re distributing a custom firmware image.”

The firmware is, of course, based on Android—but not the Android you’re used to on your smartphone. It’s a hardened variant called CopperheadOS, created by security specialists at the Canadian company Copperhead. They’re not especially known for anything else, but judging by the features already built into the firmware, these folks clearly know what they’re doing.

CopperheadOS

The standout feature of CopperheadOS is its substantially expanded exploit mitigations. The OS includes a hardened implementation of OpenBSD’s memory allocator (malloc) (more details here) that randomizes the location of allocated pages and junk-fills (poisons) freed memory pages. This makes use-after-free attacks much harder to pull off. OpenBSD’s malloc also places canaries at the end of allocated regions and verifies them on free, helping to detect and prevent heap overflows.

When building CopperheadOS, compiler-based hardening is used to prevent stack smashing and similar memory-safety bugs. Specifically: _FORTIFY_SOURCE in GCC (Android < 7.0), -fsanitize=bounds and -fsanitize=object-size in Clang (Android 7.0), and -fsanitize=integer to guard against integer overflows. Google enables these in AOSP, but the CopperheadOS developers extended their use to many more C standard library functions—and, importantly, got those changes merged upstream.

To prevent code tampering, CopperheadOS uses Android’s Verified Boot, introduced in Android 4.4, and it also avoids relying on pre-optimized app bytecode stored in /data/dalvik-cache. That cache is generated on first boot to speed up app startup (the “Optimizing apps…” message). However, it can also be abused to inject malicious code: there’s little point in replacing an app in /system—Verified Boot will refuse to start the phone if the system partition is modified—whereas swapped optimized code in /data/dalvik/cache is unlikely to raise suspicion.

The CopperheadOS kernel is built with the PaX patch, which includes several attack-prevention mechanisms:

• PAX_RANDMMAP — a more advanced address space layout randomization (ASLR) than the stock Android kernel, making stack and heap overflow exploits harder.
• PAX_PAGEEXEC — enforces non-executable data pages and immediately kills a process if it tries to execute code from data segments (Android has a similar feature, but it’s more permissive).
• PAX_MPROTECT — blocks modification of application code at runtime by preventing pages from becoming writable and executable.
• PAX_MEMORY_SANITIZE — zeroes memory pages on free (kernel space only).
• PAX_REFCOUNT — hardens reference counting to prevent overflows and use-after-free attacks (kernel space only).
• PAX_USERCOPY — checks object sizes during copy operations to prevent buffer overflows (kernel space only).
• PAX_KERNEXEC — enforces non-executable memory in the kernel (kernel space only).

CopperheadOS enforces stricter SELinux policies—the mandatory access control system that governs access to files, system calls, and hardware. For example, you can’t execute code from temporary directories (mounted via the tmpfs pseudo-filesystem), and you can’t access sensitive system data or information about other processes by reading files under /proc.

CopperheadOS imposes several other restrictions. By default, the stock camera app doesn’t embed location data in photo metadata, and the lock screen doesn’t show notifications that could expose sensitive information (Android and iOS allow such notifications, with an option to turn them off). Apps running in the background can’t access the clipboard (which breaks functionality for some otherwise useful apps from the app store). The MAC address of all network interfaces is randomized by default. The WebView component, which renders web pages inside third‑party apps (and many browsers), uses the isolatedProcess feature to sandbox each WebView instance in its own process.

Chromium—the engine behind WebView—includes several hardening tweaks to reduce data leakage: address bar error correction, page preloading, contextual search, telemetry, and hyperlink auditing are all disabled. The default search engine is DuckDuckGo, which doesn’t track users.

Tor Goodies

CopperheadOS is just the base layer of the firmware. On top of it run several components: Orbot, orWall, F-Droid, My App List, and Google Play—bundled not so much for app store access (F-Droid covers that) as for Signal, which relies on Google services for push notifications.

The two main components here are, of course, Orbot and orWall. The former is a Tor build for Android that can run either as a local SOCKS proxy forwarding traffic into Tor, or in root mode, where an iptables-based firewall forces all traffic through Tor to prevent any leaks.

By default, however, the firmware uses neither approach. Instead, it relies on orWall, a kind of firewall wrapper that lets you route traffic through Orbot selectively on a per‑app basis. This gives you fine-grained control over which apps go online via Tor, which connect directly, and which are blocked from the internet altogether.

OrWall completely blocks all internet connections until the OS has fully booted. This helps prevent any data leaks if you intend to use the internet exclusively via Tor, or if you want to completely block internet access for untrusted apps.

My App List is another interesting app bundled with the firmware. It was originally created as a convenient way to save a list of apps installed via the F-Droid store, but the Tor developers repurposed it for quick installation of recommended apps: they prepared a list of software that a typical user might need and preloaded it into My App List.

The list includes:

• Amaze file manager
• XMPP clients Conversations and Xabber
• Cool Reader e-book reader
• VoIP clients CSipSimple and Linphone
• Firefox browser
• K-9 Mail email client
• Twidere Twitter client
• OsmAnd~ (OpenStreetMap) online maps
• VLC media player

Installation

At the moment the firmware is available for the Nexus 5X and Nexus 6P, but installing it is quite different from installing CyanogenMod or any other custom ROM. In practice, it’s just a set of Linux scripts that pull the latest CopperheadOS from the official site, download the extra components, integrate them into the build, sign it, and flash it to the device using the fastboot tool.

For this reason, to install the firmware you’ll need:

• A Linux distribution
• fastboot and ADB installed
• Java JDK
• Git, cpio, GCC, and g++
• OpenSSL

On Ubuntu, you can install all of this as follows:

Next, enable USB debugging on the phone: Settings → About phone, tap Build number five times, then go to Settings → Developer options → enable USB debugging, and also enable OEM unlocking.

Connect your smartphone via USB and run the following command:

Your phone should display a “Trust this computer?” prompt—tap Trust.

All that’s left is to download the scripts and start the flashing process:

The script will walk you through every step of the installation. Be aware that this will wipe all data from the device.

Final thoughts

Firmware from the Tor developers is certainly an interesting project. When configured and used properly, it can give you a smartphone that’s almost untraceable on the internet. However, keep in mind the device will still be exposed to tracking via mobile networks and to side-channel attacks—for example, capturing passwords by analyzing changes in Wi‑Fi signals.

Further reading

Firmware announcement
Overview of CopperheadOS modifications
Overview of PaX protection mechanisms