Hello Pine community, I'm a Linux newbie and was wondering if there are certain mobile Linux OSes that are more secure than others? From reading various posts on reddit I've come across some saying Ubuntu Touch is secure because of the apps being isolated from each other, and being able to choose app permissions. Is that not the case for other mobile OSes? It looks like Mobian is the preferred OS for Pinephone for many people right now because of stability/usability. How is it as far as security? I'm trying to learn Linux for privacy and security reasons, and wanting to get away from the Apple/Google duopoly and am happy to support the free/libre philosophy. Can you explain to me how each mobile distro differs in security, or point to resources I can dive into? Thank you
12-10-2020, 12:05 AM
(This post was last modified: 12-10-2020, 12:10 AM by ryo.)
In Linux the general rule is, safety depends on what's between the keyboard and chair (or in the case of smartphones, what's touching the screen).
Mobian is the most daily driver ready OS for Pinephone.
However, if you have a Nexus 5 or a Moto G7, then Ubuntu Touch will be the ultimate daily driver ready OS.
Some examples of OS independent privacy concerns:
・Do you go online using your real name, a nickname, or a fake name (not the same as a nickname)?
・If you use a nickname and/or fake name, do you use the same name on all websites, or do you invent new names on each site or service?
・If you use your real name, do you just blast it all over the internet, or just limit it to certain websites?
・How about your address, birth date, phone number, among other person specific information?
・Do you use Fakebook or any of its other services (WhatsApp, Instagram)?
・Do you use a VPN? If so, which provider?
・Do you have multiple email addresses for multiple purposes, or do you use the same one again and again?
・Do you have different, randomly generated passwords for every site or service? And where do you store your passwords?
・Are you active exclusively on big tech SNS, exclusively on alt tech SNS, or do you diversify your content across many different SNS?
And it's just a very few things that really determine security issues that aren't specific to a certain OS.
For some of the OS specific stuff:
・iOS sends your information to Apple, and there's no way to stop it.
・Android sends your information to Google, you can block it to a certain extent.
・Degoogled Android sends misinformation to Google (is needed for it to operate).
・Linux does not send anything to Google, Apple, Pine64, Purism, distro maker, etc.
On the other hand, degoogled Android has storage encryption, while Linux doesn't have it yet (although it's in development).
And there are 2 more entities to consider: your carrier, and the government.
Your carrier tracks you using your SIM card and the cell towers.
You can hide using a VPN, to a carrier it'll just seem like you're just using a VPN and nothing else.
Government on the other hand has its own methods they'll refuse to let the public know unless some hacker leaks it.
My native language is Japanese, but I can also speak English (etc.)
(12-10-2020, 12:05 AM)ryo Wrote: In Linux the general rule is, safety depends on what's between the keyboard and chair (or in the case of smartphones, what's touching the screen).
Mobian is the most daily driver ready OS for Pinephone.
However, if you have a Nexus 5 or a Moto G7, then Ubuntu Touch will be the ultimate daily driver ready OS.
Some examples of OS independent privacy concerns:
・Do you go online using your real name, a nickname, or a fake name (not the same as a nickname)?
・If you use a nickname and/or fake name, do you use the same name on all websites, or do you invent new names on each site or service?
・If you use your real name, do you just blast it all over the internet, or just limit it to certain websites?
・How about your address, birth date, phone number, among other person specific information?
・Do you use Fakebook or any of its other services (WhatsApp, Instagram)?
・Do you use a VPN? If so, which provider?
・Do you have multiple email addresses for multiple purposes, or do you use the same one again and again?
・Do you have different, randomly generated passwords for every site or service? And where do you store your passwords?
・Are you active exclusively on big tech SNS, exclusively on alt tech SNS, or do you diversify your content across many different SNS?
And it's just a very few things that really determine security issues that aren't specific to a certain OS.
For some of the OS specific stuff:
・iOS sends your information to Apple, and there's no way to stop it.
・Android sends your information to Google, you can block it to a certain extent.
・Degoogled Android sends misinformation to Google (is needed for it to operate).
・Linux does not send anything to Google, Apple, Pine64, Purism, distro maker, etc.
On the other hand, degoogled Android has storage encryption, while Linux doesn't have it yet (although it's in development).
And there are 2 more entities to consider: your carrier, and the government.
Your carrier tracks you using your SIM card and the cell towers.
You can hide using a VPN, to a carrier it'll just seem like you're just using a VPN and nothing else.
Government on the other hand has its own methods they'll refuse to let the public know unless some hacker leaks it.
Hi ryo, thanks for your very informative reply that will be helpful to more noobs like me. I am aware of those anonymization strategies, and yes it all depends on what the user is doing on the device as well. So I'm more specifically wondering what I need to look for in a secure Linux mobile OS. Are some more secure than others as far as sandboxing apps or how the OS is built? Or are the various Linux mobile OS mostly the same security-wise? I don't know how to evaluate what makes a distro secure and private, other than staying away from ones that are partly proprietary. Why do some say Ubuntu Touch is more secure because of app isolation, does Mobian or other mobile OS not do that? I guess what I'm asking is, when I'm reading about all the different mobile OS for the Pinephone, what characteristics should I look out for that indicates it's built with security/privacy in mind? Sorry if my questions are confusing, hard to articulate it since I still don't know what I'm talking about lol.
12-10-2020, 03:47 AM
(This post was last modified: 12-10-2020, 03:49 AM by ryo.)
Just like on PC and server, Linux on a smartphone has multiple distributions.
The most obvious differences are the package manager, release model, and file structure.
For example, Debian has a new major release once every 0.5~5 years, Ubuntu is every 6 months or 2 years for long term support, and Arch and Manjaro don't have major releases at all.
But for security and/or privacy, you might look for whether there are hardware kill switches (in the case of Pinephone and Librem 5, they have), what exactly they kill (Librem 5 might be more secure), etc.
When it comes to software, sandboxing is a good point.
Look at Qubes OS for example, where every app runs in its own isolated virtual machine.
The trade off is usually performance.
The reason why Ubuntu Touch has more security is probably because it's been existing for much longer than Phosh, and has a much bigger and more active community than Plasma Mobile.
All other Linux distros are in development, but Ubuntu Touch is more mature.
However, Ubuntu Touch doesn't run desktop apps, and you're often stuck with HTML5 apps.
It has a VM built in for desktop apps, but it's hard to set up, often doesn't work, and drains battery like an idiot.
But what I said previously is basically you don't need to pick a secure OS, you need to operate an OS securely.
Usually we Linux users pick an OS that is best for its purpose (for example, I pick Debian or CentOS for server software (Debian for websites running modern technology, and CentOS for ancient websites and customers who refuse to change), Manjaro for my own PC, Linux Mint for PCs of friends who are new to Linux, etc).
Do you even need app isolation if you're already careful?
Do you even need app isolation if you know how to avoid malware?
A computer user is both the best anti virus and the worst exploit at the same time.
I've seen so many times when people would use Tor to go on Fakebook, and upload photos of clearly the street they're living in, or chat with all their friends they usually chat with.
In that case, the ultra secure Tor browser will not help at all, and you might as well just use Google Chrome instead.
As I said, you can hide from big tech with Linux as long as you're using a computer securely, but you most likely won't escape your carrier, and you definitely won't escape your government + 3 letter agencies (Clowns In America, No Such Agency, etc).
My native language is Japanese, but I can also speak English (etc.)
12-10-2020, 04:06 AM
(This post was last modified: 12-10-2020, 04:07 AM by displacefish.)
Usually, there isn't that much fundamental difference between distros - probably the biggest defining factor is the package manager and its repositories. Most of the other differences come from the way the maintainers set it up, and generally, if there's some excellent security enhancement on one distro, there shouldn't be much stopping it from being added to another distro (or you setting it up yourself, even, if the maintainers refuse to do so).
Now, you ask which of the available ones is built with security/privacy in mind. While I haven't been keeping closely up to date with all of them, I think it's likely the case that right now, they're mostly built with getting features working properly in mind. There's still a not insignificant amount of work to do for things like getting the modem to reliably cooperate, improving power management, and generally improving user experience (better camera, porting more software to be mobile-ready, etc.)
However, some pointers if you want to either vet for, or set up yourself, secure systems:
- Sandboxing, as you mentioned. There are multiple sandboxing solutions. However, sandboxes are also hard to get right; a simple one might be very effective against a malicious program that doesn't take sandboxes into account, but as soon as it turns adversarial, it can be very hard to ensure a sandbox is secure against a program actively trying to escape it. Anyway, a sandbox is still usually better than no sandbox; a common solution is e.g. firejail. Both iOS and Android come with extensive sandboxing as part of their fundamental app architecture; on Pinephone this is harder because there are no "apps" with special properties; everything is just normal Linux software like you'd find on your computer, so it's much less straightforward to implement e.g. smartphone-like permission controls and such.
- Encryption. This is more for physical security (as in if your phone gets stolen), than security against malicious software. It's generally good practice to set up full disk encryption. You can go from a basic "password needed on boot" solution to really paranoid setups like Heads (though probably not on a pinephone, at least not easily). Support for encryption in installers is WIP for pinephone distributions (and this is one of those things that, once one of them gets it working, can be very easily added to the others); you might be able to set it up manually in the meantime, if you know what you're doing.
- Mandatory Access Controls (MAC), such as SELinux. If you're not familiar, this essentially involves defining a set of rules (policies) regarding what kinds of processes can access what kinds of resources. It stands in juxtaposition with Discretionary Access Controls, such as UNIX filesystem permissions, due to being much more fine-grained and forcing explicit permissions for different users, processes, or classes thereof, rather than letting you just "chmod 777" and having everyone be able to do anything. In turn, this allows file and resource access to be hardened much more effectively, up to being able to contain a malicious process and prevent it from affecting anything. However, due to being much more fine-grained, it is in turn a chore to set up. I am fairly certain it should be possible to do it yourself if you feel inclined, but I'm almost certain none of the distros ship with SELinux enabled, nor plan to enable it in the foreseeable future. For context, Android integrated SELinux a few years ago, but almost no desktop Linux distribution I know of enables it out of the box since the configuration must necessarily depend on individual use cases: Android works around this by having essentially a completely standardised userspace, with all "apps" running inside its ART environment rather than on the OS natively.
These are the biggest things that come to mind when I think of a "hardened Linux OS". Of course there's more, such as having a decent firewall set up, enabling kernel hardening features which might be disabled by default, and ensuring your system is up to date, but hopefully this gives you a decent idea of how greater security could be achieved on a Linux phone.
As for privacy, Ryo covered it pretty well already.
(12-10-2020, 03:47 AM)ryo Wrote: Do you even need app isolation if you're already careful?
Do you even need app isolation if you know how to avoid malware?
Defense in depth dictates that you shouldn't trust any measure to be infallible. Maybe tomorrow your nice secure chat app (Signal, Matrix, Jami, anything you like) has a vulnerability discovered and an attacker is able to execute remote code just by sending a message; no matter how much common sense you used, you are then at risk.
In practice, the risk is definitely tiny, and it may be true that in general you really don't need it, provided you don't believe you will be the victim of targeted attacks. But I wouldn't state that as an objective answer.
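An added example, not part of displacefish's post and not any distro's own tooling: a small Python audit of the layers listed in that post (an active MAC module, an encrypted root, kernel hardening sysctls, and world-writable files as the "chmod 777" case). The sample snapshot, the sysctl baseline and every function name are assumptions made for illustration, and the encryption check only recognises a root filesystem mounted directly on a dm-crypt mapping.

```python
"""Audit a Linux phone for the hardening layers listed in the post above."""
import os
import stat

# Constructed snapshot of an unhardened image (illustrative, not measured).
SAMPLE = {
    "lsm": "capability,yama",  # contents of /sys/kernel/security/lsm
    "lsblk": "mmcblk2 disk\nmmcblk2p1 part /boot\nmmcblk2p2 part /\n",
    "sysctl": "kernel.kptr_restrict = 0\nkernel.dmesg_restrict = 1\n"
              "kernel.yama.ptrace_scope = 0\nfs.protected_symlinks = 1\n",
}

MAC_MODULES = {"selinux", "apparmor", "smack", "tomoyo"}
# Assumed baseline (not from the thread): minimum value per sysctl key.
SYSCTL_MIN = {"kernel.kptr_restrict": 1, "kernel.dmesg_restrict": 1,
              "kernel.yama.ptrace_scope": 1, "fs.protected_symlinks": 1,
              "fs.protected_hardlinks": 1}


def active_mac(lsm_text):
    """Return the MAC modules present in the kernel's active LSM list."""
    return sorted(MAC_MODULES & {m.strip() for m in lsm_text.split(",")})


def root_encrypted(lsblk_text):
    """True if '/' is a dm-crypt device in `lsblk -rno NAME,TYPE,MOUNTPOINT`."""
    for line in lsblk_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2] == "/":
            return fields[1] == "crypt"
    return False


def weak_sysctls(sysctl_text):
    """Return {key: value} for baseline keys that are missing or too low."""
    seen = {}
    for line in sysctl_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and value.strip().lstrip("-").isdigit():
            seen[key.strip()] = int(value)
    return {k: seen.get(k) for k, low in SYSCTL_MIN.items()
            if seen.get(k) is None or seen[k] < low}


def world_writable(top):
    """Regular files under `top` that any user may write ('chmod 777' case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for path in (os.path.join(dirpath, name) for name in files):
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def audit(snap):
    """Map each layer from the post to a finding for one snapshot."""
    return {"mac": active_mac(snap["lsm"]),
            "encrypted_root": root_encrypted(snap["lsblk"]),
            "weak_sysctls": weak_sysctls(snap["sysctl"])}


if __name__ == "__main__":
    print(audit(SAMPLE), world_writable("/etc"))
```

To audit a real device, fill the snapshot from `/sys/kernel/security/lsm`, `lsblk -rno NAME,TYPE,MOUNTPOINT` and `sysctl -a` instead of the constructed sample.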
12-10-2020, 06:41 AM
(This post was last modified: 12-10-2020, 07:04 AM by ryo.)
(12-10-2020, 04:06 AM)displacefish Wrote: (12-10-2020, 03:47 AM)ryo Wrote: Do you even need app isolation if you're already careful?
Do you even need app isolation if you know how to avoid malware?
Defense in depth dictates that you shouldn't trust any measure to be infallible. Maybe tomorrow your nice secure chat app (Signal, Matrix, Jami, anything you like) has a vulnerability discovered and an attacker is able to execute remote code just by sending a message; no matter how much common sense you used, you are then at risk.
In practice, the risk is definitely tiny, and it may be true that in general you really don't need it, provided you don't believe you will be the victim of targeted attacks. But I wouldn't state that as an objective answer.
Mind you, I'm using 2 chat apps (3 if you count the Jabber server at work), neither of them are considered secure.
They're both closed source even.
But because of that, I keep the risks in mind, and not simply assume that they will keep me safe.
That's why I said "A computer user is both the best anti virus and the worst exploit at the same time." immediately after these 2 sentences.
Speaking of Signal, thanks for pointing out a "secure chat app" that isn't actually secure at all.
Consider this, are you sure you want to trust an app recommended by 2 rather questionable individuals (one being the CEO of Twitter, and the other being a CIA agent who might probably not even be in Russia but in China instead, working closely with the CCP)?
For reference:
And:
Edit:
As for URLs to the last 2 screenshots:
https://wikileaks.org/ciav7p1/#PRESS
https://qalerts.pub/?n=4672
https://8kun.top/qresearch/res/10608751.html#10609489
No need to link to the first one, it's on the front page of Signal.
Edit 2:
The Wikileaks part is rather a breach in Android and iOS, not specifically the app.
But still a way too commonly ignored fact.
For Signal specific issues, consider @jack and ES.
My native language is Japanese, but I can also speak English (etc.)
Concerning the PureOS, you can find the discussion of security here: https://source.puri.sm/Librem5/community...roid-phone. The link is about Librem 5, but practically everything is the same for Mobian on Pinephone.
(12-10-2020, 06:41 AM)ryo Wrote: Mind you, I'm using 2 chat apps (3 if you count the Jabber server at work), neither of them are considered secure.
They're both closed source even.
But because of that, I keep the risks in mind, and not simply assume that they will keep me safe.
And therefore, the logical thing to do is employ techniques like app isolation.
My point is that being careful is great, and no security system can't be improved by using it carefully. The most hardened, airgapped system in the world can be defeated by a privileged human logging in and manually running malware with root access out of carelessness. However, the opposite is true as well: you can be as careful as you want, but there's always both the possibility of slipping up (we're all human after all), or that it turns out you weren't careful enough.
That's what defense in depth is. More layers of defense, rather than trusting any single one to be infallible. Being careful is a layer of defense like any other - a perfectly good one, but best used in complement with others.
Quote: Speaking of Signal, thanks for pointing out a "secure chat app" that isn't actually secure at all.
Consider this, are you sure you want to trust an app recommended by 2 rather questionable individuals (one being the CEO of Twitter, and the other being a CIA agent who might probably not even be in Russia but in China instead, working closely with the CCP)?
I mostly mentioned it because it's widely used and generally accepted to have good quality e2e encryption (unlike Telegram, Whatsapp, etc.). I myself mostly use Jami.
While I'm all for being paranoid, the fact is Signal is open source, and has received plenty of scrutiny. They're using established crypto protocols (Telegram, looking at you here) and no significant issues have come up yet. I've heard plenty of criticism about requiring a phone number to sign up, which was a privacy issue, but I believe that has been relaxed some time ago.
In the end, one thing is true: if all your acquaintances use Facebook Messenger, and you download The Perfect Secure Chat App, your conversations are all still gonna be as secure as Facebook Messenger. If Signal is what you can convince your family, friends, etc. to use, because things like Matrix or Jami aren't polished enough or suffer from issues due to their federated and p2p nature (respectively), then it's far, far better to talk to everyone over Signal, than to have all your favourite chat software installed but still talk to people over Whatsapp and the like because nobody else is using it.
(12-10-2020, 08:50 AM)displacefish Wrote: (12-10-2020, 06:41 AM)ryo Wrote: Mind you, I'm using 2 chat apps (3 if you count the Jabber server at work), neither of them are considered secure.
They're both closed source even.
But because of that, I keep the risks in mind, and not simply assume that they will keep me safe. And therefore, the logical thing to do is employ techniques like app isolation.
My point is that being careful is great, and no security system can't be improved by using it carefully. The most hardened, airgapped system in the world can be defeated by a privileged human logging in and manually running malware with root access out of carelessness. However, the opposite is true as well: you can be as careful as you want, but there's always both the possibility of slipping up (we're all human after all), or that it turns out you weren't careful enough.
That's what defense in depth is. More layers of defense, rather than trusting any single one to be infallible. Being careful is a layer of defense like any other - a perfectly good one, but best used in complement with others.
That's a very good point.
(12-10-2020, 08:50 AM)displacefish Wrote: While I'm all for being paranoid, the fact is Signal is open source, and has received plenty of scrutiny. They're using established crypto protocols (Telegram, looking at you here) and no significant issues have come up yet. I've heard plenty of criticism about requiring a phone number to sign up, which was a privacy issue, but I believe that has been relaxed some time ago.
In the end, one thing is true: if all your acquaintances use Facebook Messenger, and you download The Perfect Secure Chat App, your conversations are all still gonna be as secure as Facebook Messenger. If Signal is what you can convince your family, friends, etc. to use, because things like Matrix or Jami aren't polished enough or suffer from issues due to their federated and p2p nature (respectively), then it's far, far better to talk to everyone over Signal, than to have all your favourite chat software installed but still talk to people over Whatsapp and the like because nobody else is using it.
I don't necessarily consider myself paranoid, rather I question everything regardless of security.
Of course you can say "my app is fully open source, therefore you can see for yourself that no spyware is available" as much as you want, it takes 1 OTA update to sneak in spyware in a way (or even pre-install it) to completely destroy the entire point you made.
The most obvious example of that is Android.
Android is open source, private, secure, etc as long as Google remains entirely absent.
"I can't install anything, so I'll install the Play Store and login to my Gmail account" → privacy is gone.
My native language is Japanese, but I can also speak English (etc.)
@ ryo
Well, I wouldn't say the Android example is relevant here, because a) AOSP is a gigantic codebase and nobody has truly audited it, so it's natural to not trust it, while a simple app like Signal is tiny in comparison; and b) of course if you install proprietary components like gplay then everything is gone, but I don't see how that's relevant.
The possibility of malicious updates is there but just one such incident would ruin the reputation of Signal, so there would need to be some truly exceptional circumstances. It's also always possible to just build from source every time, if desired.
Anyway the pros and cons of Signal are probably not too relevant to a general discussion about hardening a pinephone.