12-10-2020, 04:06 AM
(This post was last modified: 12-10-2020, 04:07 AM by displacefish.)
Usually, there isn't that much fundamental difference between distros - probably the biggest defining factor is the package manager and its repositories. Most of the other differences come from the way the maintainers set it up, and generally, if there's some excellent security enhancement on one distro, there shouldn't be much stopping it from being added to another distro (or you setting it up yourself, even, if the maintainers refuse to do so).
Now, you ask which of the available ones is built with security/privacy in mind. While I haven't been keeping closely up to date with all of them, I think it's likely the case that right now, they're mostly built with getting features working properly in mind. There's still a not insignificant amount of work to do for things like getting the modem to reliably cooperate, improving power management, and generally improving user experience (better camera, porting more software to be mobile-ready, etc.)
However, some pointers if you want to either vet for, or set up yourself, secure systems:
- Sandboxing, as you mentioned. There are multiple sandboxing solutions. However, sandboxes are also hard to get right; a simple one might be very effective against a malicious program that doesn't take sandboxes into account, but as soon as it turns adversarial, it can be very hard to ensure a sandbox is secure against a program actively trying to escape it. Anyway, a sandbox is still usually better than no sandbox; a common solution is e.g. firejail. Both iOS and Android come with extensive sandboxing as part of their fundamental app architecture; on Pinephone this is harder because there are no "apps" with special properties; everything is just normal Linux software like you'd find on your computer, so it's much less straightforward to implement e.g. smartphone-like permission controls and such.
- Encryption. This is more for physical security (as in if your phone gets stolen), than security against malicious software. It's generally good practice to set up full disk encryption. You can go from a basic "password needed on boot" solution to really paranoid setups like Heads (though probably not on a pinephone, at least not easily). Support for encryption in installers is WIP for pinephone distributions (and this is one of those things that, once one of them gets it working, can be very easily added to the others); you might be able to set it up manually in the meantime, if you know what you're doing.
- Mandatory Access Controls (MAC), such as SELinux. If you're not familiar, this essentially involves defining a set of rules (policies) regarding what kinds of processes can access what kinds of resources. It stands in juxtaposition with Discretionary Access Controls, such as UNIX filesystem permissions, due to being much more fine-grained and forcing explicit permissions for different users, processes, or classes thereof, rather than letting you just "chmod 777" and having everyone be able to do anything. In turn, this allows file and resource access to be hardened much more effectively, up to being able to contain a malicious process and prevent it from effecting anything. However, due to being much more fine-grained, it is in turn a chore to set up. I am fairly certain it should be possible to do it yourself if you feel inclined, but I'm almost certain none of the distros ship with SELinux enabled, nor plan to enable it in the foreseeable future. For context, Android integrated SELinux a few years ago, but almost no desktop Linux distribution I know of enables it out of the box since the configuration must necessarily depend on individual usecases: Android works around this by having essentially a completely standardised userspace, with all "apps" running inside its ART environment rather than on the OS natively.
These are the biggest things that come to mind when I think of a "hardened Linux OS". Of course there's more, such as having a decent firewall set up, enabling kernel hardening features which might be disabled by default, and ensuring your system is up to date, but hopefully this gives you a decent idea of how greater security could be achieved on a Linux phone.
As for privacy, Ryo covered it pretty well already.
Defense in depth dictates that you shouldn't trust any measure to be infallible. Maybe tomorrow your nice secure chat app (Signal, Matrix, Jami, anything you like) has a vulnerability discovered and an attacker is able to execute remote code just by sending a message; no matter how much common sense you used, you are then at risk.
In practice, the risk is definitely tiny, and it may be true that in general you really don't need it, provided you don't believe you will be the victim of targeted attacks. But I wouldn't state that as an objective answer.
Now, you ask which of the available ones is built with security/privacy in mind. While I haven't been keeping closely up to date with all of them, I think it's likely the case that right now, they're mostly built with getting features working properly in mind. There's still a not insignificant amount of work to do for things like getting the modem to reliably cooperate, improving power management, and generally improving user experience (better camera, porting more software to be mobile-ready, etc.)
However, some pointers if you want to either vet for, or set up yourself, secure systems:
- Sandboxing, as you mentioned. There are multiple sandboxing solutions. However, sandboxes are also hard to get right; a simple one might be very effective against a malicious program that doesn't take sandboxes into account, but as soon as it turns adversarial, it can be very hard to ensure a sandbox is secure against a program actively trying to escape it. Anyway, a sandbox is still usually better than no sandbox; a common solution is e.g. firejail. Both iOS and Android come with extensive sandboxing as part of their fundamental app architecture; on Pinephone this is harder because there are no "apps" with special properties; everything is just normal Linux software like you'd find on your computer, so it's much less straightforward to implement e.g. smartphone-like permission controls and such.
- Encryption. This is more for physical security (as in if your phone gets stolen), than security against malicious software. It's generally good practice to set up full disk encryption. You can go from a basic "password needed on boot" solution to really paranoid setups like Heads (though probably not on a pinephone, at least not easily). Support for encryption in installers is WIP for pinephone distributions (and this is one of those things that, once one of them gets it working, can be very easily added to the others); you might be able to set it up manually in the meantime, if you know what you're doing.
- Mandatory Access Controls (MAC), such as SELinux. If you're not familiar, this essentially involves defining a set of rules (policies) regarding what kinds of processes can access what kinds of resources. It stands in juxtaposition with Discretionary Access Controls, such as UNIX filesystem permissions, due to being much more fine-grained and forcing explicit permissions for different users, processes, or classes thereof, rather than letting you just "chmod 777" and having everyone be able to do anything. In turn, this allows file and resource access to be hardened much more effectively, up to being able to contain a malicious process and prevent it from effecting anything. However, due to being much more fine-grained, it is in turn a chore to set up. I am fairly certain it should be possible to do it yourself if you feel inclined, but I'm almost certain none of the distros ship with SELinux enabled, nor plan to enable it in the foreseeable future. For context, Android integrated SELinux a few years ago, but almost no desktop Linux distribution I know of enables it out of the box since the configuration must necessarily depend on individual usecases: Android works around this by having essentially a completely standardised userspace, with all "apps" running inside its ART environment rather than on the OS natively.
These are the biggest things that come to mind when I think of a "hardened Linux OS". Of course there's more, such as having a decent firewall set up, enabling kernel hardening features which might be disabled by default, and ensuring your system is up to date, but hopefully this gives you a decent idea of how greater security could be achieved on a Linux phone.
As for privacy, Ryo covered it pretty well already.
(12-10-2020, 03:47 AM)ryo Wrote: Do you even need app isolation if you're already careful?
Do you even need app isolation if you know how to avoid malware?
Defense in depth dictates that you shouldn't trust any measure to be infallible. Maybe tomorrow your nice secure chat app (Signal, Matrix, Jami, anything you like) has a vulnerability discovered and an attacker is able to execute remote code just by sending a message; no matter how much common sense you used, you are then at risk.
In practice, the risk is definitely tiny, and it may be true that in general you really don't need it, provided you don't believe you will be the victim of targeted attacks. But I wouldn't state that as an objective answer.
