Apk security on Sailfish

Some background, I am modifying Android roms since forever and I have practically the setup which disallows the applications to send out any data. Degoogled etc. But I am really sick of android while on the other hand I have one application that I really need, for accessing the bank. It is using safetynet but this is not an issue as I am reversing and removing the checks on each version where upgrade is necessary.

I was just a click away from buying xperia 10 to run sailfish on it (I have Cosmo Communicator but I dont believe anything useful will come out of that, I could make my own rom without google and with microg but the selinux permissions and compiled selinux support into kernel is just too much hassle to go for it. On the other side, linux is not having a camera which again makes it useless) but that it gave me some thought as I am worried that what I have done to my existing rom far exceeds everything sailfish has to offer regarding blocking unauthorized access to the data from the android applications (which probably, at least to some part I will use, example would be firefox that only can access ssh tunnel on loopback, pointing to proxy at my server).

What support for limiting android application access to the internet/phone data/… sailfish is offering?

I know I am quite spoiled with XPrivacy Lua and NetGuard, but is it possible to install applications like xposed framework (XPrivacyLua module) or NetGuard (works as a VPN plugin into android, but it is a firewall applicaition), or you maybe provide similar functionality?

2 Likes

As SailfishOS is not Android-derived, I think you are not addressing SailfishOS, but the Alien-Dalvik Android runtime environment, which is available for SailfishOS when using a paid license.

Alien-Dalivik is basically an AOSP running in an LXC container with some “integration components” for letting run AOSP inside a container and on a “non-Android kernel”, plus filesystem integration, Intents integration, a shared clipboard etc.

Jolla uses many modern measures to confine the Android container: at LXC level, with cgroups, firewall rules, SElinux policies etc.
You may configure additional measures at all these levels, it is just a Linux machine and you are the administrator!

But why are you so concerned about confining Android apps to the max, if you only plan to use a single and trustworthy Android app?

4 Likes

Ah, ok, so it is just AOSP, fine, this should work than.

There is a hell of a lot of various things I don’t know about sailfish yet and I really don’t want to throw away 200 euros for Xperia 10 plus. For instance my common setup was ssh tunnel to my home server where (in jail) squid proxy is running under different routing table for vpn and doing mitming and removing all the garbage from the websites, while on android (and all my other hardware) browser was set up to use https proxy with ca cert imported for mitming.

I have no clue if this will work on sailfish browser directly, if about:config is supported etc. (importing ca certificate into browser, setting up browser proxy) and I want to have a backup plan (installing firefox nightly (official releases for android don’t support about:config yet) into alien-dalvik).

But than again, firefox does sometimes try to connect to internet directly (which is by some old issue a feature) so I also need a way to block it from accessing anything except loopback. And since I am in just end stages of developing a great replacement for squid regarding the performance and filtering capabilities (including injecting scripts into pages for fingerprint spoofing), I don’t want to get the device and sailfish to then figure out I would need some huge amount of work to modify it.

Never mind the long text… thank you very much for your answer :slight_smile:, you were very helpful.

2 Likes