Integrity of SFOS?

How is it made sure that the SFOS is integral, i.e. the system hasn’t been compromised in a sense of installed malware and worse?

Do you know any checks which assure this?

This depends on how you use your device. For example, if you only install software from the official Jolla Store, then while this doesn’t guarantee you won’t get malware, the restrictions are intended to help. For example there are checks aimed at preventing an app getting root and other privileges. As I say, it’s not a guarantee, but that’s the aim.

If you install software from other sources, such as OpenRepos, then all bets are off I’m afraid. As far as I’m aware there’s never been any malware on OpenRepos, but it’s up to the integrity of the individuals who upload software there to ensure this.

3 Likes

Using open source apps kind of guarantees that you will be ok.

You can’t.
The current state on current devices is totally not secure, because we have a phone with an unlocked bootloader and LUKS encryption with a password consisting of digits only.

1 Like

How about Alien Dalvik and installing .apk files? Where should the apks come from, in order to keep the risk minimal?

If somebody has reviewed the code of course

This means that the culprit should have physical access to the phone. I’m basically more concerned with remote spoofing.

1 Like

That’s a really good question. I’m no expert on Android stuff, but (following advice from people who are) my approach is to only use apps from the Aurora Store. I’m also comfortable downloading apks from the websites of companies I trust (e.g. my bank over an HTTPS connection). Similarly F-Droid, since it’s all open source, but that has similar characteristics to OpenRepos (i.e. you must trust the individual submitters).

The Aurora Store is a mirror of the Google Play Store, so it benefits from Google’s malware protections. This also doesn’t guarantee there’s no malware (in fact there’s plenty), but if you’re aiming to minimise risk, this has some merit. It does also absolutely require you to trust the Aurora team as well.

So it’s all very much a matter of trust, and so nothing guarantees you protection. This is how I try to minimise my risk, and I’m sure there’s plenty of other good advice out there, which I’d also be interested to hear. In fact I’d love to see a guide/wiki on Sailfish OS security good practice.

1 Like

Is there any way or possibility to lock the bootloader again after installing SFOS for protecting it against malware/virus attacks?

1 Like

The bootloader doesn’t protect you from that.

It only protects device and OS makers from consumer freedom.

4 Likes

As nephros said.

And:
no, there is no chance to lock the bootloader. As this can only be done for vendor trusted and signed images and that means Sony would have to sign every flashable image.

2 Likes

There are degrees of security. Edward Snowden for example would never use a smart phone. Even if you managed to secure the 4G, you’ve still got towers tracking your position.

There are machines which can strip all the core data off all but the latest iPhones and all Android phones within minutes, even when locked. Do they work on Sailfish phones? Probably not.

From what I read, there are no vulnerabilities in LUKS. If the machines were updated to deal with Sailfish, an 8 digit code (minimum on XA2) will protect your phone for 2-3 days.

But that’s only if encrypted. I believe a Sailfish phone was hacked into at one of the hacking conventions in an hour.

It still won’t decrypt without the PIN, afaik.

1 Like

Interesting that you should mention this, since there was a recent publication looking at just this (thanks to Fernando Lanero for highlighting it). There’s a time limited link to the full paper on one of the author’s LinkedIn feeds:

This is a little off-the-topic of malware though (still relevant in the broader context of security, so I hope you’ll forgive me).

7 Likes

Numeric pins are brute-forced on GPU in a matter of minutes/hours.
So if your phone gets stolen/imaged, current state encryption on SFOS is useless.
And even worse, it gives people a false sense of security.

Unfortunately, no access here. Could you summarise or send me a copy?

You can’t.
Also SFOS only runs as a slave OS on top of the closed baseband.
RAM is shared with the baseband. It has full access and full rights on your GSM device. Your SIM provider can install code without anyone taking notice. Since everything is integrated in the SoC nowadays, it could log your WiFi, BT, RAM… Everything. And it does.
Never use a GSM device for critical things. Not that we have alternatives though.

1 Like

If this is true, the default encryption of Sailfish leaves a lot to be desired.

Under the term “malware”, I personally also understand apps that lead to an undesired data leak without informing the user. It is correct that an app is checked in the Google Store, but trackers are allowed. Almost every app these days sends to any server, regardless of whether it is paid software or not. There is no obligation to state that an app contains trackers from Google, Facebook, Amazon (only the largest listed), etc., or that frameworks from data analysts are integrated. A look at the manifest file of an APK shows what is also included. You might think that apps are only offered to collect data. You no longer need a particularly secure operating system if you give away your data to someone in this way.

At F-Droid, apps are also checked to see whether they comply with the rules (FOSS) and whether they are doing something undesirable. Apps that are FOSS but connect to other networks to offer a service are marked. So everyone can decide. There is at least a bit of transparency and the source code is available.

You can never be sure at all. I think F-Droid is the lesser evil and the better choice. Incidentally, I find the notes on encryption above from SFOS very interesting.

What you say about trackers in Play store apps is of course true. But if you access the Play store via Aurora, the apps are labeled if they contain trackers, ads, and if they need GSF.
Does anybody know if this is reliable?

Sure, but people ignore warnings when they really want a popular app :wink:

Aurora uses parts from “ClassyShark3xodus” for the analysis, also downloadable from F-Droid.
Sometimes the standalone ClassyShark will find 1 or 2 more trackers than Aurora in one app. The version seems to be slightly different.

How it works:
ClassyShark analyzes the manifest file in the APK, compares the embedded foreign module list with a tracker list and shows the result. Hint: With the names and servers of the modules found, anyone can do their own research on the Internet and find out what exactly the module is doing.

New trackers are added or changed every day, so you can never really be sure that the result is always correct.

2 Likes

One method to verify what’s going on on a device is

rpm -Va

or

rpm -V <<packagename>>

which will use the RPM database to verify files on the system vs. what was contained in the original RPM package. It can be in certain cases used to detect tampering, but one must read the output wisely, as many files are okay to be different from the RPM checked version.

2 Likes
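
As an added example (not part of the post above and not Jolla tooling), this filter helps with reading `rpm -Va` output "wisely": it separates changes that are normally harmless, such as edited config files, from changes to packaged binaries and libraries that deserve a closer look. The REVIEW/NOTE/EXPECTED levels are this example's own heuristic, and the sample lines and paths are constructed.

```shell
#!/bin/sh
# Added example: sort `rpm -Va` lines into REVIEW / NOTE / EXPECTED.
# The three levels are this example's own heuristic, not an rpm feature.
# On a device: rpm -Va 2>/dev/null | triage_rpm_verify

triage_rpm_verify() {
    awk '
    {
        flags = $1; attr = ""
        # accept only "missing" or the 9-character verify string; skip other text
        ok = (flags == "missing") || (length(flags) == 9 && flags ~ /^[.?SM5DLUGTP]+$/)
        if (!ok || NF < 2) next
        # optional one-letter file type before the path:
        # c=config d=doc g=ghost l=license r=readme
        if ($0 ~ /^[^ ]+ +[cdglr] +\//) attr = $2
        path = $0
        sub(/^[^ ]+ +([cdglr] +)?/, "", path)   # keeps paths with spaces

        if (flags == "missing")
            level = (attr == "") ? "REVIEW" : "NOTE"
        else if (attr == "c" || attr == "g")
            # edited config content is normal; changed mode/owner/group is not
            level = (flags ~ /[MUG]/) ? "REVIEW" : "EXPECTED"
        else if (flags ~ /[S5MUGLDP]/)
            # size, digest, mode, owner, group, symlink, device, capabilities
            level = "REVIEW"
        else
            level = "NOTE"    # only mtime differs, or a test could not run
        print level, flags, path
    }'
}

# Constructed sample in rpm -V layout (flags, file type, path); paths are made up.
sample_rpm_va_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.M.....T.  c /etc/example/daemon.conf
S.5....T.    /usr/bin/example-tool
.......T.    /usr/lib/libexample.so.1
missing      /usr/sbin/example-helper
missing    d /usr/share/doc/example/README
EOF
}

sample_rpm_va_output | triage_rpm_verify
```

A REVIEW line is a prompt to check the owning package with `rpm -V <<packagename>>`, not proof of tampering. The RPM database lives on the same device, so a clean result only shows that files match that local database.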

Q: Is there a way to permanently remove/uninstall all this Android stuff (Android support) from the SFOS phone? and btw. save memory space and maybe gain speed or reduce processor load? I do not use any Android apps and don’t need the Android support. It’s always switched off, and for safety or to prevent starting it by error I would be happy if it was away forever.