Privacy and security of SailfishOS

In the next few weeks I intend to get a new phone. Currently, I am considering Sailfish OS on Sony Xperia 10 II or Graphene OS on Pixel 4a. Since I intend to use the phone as a sole daily driver, the device will need only to be stable, but also offer privacy and security. Therefore, I would like to hear a bit more about the security and privacy aspects of Sailfish OS. Since it may affect the responses, I will be forced to use ~5-7 android apps via Android VM if I opt for Sailfish OS.

1. Security.
   After reading about both projects, there seem to be several areas in which Graphene OS has an advantage over Sailfish OS:

• The bootloader on Selfish OS on Sony devices cannot be locked so a malicious manipulation of the OS itself becomes possible. I understand that it requires a physical access to the device or can it be done online?
• Graphene OS does harden not online android, but also the kernel. Does Sailfish also harden kernels in any way?
• From the information that I managed to find, it looks like Sailfish uses outdated libraries, such as Qt or SSL. On the other hand, Graphene is based on the latest Android version and supports specific devices only as long as Google provides firmware for them as outdated firmware is a security vulnerability on its own. I understand that Jolla can provide software for many years for the supported devices, but does Sony keep updating firmware as well?

While Graphene OS does seem to offer better security in the above areas, Sailfish OS is more likely to benefit from security via obscurity as the majority of malware will focus on Android devices. I would still imagine that to be the case even if Android VM is used to run Android apps on Sailfish to some extent. Is that correct? How big protection does sandboxing offer for Android based vulnerabilities?

2. Privacy.
   Due to a small number of users, I would expect that Sailfish OS is easier to fingerprint when browsing on the net as Graphene OS tries to appear as a standard Android device. The only connections that Graphene OS seems to be making to Google are for A-GPS. This seems to be a problem for all de-Googled Android based OSes. How does Sailfish OS do it as not an Android OS?
   I understand that Sailfish OS and the apps don’t have trackers. However what are the privacy protection measures for android apps that may have trackers? Are the Android apps sandboxed from each other so that they cannot see what other Android apps are installed or does it only prevent them from tracking what happens on the Sailfish OS part of the system?

While it may seem like I highlight Graphene OS advantages over Sailfish OS, the reason for it is that Graphene OS emphasizes its security and privacy strengths so it is easier to verify whether Sailfish has comparable measures. On the other hand, while Jolla’s website mentions Sailfish OS as secure and private, the exact strengths in these areas areas not spelled out clearly for non-developers. In fact as a former N9 user, I really would like to shift away from Android environment even if it is de-Googled. However, since I intend to use banking apps, read emails and have other sensitive data on a device, I want to be sure that the device is really secure and privacy respecting. If there are some other aspects on which Sailfish OS shines on these 2 dimensions that I did not think about, I would love to hear about it.

I think you’re pretty much on the mark with your comments, although Jolla is starting to take steps with improving security in Sailfish OS 4 with SailJail but it’s all very much in the early days. AFAIK at the moment only some Sailfish system apps are being sandboxed.

Like you said, you’d pick Sailfish for the security through obscurity (and for the steps you can take yourself because it’s just a Linux system) and because you want to support a mobile OS that is neither iOS nor Android.

Fingerprinting-wise I don’t think there’s much of a difference because they’re both so niche.

There is a very good article that talks about these security issues around mobile OS but it is in French:

I heard recently that iOS is making a big move towards privacy - you now are getting asked if you want to share - same with latest Sailfish OS.

You can not compare Sailfish OS with Android. You could try understand the philosophy and see if it fits your needs.

For me it is almost perfect, but I am technically skilled. I also bought Intex Aquafish in 2016 and my wife is using it on daily bases and she is not skilled at all.

There were many wining around that they miss this or that feature, this or that android app etc.

I think the best is to try it.

Regarding outdated libraries I disagree regarding SSL - which wouldbe critical. It might be in the past it was a problem, but recent version of Sailfish (4.0.1.48) has recent version of ssl

• openssl-libs-1.1.1h+git1-1.2.6.jolla.armv7hl (installed)

Qt5 libraries - again - some i***ts think Jolla is St. Nicolaus and they can order their beloved toy for Christmas. From what I see Jolla is speeding and catching up and I believe they prepare for Qt6, but I can not speak for them and also do not have time to follow the devs closely.
For me it is important that the phone works as a phone.
You can make a check list and evaluate

• SMS works,
• Firefox works
• Whatsapp and similar work.
• Syncrhonization of PIM works

these are my usecases

I suggest you get a cheaper phone, you flash the free version and get familiar. If you like it, you buy the license and install Alien Dalvik for Android apps or buy a newer phone and put the payed version on it.

I am also former N9 user. I had Android just for 3months, went back to N9 and moved to Sailfish then

regards

I also wanted to choose between Sailfish OS and a ‘secure’ Android but after I read the article (with link bellow), I was more in favor of Sailfish OS.

but, this article is from 2019 so the security might be better now.

Regarding Sailfish OS, I’ve not tried the paid version yet since first I wanted to know how well isolated the Android apps are. From the native apps, I can see that I cannot individually select what type of access I can allow. So, the settings work by allowing all access to everything or none access to anything. I just wonder if for Android apps, it follows the same way.

Honestly I do not remember or know. I use mainly HERE WeGo, Firefox and Signal and HERE I use in offline mode.
I hope someone else can help you. It depends on the type of user you are - for me it is almost perfect (I know I already said this, but it feels good when I repeat it)
As for the other OS - I do not have the time to evaluate and from what I have heard they are not better than Sailfish (except in the promises they make)
IMO Sailfish is excellent compromise between hardware cost, freedom and security. Regarding the security I guess it depends on you how you set up the phone, but do not forget what Snowden said: The most secure phone is without a speaker and a camera … so never say something on the phone, that you do not regret being heard by others.

Thanks for all the replies and bringing up various points to the discussion.

@aerique Cheers for pointing out Sailjail. After reading about it, I see that it is based on Firejail so it may be a good time to finally learn how to create your own profiles instead of counting only on the existing ones on Linux. I think that you are right that privacy-wise both options are comparable.

@Ehermellin That’s a great website! It worked like charm with a translator and I even went ahead and read few more articles from it. It’s also a bit depressing reading regarding the state of security of Linux in general. It’s really a shame that other (mobile) platforms are so much ahead in that department and worrisome that more work is not dedicated to improve the security of Linux. Not sure if it was in the original article which you linked to or another on that website, but it looks like that even when the inclusion of AppArmor, SELinux and Firejail solutions will be more widespread, it still won’t be on par with those other OSes. Sadly that would imply that in the foreseeable future, one may be better off with Graphene OS than Linux based solutions if security is the priority.

@deloptes Thanks for pointing out that openssl library has been updated as I read some other posts on the forum and got an impression that this and some other libraries on Sailfish OS are outdated, which as you said would have been critical so I am glad that the update solved it.
There are multiple aspects of SFOS that make it a much more appealing option for me than any Android-based OS. Just to name a few: the philosophy, being an alternative OS, community and especially the UX. After watching several videos of SFOS 4, I have no doubt that I would enjoy using it as a lot of things that I loved in N9 are still there. However, to make a conscious decision I am trying to gauge how much I would need to sacrifice on the security department. I agree that comparing SFOS as a whole and Android is not that productive, but I think that it is worthwhile to understand the security implications of choosing one over the other. From the article linked by @Ehermellin it does look like Linux based OSes are sadly much behind Graphene OS when it comes to security. That being said, I am a Linux user and I am not gonna change it as the other factors outweigh the drawbacks for a desktop.

I am familiar with /e/ OS. In fact, that is what runs on my phone right now. They have fixed those issues mentioned in the article. In general that OS is fine. I get a random reboot once a week and some sporadic error message. However, my phone is not officially supported anymore by them, which means that I am running a version compiled by someone from a community that hasn’t been updated recently. Moreover, since Samsung doesn’t support my device anymore, the firmware is getting more and more outdated and as the majority of exploits on Android happen on outdated components, I feel that it may be time to move on.

I could shift to a newer device supported by /e/ OS, but since it does not allow to lock the bootloader and doesn’t benefit from some security advantages of Android, I would rather move to Graphene OS (for security) or Sailfish OS (for UX).

I think that you ask a very important question: How good is the isolation of Android apps? Is it like running a VM with Windows on it and Windows applications, or is it more like Wine? As far as I am aware, Windows malware can cause hovac on Linux machine via an emulator such as Wine. It is much harder to escape a VM.

Also how long does Sony keep updating firmware for AOSP devices?

Maybe that’s interesting for you too. For me it is also important how often Jolla provides the Aliendalvik with security patches. After 30 years as a developer, the word “privacy” is just an empty phrase. It’s an honorable goal that hangs in the sky like a sausage and you don’t have a ladder It’s a myth like “Bigfoot”.

Regarding Sailfish native apps: The SailJails are just at there beginning, Jolla promised to improve this by 1) selectively allowing/denying permissions per app and 2) extending it to all Apps. idiom That’s all still up in the air.

Regarding Android apps: The Android layer uses the standard Android permission systems, so you can selectively select the permissions per app. (Settings > Apps > select the Android app you want to configure > Open Android settings > App Permissions).

I think as regular users, we could do some basic checks to test the privacy/security of several OSs, so we could have a discussion based on actual data.

For example, one quick check is to monitor the network traffic when a phone is idle and all apps that connects to internet are turned off. This can be done by setting a hotspot on a Laptop/Desktop and connecting it to internet with a wired connection. Then, the phone with a specific OS under testing can get internet from the hotspot of the laptop (of course, 4G off). After the setup is ready, the network traffic can be checked with tcpdump, over few hours, to see what is actually happening.

Sailfish OS is not completely FLOSS, so there are parts in the Software where nobody except Jolla knows what it does.

But i think you won’t build GrapheneOS yourself rather than just downloading an image ready to flash. So you don’t know whats in there either.

So it is basically a question of who you trust more rather than technical facts.

In the past, at the time of J1 and JC, this was already possible with the Nethogs app from Openrepos. Unfortunately, since Sailfish X the app doesn’t work that well anymore, but it still offers an insight into the data traffic.

That’s the key. Do you prefer a Google system or Sailfish OS? Can you trust a given Google system? Sailfish, on the other hand, needs Androidblobs to be able to communicate with the hardware.

In any case, the source of the apps used is decisive. Any system (like SFOS, LOS, Graphene OS, /e/ and others AOSP’s) could theoretically protect privacy well, but not if apps come from Google Play or other stores with advertising and trackers. Then why do you need a secure system? With apps like this, you blow your data home to many unknown recipients. F-Droid offers fair apps, but you won’t find any mainstream apps there.

Regardless, in 2021, privacy is an illusion. You have to trust a promise.

You can build AOSP yourself, directly from source.android.com (pretty easily). If you do so, you checkout the source from GIT and built a system where you could at least have checked the source (most likely its clean as houndrets of people are working on the source code and constantly check it. But there is no guarantee)

You then have an 100% FLOSS AOSP (to make it run you need additional drivers, but thats no real issue as you use an FLOSS Kernel you know to run the drivers and so you have control over them. Non of the binary blobs bypasses the Kernel).

The Next step would be to use F-Droid as App Store and even when you use Aurora to install PlayStore Apps, the Aurora Store shows you Trackers and those Apps run on an FLOSS System you built yourself.

You still can’t be 100% sure but as you lack the GSF on a self built AOSP, the chance of getting Data sent to Google is extremely small.

So in my personal opinion (i am sure someone sees that different), if you say that you need the most protection of your privat data that you can get, you have to build AOSP yourself from source. Then you only have to care about that your apps won’t go apeshit and if your carefully select your apps and/or use FLOSS Apps mostly, that risk is tiny.

Well, I see privacy not as something that can ever be considered totally absolute in any practical manner. As with many other things it exists on a gradient where the best thing we can do is pick the shade we’re the most comfortable with.

Maybe the relative obscurity of Sailfish OS will keep us safe for a little bit longer

I have several Android apps installed on my SFOS phone (the only one I do invoke on a regular basis is the browser, though, so I’m probably not a good example of a typical user) but keep AD switched off 90% of the time and keep it running only while completing the task I need the Android app for.
This is something I really like about SFOS - I can use Android apps when I feel the need to but don’t have to deal with that ugly UI most of the time

@anon29340114:
As already noted by the others here, I think it would be helpful to you to think about your threat model, i.e., which trust assumptions you are willing to make.

I hope the following helps with that.

So who do you trust (to write software which is not acting against you)?
Sony? Jolla? Some random AOSP developer? Some random community people compiling and hosting stuff? Some random Android-App dev? Some random SFOS-App dev?

Define this set of people, and then go on to draw conclusions.

Example: If you trust Jolla, then you trust that their SailJail is properly implemented. Butat the same time you also trust Jolla that all their apps (which happen to be the only ones constrained by SailJail as of right now) are okay.
As of now, the existence or not of something like Sailjail is therefore irrelevant for your decision regarding SFOS (of course this changes as soon as SailJail is used to restrict all apps).

Now, let’s say that you trust, in addition to Jolla, some external app developers of a messaging application to properly protect your messages to your friends.
This means that all security measures which apply to this app are not important any more, because you already trust this app in the first place. If you now say that you still want to have security measures in place, this means that you (don’t have)/(have only restricted) trust in these app developers.
Which in turn raises the question why you still trust them to keep you messages private.

Note that partial trust is tricky: Why would you trust someone to keep your messages private but not trusting this person with accessing files you might send via this app one day?
Of course I’m a bit exaggerating here, and restricting an IM app to IM-related stuff is a good thing, but this should help you to get an idea of how much trust and reduced functionality you want to accept.

This IM app is just an example, it also works for banking, browsers or any other app.

The bad thing is:
I would predict that you either end up trusting very many people or have a phone which can do nothing, not even consuming electricity

One solution could be to simply not store any super critical data on a phone in general.
There are issues with the hardware and, for example, full disk encryption (against physical theft) is worse on devices without a physical keyboard than on devices with one:

You don’t (want to) enter your 20+ character passphrase each time you unlock your phone, don’t you?
Your phone passphrase is even shorter than the one on your computer, isn’t it ?

(sorry for the wall of text, this became longer than anticipated)

Considering: https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/?sh=642869635da0

Where we are speaking of a company with a very deep war chest, I think it’s safe to say, it’s all a crap shoot if you don’t know what your doing. And also if you do.

For instance. I run linux vserver (a set of kernel patches, cgroups like, predating cgroups) which is a form of para-virtualization. Now, this is ‘outmoded’ and few use it these days.

Well, turns out it’s sometimes advantageous to not go with latest greatest. Linux Vserver containers (not the kernel itself) are immune to Spectre and Meltdown. The two most serious kernel vulnerabilties introduced by HARDWARE! in, well, for ever.

Long story short. All the latest greatest software (even older stuff, kvm, xen, etc) is toast. Vulnerable. Unless to you patch the kernel, suspend a bunch of cpu features, etc. You take a 20% performance hit.

I don’t. i don’t patch my kernels. My virtuals are not vulnerable. blah, blah, blah.

So why the long post. Well, I know very, very few, ever seasoned, admins who are aware of this. It’s obscure knowledge.

And on the othe rhand, one of the richest companies on the planet (Kalifornia, ueber alles, ueber alles Kalifnornia!) can’t do security audits.

My very quick look at the security aspects of SFOS left me secure in the knowledge that I CAN inspect it. My apple developer license is lapsed. I doubt I can get a really good look at the internals.

And apple is the only alternative, until the bugs are out of Ubuntu Touchl, Plasma and co. Except maybe Librem. Librem might be a recomend. I haven’t had the time to look but it’s probably a step up from SFOS. I’m saving up my Kopecs.

But I’ll still develop for SFOS. I guess I’m just an old Nokia Fan Boy (I was an apple fan boy. I am a Commodore/Amiga fan boy).

Oh jah. Graphene. Hard, we are. Ah ah. The only recomended devices are from a company called google.
Pixel 5 (redfin)
Pixel 4a (5G) (bramble)
Pixel 4a (sunfish)
That does not install confidence in me.

Using the buzzword DNSSEC (and then describing it incorrectly) on you PR page is not secure. It’s just talk.

Sorry for the rant. I spent most of my day doing … security updates on servers.

@4carlos, @Vamp898 the trust is the key here, but doing some basic testing helps to have some evince in which the trust is based on.

@4carlos, for network traffic testing no apps on the phone are needed. Just a linux computer with a wireless card. Actually, it’s better not to use something running on the device under testing

@Vamp898 AOSP is 100% FLOSS, but even if you could compile AOSP following the instructions from open devices, it will not pass a simple network testing without noticing how many times it is connecting to external IP addresses

…