Privacy and security of SailfishOS

I also wanted to choose between Sailfish OS and a ‘secure’ Android but after I read the article (with link below), I was more in favor of Sailfish OS.

But this article is from 2019, so the security might be better now.

Regarding Sailfish OS, I’ve not tried the paid version yet since first I wanted to know how well isolated the Android apps are. From the native apps, I can see that I cannot individually select what type of access I can allow. So, the settings work by allowing all access to everything or no access to anything. I just wonder if for Android apps, it follows the same way.

1 Like

Honestly I do not remember or know. I use mainly HERE WeGo, Firefox and Signal and HERE I use in offline mode.
I hope someone else can help you. It depends on the type of user you are - for me it is almost perfect (I know I already said this, but it feels good when I repeat it)
As for the other OS - I do not have the time to evaluate and from what I have heard they are not better than Sailfish (except in the promises they make)
IMO Sailfish is an excellent compromise between hardware cost, freedom and security. Regarding the security I guess it depends on you how you set up the phone, but do not forget what Snowden said: The most secure phone is without a speaker and a camera … so never say something on the phone that you would regret being heard by others.

1 Like

Thanks for all the replies and bringing up various points to the discussion.

@aerique Cheers for pointing out Sailjail. After reading about it, I see that it is based on Firejail so it may be a good time to finally learn how to create your own profiles instead of counting only on the existing ones on Linux. I think that you are right that privacy-wise both options are comparable.

@Ehermellin That’s a great website! It worked like a charm with a translator and I even went ahead and read a few more articles from it. It’s also a bit depressing reading regarding the state of security of Linux in general. It’s really a shame that other (mobile) platforms are so much ahead in that department and worrisome that more work is not dedicated to improving the security of Linux. Not sure if it was in the original article which you linked to or another on that website, but it looks like even when the inclusion of AppArmor, SELinux and Firejail solutions is more widespread, it still won’t be on par with those other OSes. Sadly that would imply that in the foreseeable future, one may be better off with Graphene OS than Linux based solutions if security is the priority.

1 Like

@deloptes Thanks for pointing out that openssl library has been updated as I read some other posts on the forum and got an impression that this and some other libraries on Sailfish OS are outdated, which as you said would have been critical so I am glad that the update solved it.
There are multiple aspects of SFOS that make it a much more appealing option for me than any Android-based OS. Just to name a few: the philosophy, being an alternative OS, community and especially the UX. After watching several videos of SFOS 4, I have no doubt that I would enjoy using it as a lot of things that I loved in N9 are still there. However, to make a conscious decision I am trying to gauge how much I would need to sacrifice on the security department. I agree that comparing SFOS as a whole and Android is not that productive, but I think that it is worthwhile to understand the security implications of choosing one over the other. From the article linked by @Ehermellin it does look like Linux based OSes are sadly much behind Graphene OS when it comes to security. That being said, I am a Linux user and I am not gonna change it as the other factors outweigh the drawbacks for a desktop.

1 Like

I am familiar with /e/ OS. In fact, that is what runs on my phone right now. They have fixed those issues mentioned in the article. In general that OS is fine. I get a random reboot once a week and some sporadic error message. However, my phone is not officially supported anymore by them, which means that I am running a version compiled by someone from a community that hasn’t been updated recently. Moreover, since Samsung doesn’t support my device anymore, the firmware is getting more and more outdated and as the majority of exploits on Android happen on outdated components, I feel that it may be time to move on.

I could shift to a newer device supported by /e/ OS, but since it does not allow to lock the bootloader and doesn’t benefit from some security advantages of Android, I would rather move to Graphene OS (for security) or Sailfish OS (for UX).

I think that you ask a very important question: How good is the isolation of Android apps? Is it like running a VM with Windows on it and Windows applications, or is it more like Wine? As far as I am aware, Windows malware can cause havoc on a Linux machine via an emulator such as Wine. It is much harder to escape a VM.

Also how long does Sony keep updating firmware for AOSP devices?

1 Like

Maybe that’s interesting for you too. For me it is also important how often Jolla provides the Aliendalvik with security patches. After 30 years as a developer, the word “privacy” is just an empty phrase. It’s an honorable goal that hangs in the sky like a sausage and you don’t have a ladder :wink: It’s a myth like “Bigfoot”.

6 Likes

Regarding Sailfish native apps: The SailJails are just at their beginning, Jolla promised to improve this by 1) selectively allowing/denying permissions per app and 2) extending it to all apps. That’s all still up in the air.

Regarding Android apps: The Android layer uses the standard Android permission systems, so you can selectively select the permissions per app. (Settings > Apps > select the Android app you want to configure > Open Android settings > App Permissions).

1 Like

I think as regular users, we could do some basic checks to test the privacy/security of several OSs, so we could have a discussion based on actual data.

For example, one quick check is to monitor the network traffic when a phone is idle and all apps that connect to the internet are turned off. This can be done by setting up a hotspot on a laptop/desktop and connecting it to the internet with a wired connection. Then, the phone with a specific OS under testing can get internet from the hotspot of the laptop (of course, 4G off). After the setup is ready, the network traffic can be checked with tcpdump, over a few hours, to see what is actually happening.
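The capture itself is done with tcpdump on the laptop; what you then need is a way to reduce a few hours of output to "which hosts did the phone talk to, and what names did it look up". The script below is an added example (not code from the original post or from any of the OSes discussed): it parses `tcpdump -n` text output and lists outbound connections from the phone, separating hotspot-local and multicast noise from external destinations. The capture lines, the phone address 192.168.12.5 and the hotspot subnet 192.168.12.0/24 are constructed assumptions for illustration.

```python
"""Summarise an idle-traffic capture: which hosts does the phone contact
when nothing should be talking?  Parses `tcpdump -n` text; it does not
capture packets itself."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of `tcpdump -n -i wlan0 -l` text output (not a real capture).
# Assumption: the phone is 192.168.12.5 on the laptop's hotspot subnet.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 192.168.12.5.43210 > 192.168.12.1.53: 12345+ A? example-telemetry.test. (38)
12:00:01.120000 IP 192.168.12.1.53 > 192.168.12.5.43210: 12345 1/0/0 A 203.0.113.10 (54)
12:00:01.200000 IP 192.168.12.5.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.250000 IP 203.0.113.10.443 > 192.168.12.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:05.000000 IP 192.168.12.5.51001 > 203.0.113.10.443: Flags [S], seq 3, win 64240, length 0
12:00:07.000000 IP 192.168.12.5.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
12:00:09.000000 IP 192.168.12.5.40000 > 198.51.100.7.123: NTPv4, Client, length 48
12:00:09.100000 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
"""

PHONE_IP = "192.168.12.5"                  # assumed address of the device under test
HOTSPOT_NET = ip_network("192.168.12.0/24")  # assumed hotspot subnet

# "<time> IP <src>.<port> > <dst>.<port>: <rest>"; IPv6 lines say "IP6".
# The destination is matched greedily up to the first ": " so IPv6 colons survive.
LINE_RE = re.compile(r"^(\S+) IP6? (\S+) > (\S+): (.*)$")
# Query name in a tcpdump DNS summary, e.g. "12345+ A? example.test. (38)"
DNS_QUERY_RE = re.compile(r"\b(?:A|AAAA|HTTPS)\? (\S+)\.")


def split_endpoint(endpoint):
    """'203.0.113.10.443' -> ('203.0.113.10', 443). With -n, tcpdump puts a
    dot between host and port for both IPv4 and IPv6."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict for one packet summary line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    try:
        src_host, src_port = split_endpoint(src)
        dst_host, dst_port = split_endpoint(dst)
        ip_address(src_host), ip_address(dst_host)  # reject non-address endpoints
    except ValueError:
        return None
    return {"ts": ts, "src": src_host, "sport": src_port,
            "dst": dst_host, "dport": dst_port, "rest": rest}


def is_local(host, hotspot_net):
    """Hotspot-subnet, multicast, link-local and loopback traffic is 'local';
    everything else left the laptop towards the internet.  Deliberately not
    `is_global`, which treats documentation ranges as non-global."""
    addr = ip_address(host)
    if addr.version == hotspot_net.version and addr in hotspot_net:
        return True
    return addr.is_multicast or addr.is_link_local or addr.is_loopback


def summarize(capture_text, phone_ip=PHONE_IP, hotspot_net=HOTSPOT_NET):
    """Count outbound (dst, port) pairs from the phone and the DNS names it asked for."""
    external, local, dns_queries = Counter(), Counter(), Counter()
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["src"] != phone_ip:
            continue  # only packets sent by the device under test
        key = (pkt["dst"], pkt["dport"])
        if is_local(pkt["dst"], hotspot_net):
            local[key] += 1
            q = DNS_QUERY_RE.search(pkt["rest"])
            if pkt["dport"] == 53 and q:
                dns_queries[q.group(1)] += 1  # name lookups via the hotspot resolver
        else:
            external[key] += 1
    return {"external": external, "local": local, "dns_queries": dns_queries}


if __name__ == "__main__":
    report = summarize(SAMPLE_CAPTURE)
    print("external destinations (dst, port) -> packets:")
    for (dst, port), n in report["external"].most_common():
        print(f"  {dst}:{port}  {n}")
    print("DNS names queried:", dict(report["dns_queries"]))
```

On the laptop, `sudo tcpdump -n -i wlan0 -l > idle.txt` (with wlan0 being the hotspot interface) produces text in this shape; feed the file to `summarize()` and look at the external list and the queried names. Anything that shows up while the phone is supposedly idle with all networked apps closed is what the check is after; the DNS names are usually the quickest way to tell an update check from a telemetry endpoint.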

Sailfish OS is not completely FLOSS, so there are parts in the Software where nobody except Jolla knows what it does.

But I think you won’t build GrapheneOS yourself rather than just downloading an image ready to flash. So you don’t know what’s in there either.

So it is basically a question of who you trust more rather than technical facts.

2 Likes

In the past, at the time of J1 and JC, this was already possible with the Nethogs app from Openrepos. Unfortunately, since Sailfish X the app doesn’t work that well anymore, but it still offers an insight into the data traffic.

That’s the key. Do you prefer a Google system or Sailfish OS? Can you trust a given Google system? Sailfish, on the other hand, needs Androidblobs to be able to communicate with the hardware.

In any case, the source of the apps used is decisive. Any system (like SFOS, LOS, Graphene OS, /e/ and others AOSP’s) could theoretically protect privacy well, but not if apps come from Google Play or other stores with advertising and trackers. Then why do you need a secure system? With apps like this, you blow your data home to many unknown recipients. F-Droid offers fair apps, but you won’t find any mainstream apps there.

Regardless, in 2021, privacy is an illusion. You have to trust a promise.

1 Like

You can build AOSP yourself, directly from source.android.com (pretty easily). If you do so, you check out the source from Git and build a system where you could at least have checked the source (most likely it’s clean as hundreds of people are working on the source code and constantly check it. But there is no guarantee)

You then have a 100% FLOSS AOSP (to make it run you need additional drivers, but that’s no real issue as you use a FLOSS kernel you know to run the drivers and so you have control over them. None of the binary blobs bypasses the kernel).

The next step would be to use F-Droid as app store and even when you use Aurora to install Play Store apps, the Aurora Store shows you trackers and those apps run on a FLOSS system you built yourself.

You still can’t be 100% sure but as you lack the GSF on a self built AOSP, the chance of getting Data sent to Google is extremely small.

So in my personal opinion (I am sure someone sees that differently), if you say that you need the most protection of your private data that you can get, you have to build AOSP yourself from source. Then you only have to care that your apps won’t go apeshit and if you carefully select your apps and/or use FLOSS apps mostly, that risk is tiny.

1 Like

Well, I see privacy not as something that can ever be considered totally absolute in any practical manner. As with many other things it exists on a gradient where the best thing we can do is pick the shade we’re the most comfortable with.

Maybe the relative obscurity of Sailfish OS will keep us safe for a little bit longer :grinning:

I have several Android apps installed on my SFOS phone (the only one I do invoke on a regular basis is the browser, though, so I’m probably not a good example of a typical user) but keep AD switched off 90% of the time and keep it running only while completing the task I need the Android app for.
This is something I really like about SFOS - I can use Android apps when I feel the need to but don’t have to deal with that ugly UI most of the time :smile:

7 Likes

@anon29340114:
As already noted by the others here, I think it would be helpful to you to think about your threat model, i.e., which trust assumptions you are willing to make.

I hope the following helps with that.

So who do you trust (to write software which is not acting against you)?
Sony? Jolla? Some random AOSP developer? Some random community people compiling and hosting stuff? Some random Android-App dev? Some random SFOS-App dev?

Define this set of people, and then go on to draw conclusions.

Example: If you trust Jolla, then you trust that their SailJail is properly implemented. But at the same time you also trust Jolla that all their apps (which happen to be the only ones constrained by SailJail as of right now) are okay.
As of now, the existence or not of something like Sailjail is therefore irrelevant for your decision regarding SFOS (of course this changes as soon as SailJail is used to restrict all apps).

Now, let’s say that you trust, in addition to Jolla, some external app developers of a messaging application to properly protect your messages to your friends.
This means that all security measures which apply to this app are not important any more, because you already trust this app in the first place. If you now say that you still want to have security measures in place, this means that you (don’t have)/(have only restricted) trust in these app developers.
Which in turn raises the question why you still trust them to keep your messages private.

Note that partial trust is tricky: Why would you trust someone to keep your messages private but not trust this person with accessing files you might send via this app one day?
Of course I’m exaggerating a bit here, and restricting an IM app to IM-related stuff is a good thing, but this should help you to get an idea of how much trust and reduced functionality you want to accept.

This IM app is just an example, it also works for banking, browsers or any other app.

The bad thing is:
I would predict that you either end up trusting very many people or have a phone which can do nothing, not even consuming electricity :stuck_out_tongue_winking_eye:

One solution could be to simply not store any super critical data on a phone in general.
There are issues with the hardware and, for example, full disk encryption (against physical theft) is worse on devices without a physical keyboard than on devices with one:

You don’t (want to) enter your 20+ character passphrase each time you unlock your phone, do you?
Your phone passphrase is even shorter than the one on your computer, isn’t it?

(sorry for the wall of text, this became longer than anticipated)

4 Likes

Considering: https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/?sh=642869635da0

Where we are speaking of a company with a very deep war chest, I think it’s safe to say it’s all a crap shoot if you don’t know what you’re doing. And also if you do.

For instance. I run linux vserver (a set of kernel patches, cgroups like, predating cgroups) which is a form of para-virtualization. Now, this is ‘outmoded’ and few use it these days.

Well, turns out it’s sometimes advantageous to not go with latest greatest. Linux Vserver containers (not the kernel itself) are immune to Spectre and Meltdown. The two most serious kernel vulnerabilities introduced by HARDWARE! in, well, for ever.

Long story short. All the latest greatest software (even older stuff, kvm, xen, etc) is toast. Vulnerable. Unless you patch the kernel, suspend a bunch of cpu features, etc. You take a 20% performance hit.

I don’t. i don’t patch my kernels. My virtuals are not vulnerable. blah, blah, blah.

So why the long post. Well, I know very, very few, ever seasoned, admins who are aware of this. It’s obscure knowledge.

And on the other hand, one of the richest companies on the planet (Kalifornia, ueber alles, ueber alles Kalifornia!) can’t do security audits.

My very quick look at the security aspects of SFOS left me secure in the knowledge that I CAN inspect it. My apple developer license is lapsed. I doubt I can get a really good look at the internals.

And apple is the only alternative, until the bugs are out of Ubuntu Touch, Plasma and co. Except maybe Librem. Librem might be a recommend. I haven’t had the time to look but it’s probably a step up from SFOS. I’m saving up my Kopecs.

But I’ll still develop for SFOS. I guess I’m just an old Nokia Fan Boy (I was an apple fan boy. I am a Commodore/Amiga fan boy).

Oh jah. Graphene. Hard, we are. Ah ah. The only recommended devices are from a company called google.
Pixel 5 (redfin)
Pixel 4a (5G) (bramble)
Pixel 4a (sunfish)
That does not instill confidence in me.

Using the buzzword DNSSEC (and then describing it incorrectly) on your PR page is not secure. It’s just talk.

Sorry for the rant. I spent most of my day doing … security updates on servers.

1 Like

@4carlos, @Vamp898 the trust is the key here, but doing some basic testing helps to have some evidence on which the trust is based.

@4carlos, for network traffic testing no apps on the phone are needed. Just a Linux computer with a wireless card. Actually, it’s better not to use something running on the device under testing.

@Vamp898 AOSP is 100% FLOSS, but even if you could compile AOSP following the instructions from open devices, it will not pass a simple network test without noticing how many times it is connecting to external IP addresses.


:+1:

2 Likes

@Vamp898

This is also my recommended way and the only correct way to minimize the risk of data leaking from my phone. So you have to trust the developers of an OS. However, this also means achieving very little comfort because many “useful” apps cannot be used.

Unfortunately, that’s only a small part that I can control. To be even more secure, I would have to forego visiting the Internet. Search engines, internet forums, social networks, internet shops, companies are all waiting for me there. A transfer via PayPal, for example, is shared with 600 companies that you do not know, have never seen and will never see (https://netzpolitik.org/2018/visualisiert-mit-diesen-600-firmen-teilt-paypal -your data/#). Every website with the Facebook link tracks you whether you are a member or not. Big data then allows the anonymous data records to be assigned to an existing person. Try to turn off all access (advertising, cookies, super cookies, trackers, pixel traps and so on) and you can barely use internet sites. It takes a very long time for an interested user to want to protect himself against everything. You can never reach 100%. And you can never achieve that all data records that are circulating about you on the Internet are actually effectively protected by (e.g.) companies, insurance companies, banks. You can only hope that employees at all companies think like you and do the best they can. The reality looks different.

Linking the Internet to a phone eliminates privacy. The modern internet is there to make money. Hundreds of thousands of developers are looking for ways to get your data. Because the web has no real product to offer, it takes your data and sells it. Convenience comes at a high price and consequently the internet has to be seen as a honeypot.

If you are concerned with the security of a phone, you also have to keep an eye on the usage and not just a handset. It’s just a small link in the chain.

That’s what I mean and thank you for your patience with my philosophical reflections :wink:

4 Likes

For sure. I only mentioned nethogs as a way to see if a process is exchanging data with the internet. This is not a perfect solution and is only enough for a rough overview.

That’s my shop (netzpolitik.org) :slight_smile: Needless to say, security themes occupy too much of my time.

I had overlooked, in my rant, that the pine gang made a decision: Manjaro with Plasma Mobile OS build. Given the community and company time involved in going through multiple iterations of different distributions and desktops, I’d guess the pinephone way may be the future?

I just didn’t like the hardware specs and had a Jolla phone and built (privately) some apps for SFOS. So given my level of involvement in security stuff I felt good about SFOS. But I’m certain getting involved with any of the ‘pure’ linux phone communities would be a good place to find the security concerned and informed people.

As for hardening your own device, well it’s a bit of a problem when the browsers take 20 years! to do the obvious, like making the cookie jar jailed. Why in the world wasn’t ‘private browsing’ standard long ago? I’ve hacked my FF for years because of that nonsense.

While I generally trust Jolla, I must say that their ties with some obscure Russian company developing part of the OS are worrisome in this respect.