Privacy and security of SailfishOS

Maybe that’s interesting for you too. For me it is also important how often Jolla provides the Aliendalvik with security patches. After 30 years as a developer, the word “privacy” is just an empty phrase. It’s an honorable goal that hangs in the sky like a sausage and you don’t have a ladder :wink: It’s a myth like “Bigfoot”.

6 Likes

Regarding Sailfish native apps: The SailJails are just at their beginning, Jolla promised to improve this by 1) selectively allowing/denying permissions per app and 2) extending it to all apps. That’s all still up in the air.

Regarding Android apps: The Android layer uses the standard Android permission systems, so you can selectively select the permissions per app. (Settings > Apps > select the Android app you want to configure > Open Android settings > App Permissions).

1 Like

I think as regular users, we could do some basic checks to test the privacy/security of several OSs, so we could have a discussion based on actual data.

For example, one quick check is to monitor the network traffic when a phone is idle and all apps that connect to the internet are turned off. This can be done by setting up a hotspot on a laptop/desktop and connecting it to the internet with a wired connection. Then, the phone with a specific OS under testing can get internet from the hotspot of the laptop (of course, 4G off). After the setup is ready, the network traffic can be checked with tcpdump, over a few hours, to see what is actually happening.

Sailfish OS is not completely FLOSS, so there are parts in the Software where nobody except Jolla knows what it does.

But I think you won’t build GrapheneOS yourself rather than just downloading an image ready to flash. So you don’t know what’s in there either.

So it is basically a question of who you trust more rather than technical facts.

2 Likes

In the past, at the time of J1 and JC, this was already possible with the Nethogs app from Openrepos. Unfortunately, since Sailfish X the app doesn’t work that well anymore, but it still offers an insight into the data traffic.

That’s the key. Do you prefer a Google system or Sailfish OS? Can you trust a given Google system? Sailfish, on the other hand, needs Android blobs to be able to communicate with the hardware.

In any case, the source of the apps used is decisive. Any system (like SFOS, LOS, Graphene OS, /e/ and other AOSPs) could theoretically protect privacy well, but not if apps come from Google Play or other stores with advertising and trackers. Then why do you need a secure system? With apps like this, you blow your data home to many unknown recipients. F-Droid offers fair apps, but you won’t find any mainstream apps there.

Regardless, in 2021, privacy is an illusion. You have to trust a promise.

You can build AOSP yourself, directly from source.android.com (pretty easily). If you do so, you check out the source from Git and build a system where you could at least have checked the source (most likely it’s clean as hundreds of people are working on the source code and constantly check it. But there is no guarantee)

You then have a 100% FLOSS AOSP (to make it run you need additional drivers, but that’s no real issue as you use a FLOSS kernel you know to run the drivers and so you have control over them. None of the binary blobs bypasses the kernel).

The next step would be to use F-Droid as app store and even when you use Aurora to install Play Store apps, the Aurora Store shows you trackers and those apps run on a FLOSS system you built yourself.

You still can’t be 100% sure but as you lack the GSF on a self built AOSP, the chance of getting Data sent to Google is extremely small.

So in my personal opinion (I am sure someone sees that differently), if you say that you need the most protection of your private data that you can get, you have to build AOSP yourself from source. Then you only have to care that your apps won’t go apeshit and if you carefully select your apps and/or use FLOSS apps mostly, that risk is tiny.

1 Like

Well, I see privacy not as something that can ever be considered totally absolute in any practical manner. As with many other things it exists on a gradient where the best thing we can do is pick the shade we’re the most comfortable with.

Maybe the relative obscurity of Sailfish OS will keep us safe for a little bit longer :grinning:

I have several Android apps installed on my SFOS phone (the only one I do invoke on a regular basis is the browser, though, so I’m probably not a good example of a typical user) but keep AD switched off 90% of the time and keep it running only while completing the task I need the Android app for.
This is something I really like about SFOS - I can use Android apps when I feel the need to but don’t have to deal with that ugly UI most of the time :smile:

7 Likes

@anon29340114:
As already noted by the others here, I think it would be helpful to you to think about your threat model, i.e., which trust assumptions you are willing to make.

I hope the following helps with that.

So who do you trust (to write software which is not acting against you)?
Sony? Jolla? Some random AOSP developer? Some random community people compiling and hosting stuff? Some random Android-App dev? Some random SFOS-App dev?

Define this set of people, and then go on to draw conclusions.

Example: If you trust Jolla, then you trust that their SailJail is properly implemented. But at the same time you also trust Jolla that all their apps (which happen to be the only ones constrained by SailJail as of right now) are okay.
As of now, the existence or not of something like Sailjail is therefore irrelevant for your decision regarding SFOS (of course this changes as soon as SailJail is used to restrict all apps).

Now, let’s say that you trust, in addition to Jolla, some external app developers of a messaging application to properly protect your messages to your friends.
This means that all security measures which apply to this app are not important any more, because you already trust this app in the first place. If you now say that you still want to have security measures in place, this means that you (don’t have)/(have only restricted) trust in these app developers.
Which in turn raises the question why you still trust them to keep your messages private.

Note that partial trust is tricky: Why would you trust someone to keep your messages private but not trust this person with accessing files you might send via this app one day?
Of course I’m a bit exaggerating here, and restricting an IM app to IM-related stuff is a good thing, but this should help you to get an idea of how much trust and reduced functionality you want to accept.

This IM app is just an example, it also works for banking, browsers or any other app.

The bad thing is:
I would predict that you either end up trusting very many people or have a phone which can do nothing, not even consuming electricity :stuck_out_tongue_winking_eye:

One solution could be to simply not store any super critical data on a phone in general.
There are issues with the hardware and, for example, full disk encryption (against physical theft) is worse on devices without a physical keyboard than on devices with one:

You don’t (want to) enter your 20+ character passphrase each time you unlock your phone, do you?
Your phone passphrase is even shorter than the one on your computer, isn’t it?

(sorry for the wall of text, this became longer than anticipated)

4 Likes

Considering: https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/?sh=642869635da0

Where we are speaking of a company with a very deep war chest, I think it’s safe to say, it’s all a crap shoot if you don’t know what you’re doing. And also if you do.

For instance. I run linux vserver (a set of kernel patches, cgroups like, predating cgroups) which is a form of para-virtualization. Now, this is ‘outmoded’ and few use it these days.

Well, turns out it’s sometimes advantageous to not go with latest greatest. Linux Vserver containers (not the kernel itself) are immune to Spectre and Meltdown. The two most serious kernel vulnerabilities introduced by HARDWARE! in, well, forever.

Long story short. All the latest greatest software (even older stuff, kvm, xen, etc) is toast. Vulnerable. Unless you patch the kernel, suspend a bunch of cpu features, etc. You take a 20% performance hit.

I don’t. I don’t patch my kernels. My virtuals are not vulnerable. blah, blah, blah.

So why the long post. Well, I know very, very few, even seasoned, admins who are aware of this. It’s obscure knowledge.

And on the other hand, one of the richest companies on the planet (Kalifornia, ueber alles, ueber alles Kalifnornia!) can’t do security audits.

My very quick look at the security aspects of SFOS left me secure in the knowledge that I CAN inspect it. My apple developer license is lapsed. I doubt I can get a really good look at the internals.

And apple is the only alternative, until the bugs are out of Ubuntu Touch, Plasma and co. Except maybe Librem. Librem might be a recommend. I haven’t had the time to look but it’s probably a step up from SFOS. I’m saving up my Kopecs.

But I’ll still develop for SFOS. I guess I’m just an old Nokia Fan Boy (I was an apple fan boy. I am a Commodore/Amiga fan boy).

Oh jah. Graphene. Hard, we are. Ah ah. The only recommended devices are from a company called google.
Pixel 5 (redfin)
Pixel 4a (5G) (bramble)
Pixel 4a (sunfish)
That does not instill confidence in me.

Using the buzzword DNSSEC (and then describing it incorrectly) on your PR page is not secure. It’s just talk.

Sorry for the rant. I spent most of my day doing … security updates on servers.

1 Like

@4carlos, @Vamp898 the trust is the key here, but doing some basic testing helps to have some evidence on which the trust is based.

@4carlos, for network traffic testing no apps on the phone are needed. Just a linux computer with a wireless card. Actually, it’s better not to use something running on the device under testing.

@Vamp898 AOSP is 100% FLOSS, but even if you could compile AOSP following the instructions from open devices, it will not pass a simple network testing without noticing how many times it is connecting to external IP addresses.


:+1:

2 Likes
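The laptop-hotspot capture discussed in this thread produces a lot of tcpdump lines over a few hours; what you actually want is a short table of which destinations the idle phone talked to and how often. The script below is an added example (not from any poster in this thread) for the laptop side of that setup. It assumes the hotspot interface is called wlan0 and that the hotspot handed the phone the address 192.168.12.5; both are assumptions, set PHONE_IP and the interface name to match your own setup. The sample capture embedded in it is constructed for the demo, not a real trace.

```shell
#!/bin/sh
# Added example (not from the thread): summarise where an idle phone talks to,
# from a tcpdump run on the hotspot laptop, never on the device under test.
# Assumptions (not from the thread): hotspot interface "wlan0", phone at 192.168.12.5.
#
# Capture on the laptop for a few hours, then feed the text file to summarize_destinations:
#   sudo tcpdump -n -tttt -i wlan0 'not arp' > idle-capture.txt
# With -n tcpdump prints lines such as
#   2021-05-01 12:00:01.000001 IP 192.168.12.5.43210 > 203.0.113.10.123: NTPv4, Client, length 48

PHONE_IP="${PHONE_IP:-192.168.12.5}"

# Print "count destination port" for every outbound flow from the phone, most
# frequent first. Reads tcpdump text from the files given or from stdin.
summarize_destinations() {
    awk -v phone="$PHONE_IP" '
        # Split "host.port" as tcpdump prints it: an IPv4 address with a port has
        # four dots, an IPv6 address with a port has a dot after the colons.
        # Bare addresses (ICMP, for instance) are left untouched with port "-".
        function split_port(addr, out,    n) {
            n = gsub(/\./, ".", addr)
            if ((n == 4 || index(addr, ":")) && match(addr, /\.[0-9]+$/)) {
                out["port"] = substr(addr, RSTART + 1)
                out["host"] = substr(addr, 1, RSTART - 1)
            } else {
                out["port"] = "-"
                out["host"] = addr
            }
        }
        {
            # locate "IP <src> > <dst>:" regardless of how many timestamp fields precede it
            hit = 0
            for (i = 3; i < NF; i++)
                if ($i == ">" && ($(i-2) == "IP" || $(i-2) == "IP6")) {
                    src = $(i-1); dst = $(i+1); hit = 1; break
                }
            if (!hit) next
            sub(/:$/, "", dst)
            split_port(src, s)
            if (s["host"] != phone) next       # keep only packets the phone sent
            split_port(dst, d)
            count[d["host"] " " d["port"]]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Constructed sample in tcpdump -n -tttt format (not a real capture): one NTP
# exchange, one DNS query via the laptop, and one TCP handshake to a web server.
sample_capture() {
    cat <<'EOF'
2021-05-01 12:00:01.000001 IP 192.168.12.5.43210 > 203.0.113.10.123: NTPv4, Client, length 48
2021-05-01 12:00:01.000500 IP 203.0.113.10.123 > 192.168.12.5.43210: NTPv4, Server, length 48
2021-05-01 12:00:02.000001 IP 192.168.12.5.40000 > 192.168.12.1.53: 1234+ A? example.invalid. (32)
2021-05-01 12:00:02.000300 IP 192.168.12.1.53 > 192.168.12.5.40000: 1234 1/0/0 A 198.51.100.7 (48)
2021-05-01 12:00:02.001000 IP 192.168.12.5.51000 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
2021-05-01 12:00:02.001600 IP 198.51.100.7.80 > 192.168.12.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
2021-05-01 12:00:02.002000 IP 192.168.12.5.51000 > 198.51.100.7.80: Flags [.], ack 1, win 65535, length 0
EOF
}

# Stand-alone demo on the constructed sample; on a real run use: summarize_destinations idle-capture.txt
sample_capture | summarize_destinations
```

Only packets whose source is the phone are counted, so replies from the laptop's own DNS forwarder or from remote servers do not inflate the numbers; a destination of port 53 on the hotspot address is the phone resolving names, which tells you something talked even before the actual connection shows up. Resolve the remaining addresses by hand afterwards rather than running tcpdump without -n, so the summary itself never triggers extra lookups.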

@Vamp898

This is also my recommended way and the only correct way to minimize the risk of data leaking from my phone. So you have to trust the developers of an OS. However, this also means achieving very little comfort because many “useful” apps cannot be used.

Unfortunately, that’s only a small part that I can control. To be even more secure, I would have to forego visiting the Internet. Search engines, internet forums, social networks, internet shops, companies are all waiting for me there. A transfer via PayPal, for example, is shared with 600 companies that you do not know, have never seen and will never see (https://netzpolitik.org/2018/visualisiert-mit-diesen-600-firmen-teilt-paypal-deine-daten/). Every website with the Facebook link tracks you whether you are a member or not. Big data then allows the anonymous data records to be assigned to an existing person. Try to turn off all access (advertising, cookies, super cookies, trackers, pixel traps and so on) and you can barely use internet sites. It takes a very long time for an interested user to want to protect himself against everything. You can never reach 100%. And you can never achieve that all data records that are circulating about you on the Internet are actually effectively protected by (e.g.) companies, insurance companies, banks. You can only hope that employees at all companies think like you and do the best they can. The reality looks different.

Linking the Internet to a phone eliminates privacy. The modern internet is there to make money. Hundreds of thousands of developers are looking for ways to get your data. Because the web has no real product to offer, it takes your data and sells it. Convenience comes at a high price and consequently the internet has to be seen as a honeypot.

If you are concerned with the security of a phone, you also have to keep an eye on the usage and not just a handset. It’s just a small link in the chain.

That’s what I mean and thank you for your patience with my philosophical reflections :wink:

3 Likes

For sure. I only mentioned nethogs as a way to see if a process is exchanging data with the internet. This is not a perfect solution and is only enough for a rough overview.

That’s my shop (netzpolitik.org) :slight_smile: Needless to say, security themes occupy too much of my time.

I had overlooked, in my rant, that the pine gang made a decision: Manjaro with Plasma Mobile OS build. Given the community and company time involved in going through multiple iterations of different distributions and desktops, I’d guess the pinephone way may be the future?

I just didn’t like the hardware specs and had a Jolla phone and built (privately) some apps for SFOS. So given my level of involvement in security stuff I felt good about SFOS. But I’m certain getting involved with any of the ‘pure’ linux phone communities would be a good place to find the security concerned and informed people.

As for hardening your own device, well it’s a bit of a problem when the browsers take 20 years! to do the obvious, like making the cookie jar jailed. Why in the world wasn’t ‘private browsing’ standard long ago? I’ve hacked my FF for years because of that nonsense.

While I generally trust Jolla, I must say that their ties with some obscure Russian company developing part of the OS are worrisome in this respect.

A state-owned telecoms provider can hardly be called obscure.

1 Like

Finally, I found time to do some tcpdumps on different OSs for an Xperia X, the result is the following:

1- Ubuntu touch. Fresh install, I left the phone idle without running any apps.
Capturing 1 hour of tcpdump was enough. It’s connecting every several minutes to some canonical and ubports servers. I didn’t dig into what processes were doing this, but this is kind of unacceptable from the privacy/security perspective. I think that this behavior could be tuned by adjusting the services but I did not spend any time on this.

2- Android 8.1 from vendor. Same condition: fresh install, I left the phone idle without running any apps.
This time, capturing 1 minute was enough, hahha. It’s connecting everywhere.

3- Sailfish OS X. Same condition: fresh install, I left the phone idle without running any apps.
As soon as it’s connected to internet, it connects to some NTP servers, to ipv4.jolla.com and to some aws server. Exchanges a few bytes and stops. It repeats the same process after ~12 hours. It seems some type of network clock synchronization, but I’m not sure.

4- Sailfish OS X. Same as before, but I changed the /etc/connman/main.conf. I removed all the FallbackTimeservers, Ipv4StatusUrl and Ipv6StatusUrl configuration.
It does not connect to anywhere, the tcpdump is totally clean. To me, it’s really unbelievable to see a smartphone network connection completely clean.

16 Likes
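Result 4 above comes from deleting three keys in /etc/connman/main.conf. The script below is an added example (not the poster's own commands and not Jolla's configuration) that makes the same edit repeatably and checks it. It assumes the standard connman layout, a [General] section in /etc/connman/main.conf; the server names and URLs in the embedded "before" fragment are placeholders constructed for the demo, not the values shipped on the device.

```shell
#!/bin/sh
# Added example (not from the thread): remove the three connman settings that
# result 3 above showed as the only idle traffic on Sailfish OS X, then verify.
# Assumption: connman reads /etc/connman/main.conf with a [General] section.
# The server values below are placeholders, not Jolla's real entries.

CONF="${CONF:-/etc/connman/main.conf}"

# Constructed "before" fragment in the shape of a connman main.conf (not a real file).
before_conf() {
    cat <<'EOF'
[General]
# placeholder servers; the real file carries the vendor's own entries
FallbackTimeservers=ntp1.example.invalid,ntp2.example.invalid
Ipv4StatusUrl=http://ipv4.example.invalid/online/status.html
Ipv6StatusUrl=http://ipv6.example.invalid/online/status.html
BackgroundScanning=true
EOF
}

# Delete the three keys, as the post above did. Reads stdin, writes stdout.
strip_phone_home() {
    sed -E '/^[[:space:]]*(FallbackTimeservers|Ipv4StatusUrl|Ipv6StatusUrl)[[:space:]]*=/d'
}

# Succeed only when none of the three keys is still active in the given file (or stdin).
is_clean() {
    ! grep -Eq '^[[:space:]]*(FallbackTimeservers|Ipv4StatusUrl|Ipv6StatusUrl)[[:space:]]*=' "$@"
}

# Apply to a real file: keep a backup, replace the file in one move, then verify.
harden_connman_conf() {
    f="$1"
    cp -p "$f" "$f.bak" || return 1
    strip_phone_home < "$f" > "$f.tmp" && mv "$f.tmp" "$f" || return 1
    is_clean "$f"
}

# Stand-alone demo on the constructed sample; on the device run, as root:
#   harden_connman_conf "$CONF" && systemctl restart connman
before_conf | strip_phone_home
```

Two things to check after applying it on a real device: re-run the idle capture from earlier in the thread, because deleting a key is not the same as setting it empty and a daemon may fall back to a compiled-in default when a key is absent (the clean dump in result 4 is the evidence that matters, not the file contents); and remember that without FallbackTimeservers the clock depends on whatever other time source the device has, so a drifting clock afterwards is the expected trade-off, not a bug.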

That’s the detection for captive portals (WiFi Login pages) I believe.

1 Like

I think it is more about respect. A person that wants to keep things private would wisely not use any electronic devices in network or at all.

2 Likes

Do you remember the names of the servers called?