Privacy and security of SailfishOS

@ Vamp898

This is also my recommended way and the only correct way to minimize the risk of data leaking from my phone. So you have to trust the developers of an OS. However, this also means achieving very little comfort because many “useful” apps cannot be used.

Unfortunately, that’s only a small part that I can control. To be even more secure, I would have to forego visiting the Internet. Search engines, internet forums, social networks, internet shops, companies are all waiting for me there. A transfer via PayPal, for example, is shared with 600 companies that you do not know, have never seen and will never see (https://netzpolitik.org/2018/visualisiert-mit-diesen-600-firmen-teilt-paypal -your data/#). Every website with the Facebook link tracks you whether you are a member or not. Big data then allows the anonymous data records to be assigned to an existing person. Try to turn off all access (advertising, cookies, super cookies, trackers, pixel traps and so on) and you can barely use internet sites. It takes a very long time for an interested user to want to protect himself against everything. You can never reach 100%. And you can never achieve that all data records that are circulating about you on the Internet are actually effectively protected by (e.g.) companies, insurance companies, banks. You can only hope that employees at all companies think like you and do the best they can. The reality looks different.

Linking the Internet to a phone eliminates privacy. The modern internet is there to make money. Hundreds of thousands of developers are looking for ways to get your data. Because the web has no real product to offer, it takes your data and sells it. Convenience comes at a high price and consequently the internet has to be seen as a honeypot.

If you are concerned with the security of a phone, you also have to keep an eye on the usage and not just a handset. It’s just a small link in the chain.

That’s what I mean and thank you for your patience with my philosophical reflections

For sure. I only mentioned nethogs as a way to see if a process is exchanging data with the internet. This is not a perfect solution and is only enough for a rough overview.

That’s’ my shop (netzpolitik.org) Needless to say, security themes occupy too much of my time.

I had overlooked, in my rant, that the pine gang made a decision: Manjaro with Plasma Mobile OS build. Given the community and company time involved in going through multiple iterations of different distributions and desktops, I’d guess the pinephone way may be the future?

I just didn’t like the hardware specs and had a Jolla phone and built (privately) some apps for SFOS. So given my level of involvement in security stuff I felt good about SFOS. But I’m certain getting involved with any of the ‘pure’ linux phone communities would be a good place to find the security concerned and informed people.

As for hardening your own device, well it’s a bit of a problem when the browers take 20 years! to do the obvious, like making the cookie jar jailed. Why in the world wasn’t ‘private browsing’ standard long ago? I’ve hacked my FF for years because of that nonsense.

While I generally trust Jolla, I must say that their ties with some obscure Russian company developing part of the OS are worrisome in this respect.

A state-owned telecoms provider can hardly be called obscure.

Finally, I found time to do some tcpdumps on different OSs for an Xperia X, the result is the following:

1- Ubuntu touch. Fresh install, I left the phone idle without running any apps.
Capturing 1 hour of tcpdump was enough. It’s connecting every several minutes to some canonical and ubports servers. I didn’t dig into what processes were doing this, but this is kind of unacceptable from the privacy/security perspective. I think that this behavior could be tuned by adjusting the services but I did not spent anytime on this.

2- Android 8.1 from vendor. Same condition: fresh install, I left the phone idle without running any apps.
This time, capturing 1 minute was enough, hahha. It’s connecting everywhere

3- Sailfish OS X. Same condition: fresh install, I left the phone idle without running any apps
As soon as it’s connected to internet, it connects to some NTP servers, to ipv4.jolla.com and to some aws server. Exchanges few bytes and stops. It repeats the same process after ~12 hours. It seems some type of network clock synchronization, but I’m not sure.

4- Sailfish OS X. Same as before, but I changed the /etc/connman/main.conf. I removed all the FallbackTimeservers, Ipv4StatusUrl and Ipv6StatusUrl configuration.
It does not connect to anywhere, the tcpdump is totally clean. To me, it’s really unbelievable to see a smartphone network connection complete clean.

That’s the detection for capture portals (WiFi Login pages) I believe.

I think it is more about respect. A person that wants to keep things private would wisely not use any electronic devices in network or at all.

Do you remember the names of the servers called?

chilipepper.canonical.com.ntp
golem.canonical.com.ntp
pugot.canonical.com.ntp
alphyn.canonical.com.ntp
alphyn.canonical.com.ntp
0.push.ubports.com.https
cactuar.canonical.com.http
davybones.canonical.com.https

etc.

@takimata I agree with you in principle. Personally, I am less concerned about software deliberately acting against me due to a developer’s actions and more about it being exploited. That is, I have no reason to distrust Jolla or (some) SFOS community developers as it would make much more sense to develop malware for Android considering the size of userbase. However, the number of open source supply chain attacks is increasing rapidly. Even if a developer has no malintentions, it suffice that s/he does not carefully check the code of updated that he is using. Similarly, a bug in software can be exploited by third parties. Moreover, even if there is no bug, the unclear security model of the OS can cause problems when things that users don’t expect can happen (see the above mentioned discussion about an Android app which was able to open websites in Sailfish browser while in the background).

Obviously, these are challenges not unique to SFOS. Each projects introduces different measures to prevent such problems and to mitigate the damage when they occur. SFOS may have a bigger potential attack surface due to Linux and Android components.

Sure, I could not keep critical data on the phone, but then if I must treat it as as untrustworthy device, I should not connect it to home network or my computer. Of course we are not discussing targeted attacks, but an opportunistic ones when unspecified users are affected.

That’s interesting. Thanks for doing it. I compared it with what GrapheneOS states to be sending (https://grapheneos.org/faq#default-connections) and Sailfish OS X had even less connections. Did you have location services turned on as that AWS connection may have been related to A-GPS if SFOS uses it?

I don’t remember if the location services were on or off. But, I did a tcpdump -vvv and figured out that that AWS connection was related to connman. So, I modified the /etc/connman/main.conf as I mentioned in the previous message. After that, the tcpdump was totally clean, no conection whatsoever going out.

@poetaster Are you satisfied with the default security offered by SFOS or do you tend to harden it in some way?

As for Graphene OS, I agree that it sounds ridiculous that only Google devices can be used. To be fair to them, they explain that only few devices meet their requirements, such as “the hardware-backed keystores, verified boot, attestation and a decent integration of IOMMUs for isolating components such as the GPU, radios media decode / encode, image processor”. Of course that still means that one has to trust Google at least for the security aspect.

Ahh sorry, I somehow missed it initially.

The jolla team adheres to a fairly strict regimen. As such, the paucity of attack surfaces (which is also a ‘lack’ of libraries /features) makes it a LOT less scary as distributions go. I don’t do ‘anything’ other that look at wireshark dumps and enjoy

But also I don’t do anything sensitive on a phone, although my phones, I believe, are safer than my laptops. FAR too much software running on my laptops.

I do, however, also discount a bunch of things that others value:
I do not do filesystem level encryption (although I have used it with Freebsd and Linux).
I do do gnupg for things I care for. And I have rescued data for people who fuck up FS encryption.
I do not do password stores.
I do memorize epic poems (well, just 2) which serve as password stores.

So basically, I’m too strange for good advice.

ntp would be time servers and the push service is a proxy for some apps to push back via, presumably, wewbsockets.

Your snippet looks like periodically searched time servers that belong to Ubuntu and, in case that one of them could not be reached, dial the next one. A fallback list is processed and not stopped if a server cannot be reached. The calls to UBPorts communicate with the push service for notifications. The default options are set to automatically check for system updates and notifications. In contrast to Sailfish, where updates take months to come, Ubuntu Touch is immediately supplied with the latest packages when they are available. In the case of UT bugs, fixes are sent immediately after they have been corrected.

This is certainly not a disadvantage and SFOS users should also wish that from Jolla

Thanks for further details! I would note however, that most of these operations don’t need to be done more than once or twice a day. Or?

The push service usage is heavily dependent on applications and, if I understand correctly, is more of a ‘service’ for the community from Canonical?

You’re right. Checking the time once or twice a day would be enough, but maybe the localization was activated. The Canonical ntp-servers are an old relic I think. UBPorts could have chosen any other ntp-server.

The UBPorts pushserver are responsible for many tasks and have nothing to do with Canonical. UBPorts has taken over the UT project from Canonical and is responsible for porting and maintaining UT (simply).