Privacy and security of SailfishOS

ntp would be time servers and the push service is a proxy for some apps to push back via, presumably, websockets.

Your snippet looks like periodically searched time servers that belong to Ubuntu and, in case that one of them could not be reached, dial the next one. A fallback list is processed and not stopped if a server cannot be reached. The calls to UBPorts communicate with the push service for notifications. The default options are set to automatically check for system updates and notifications. In contrast to Sailfish, where updates take months to come, Ubuntu Touch is immediately supplied with the latest packages when they are available. In the case of UT bugs, fixes are sent immediately after they have been corrected.

This is certainly not a disadvantage and SFOS users should also wish that from Jolla :wink:

3 Likes

Thanks for further details! I would note however, that most of these operations don’t need to be done more than once or twice a day. Or?

The push service usage is heavily dependent on applications and, if I understand correctly, is more of a ‘service’ for the community from Canonical?

You’re right. Checking the time once or twice a day would be enough, but maybe the localization was activated. The Canonical ntp-servers are an old relic I think. UBPorts could have chosen any other ntp-server.

The UBPorts push servers are responsible for many tasks and have nothing to do with Canonical. UBPorts has taken over the UT project from Canonical and is responsible for porting and maintaining UT (simply).

Of course, I was aware the foundation had taken over, I just hadn’t looked at the Address :< Sorry!

Good to mention this! To me there is general security by preventing hacking and anti-virus, etc. and security by not being subject to surveillance. Not being a developer or tech-savvy, I have no idea how to make my Sailfish device more secure. A VPN can be installed, but what more? So I have to trust Jolla.
Open source/Floss doesn’t guarantee that apps are safe. I remember that we once had a torch app in Jolla store that had trackers. Other devs noticed it after a while and the app was removed. Why is there still Here Wego in the store?
What about Storeman? Are all those apps privacy safe?
Most Android apps have trackers. Just search for Exodus Privacy, a wonderful organisation. What about Aurora Store? I would like to know what an app from the Guardian does when installed with Aurora Store on my Sailfish device.
Then Google. I am quite allergic to this company. I don’t want to be spied upon and I don’t agree with their mission and policy. Try to avoid them a.m.a.p. So I would like to know if Jolla has connections with Google. Why is there no list of alternative search engines default in the browser? Why is Google in the list of accounts? And why Dropbox in ‘clouds’ and not alternative ones?
Surely we have to trust a company and I am glad that Jolla Sailfish is still alive. The idea that it only can stay alive through the support of Rostelecom however is a bit of a concern. Are the two kinds of Sailfish separated?
I think we have to support the moves from the EU and also from the US to implement laws that make us more safe, such as the quest for the abolishment of personalisation that is now going on. It has to be done by law and by tech.

If you install apps via Aurora the number of trackers is shown to you (I think it comes from ExodusPrivacy). Also there is an app in F-Droid which checks the trackers of installed Android apps. It also works for apps in Alien Dalvik. Its name is ClassyShark3xodus.

2 Likes

Thanks, yes, ExodusPrivacy is a wonderful org. I use it quite often in order to show others what trackers Android apps (and iOS apps too) contain. What I didn’t know is: does Sailfish not prevent this in Android? So the answer is no. This confirms that laws are necessary in order to get rid of these trackers. There is now a movement in the EU and in the US that promotes laws that forbid personalisation. I think this would be a good step.

1 Like

If it’s checking for updates or notifications, why is it doing it so often? If you have an Ubuntu Touch phone, you could do a quick tcpdump from the phone itself (as root), just to see the network traffic.

This is a summary of the dump I did with the hotspot:

  • As soon as I connect:

0.push.ubports.com.5001
chilipepper.canonical.com.ntp
golem.canonical.com.ntp
pugot.canonical.com.ntp
alphyn.canonical.com.ntp
0.push.ubports.com.https

This line I don’t really understand (the phone’s IP was 10.42.0.90, and the hotspot’s IP was 10.42.0.90)
10.42.0.90.6651 > 10.42.0.1.domain: 54201+ AAAA? open-store.io. (31)
10.42.0.1.domain > 10.42.0.90.mdns: 52134 1/0/0 A 104.236.23.42 (47)
104.236.23.42.https (this IP probably is related to the open-store, I’m not sure)

  • Few minutes later:

cactuar.canonical.com.http
0.push.ubports.com.5001

  • Few minutes later:

cactuar.canonical.com.http
0.push.ubports.com.5001

  • Few minutes later:

0.push.ubports.com.5001

  • Few minutes later:

davybones.canonical.com.http
0.push.ubports.com.5001

  • Few minutes later:

davybones.canonical.com.http
0.push.ubports.com.5001

  • Few minutes later:

cactuar.canonical.com.http
0.push.ubports.com.5001

I didn’t dig more to know what processes or daemons are connecting to those servers.
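Added example, not part of the original post: a small Python summarizer for tcpdump's default text output that answers the "how often" question by counting, per destination host and service, the packets the phone sent and the time span they cover. The sample capture is constructed (hostnames are taken from the dump above; timestamps, source ports and packet details are invented), and the phone address 10.42.0.90 is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in tcpdump's default text format; hostnames come from the
# post above, timestamps, source ports and packet details are invented.
SAMPLE = """\
12:00:01.000000 IP 10.42.0.90.6651 > 10.42.0.1.domain: 54201+ AAAA? open-store.io. (31)
12:00:02.000000 IP 10.42.0.90.40112 > 0.push.ubports.com.5001: Flags [S], length 0
12:00:02.050000 IP 0.push.ubports.com.5001 > 10.42.0.90.40112: Flags [S.], length 0
12:00:03.000000 IP 10.42.0.90.123 > golem.canonical.com.ntp: NTPv4, Client, length 48
12:05:02.000000 IP 10.42.0.90.40250 > cactuar.canonical.com.http: Flags [S], length 0
12:05:04.000000 IP 10.42.0.90.40112 > 0.push.ubports.com.5001: Flags [P.], length 31
12:10:04.000000 IP 10.42.0.90.40112 > 0.push.ubports.com.5001: Flags [P.], length 31
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP6? (\S+) > (\S+): (.*)$")
DNS_Q = re.compile(r"\b(?:AAAA|A)\? (\S+?)\.? ")  # name asked for in a DNS query

def split_endpoint(endpoint):
    # tcpdump prints "host.port"; the port or service name is the last dot field.
    host, _, service = endpoint.rpartition(".")
    return host, service

def summarize(text, device_ip):
    """Return ({(host, service): stats}, {queried DNS names}) for device_ip."""
    seen, dns_names = defaultdict(list), set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, rest = m.groups()
        if split_endpoint(src)[0] != device_ip:
            continue  # keep only packets sent by the phone itself
        seen[split_endpoint(dst)].append(datetime.strptime(ts, "%H:%M:%S.%f"))
        q = DNS_Q.search(rest)
        if q:
            dns_names.add(q.group(1))
    report = {dest: {"packets": len(t), "span_s": (t[-1] - t[0]).total_seconds()}
              for dest, t in seen.items()}
    return report, dns_names

if __name__ == "__main__":
    report, names = summarize(SAMPLE, "10.42.0.90")
    for (host, service), info in sorted(report.items()):
        print(f"{host:28} {service:8} {info}")
    print("DNS queries:", sorted(names))
```

Timestamps here carry no date, so a capture that crosses midnight needs tcpdump's `-tttt` option and a matching change to the timestamp pattern.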

That’s DNS lookup for open-store.io and 10.42.0.1 is the local (m)DNS server. 104.236.23.42 is the IP address of the looked-up domain open-store.io.
EDIT: Plus the actual HTTPS connection to the server, of course.

Interesting, why is it connecting to open-store.io if I did not open any store app?

Checking for updates maybe?

In SFOS this did not happen, unless I open the store app

Not really. If you provide a layer between the actual data and the data obtained by application (https://github.com/M66B/XPrivacyLua/blob/master/README.md), you have done quite a lot in a generic way.

Should be advertised. “Buy SFOS and you can get yourself the next smaller data plan” :money_mouth_face:
With no spyware using up your allowance silently in the background (at least compared to Android) that could actually be true.

hahah, yeah. And, this also impacts on the battery life. I noticed that in SFOS the battery life is much longer compared to Ubuntu Touch.

There is an app in F-Droid store, called TrackerControl, where you can block trackers on a per-app basis. I haven’t been able to make it work with Sailfish, as it works through a local VPN. It fails with the message “VPN connection cancelled Did you configure another VPN to be an always-on VPN?” Which I don’t think I’ve done tbh.

The app seems handy afaik, and something similar or a workaround for the Android part of Sailfish would be much appreciated if needed.

Sounds like it should technically be possible to do the same thing natively, which would reflect on the Android side.

1 Like

Does anyone know the aliendalvik architecture? Is it based on LXC?

aliendalvik cannot be based on LXC in any trivial way. As LXC is based on Linux cgroups as a means of paravirtualization where cgroups are context limits for processes and the like… That doesn’t have anything to do with Java VMs per se.

Alien Dalvik is a JVM. A Java virtual machine. You can run Dalvik IN an LXC container. But that would be pointless. I think?

The Alien bit was a proprietary wrapper/re-write around https://en.wikipedia.org/wiki/Dalvik_(software) which is a particular kind of JVM.