Privacy and security of SailfishOS

Of course, I was aware the foundation had taken over, I just hadn’t looked at the Address :< Sorry!

Good to mention this! To me there is general secury by preventing hackingand anti-virus, etc. and security by not being subject to surveillance. Not being a developer or techsavvy, I have no idea to how make my Sailfish device more secure. A VPN can be installed, but what more? So I have to trust Jolla.
Open source/Floss doesn’t guarantee that apps are safe. I remember that we once had a torch app in Jolla store that had trackers. Other dev’s noticed it after a while and the app was removed. Why is there still Here Wego in the store?
What about Storeman? Are all those apps privacy safe?
Most Android apps have trackers. Just search for Exodus Privacy, a wonderful organisation. What about Aurora Store? I would like to know what an app from the Guardian does when installed with Aurora Store on my Sailfish device.
Then Google. I am quite allergic to this company. I don’t want to be spied upon and I don’t agree with their mission and policy. Try to avoid them a.m.a.p. So I would like to know if Jolla has connections with Google. Why is there no list of alternative search engines default in the browser? Why is Google in the list of accounts? And why Dropbox in ‘clouds’ and not alternative ones?
Surely we have to trust a company and I am glad that Jolla Sailfish is still alive. The idea that it only can stay alive through the support of Rostelecom however is a bit of a concern. Are the two kinds of Sailfish separated?
I think we have to support the moves from the EU and also from the VS to implement laws that makes us more safe, such as the quest for the abolishment of personalisation that is now going on. Is has to be done by law and by tech.

If you install apps via Aurora the number of trackers is shown to you ( think it comes from ExodusPrivacy). Also there is an app in F-Droid which checks the tracker of installed Android Apps. It also works for apps in Alien Dalvik. Its name is ClassyShark3xodus.


Thanks, yes, ExodusPrivacy is a wonderful org. I use it quite often in order to show others what trackers Android apps (and iOS apps too) contain. What I didn’t know is: does Sailfish not prevent this in Android. So the answer is no. This confirms that laws are necessary in order to get rid of these trackers. There is now a movement in the EU and in the US that promotes laws that forbid personalisation. I think this would be a good step.

1 Like

If it’s checking for update or notifications, why is it doing it so often? If you have a ubuntu touch phone, you could do a quick tcpdump from the phone itself (as root), just to see the network traffic.

This is a summary of the dump I did with the hotspot:

  • As soon as I connect:

This line I don’t really understand (the phone’s ip was, and the hotspot’s ip was > 54201+ AAAA? (31) > 52134 1/0/0 A (47) (this IP probably is related to the open-store, I’m not sure)

  • Few minutes later:

  • Few minutes later:

  • Few minutes later:

  • Few minutes later:

  • Few minutes later:

  • Few minutes later:

I didn’t dig more to know what processes or daemons are connecting to those servers.

That’s DNS lookup for and is the local (m)DNS server. is the IP address of the looked-up domain
EDIT: Plus the actual HTTPS connection to the server, of course.

interesting, why is it connecting to if I did not open any store app?

Checking for updates maybe?

In SFOS this did not happen, unless I open the store app

Not really. If you provide a layer between the actual data and the data obtained by application (, you have done quite a lot in a generic way.

Should be advertised. “Buy SFOS and you can get yourself the next smaller data plan” :money_mouth_face:
With no spyware using up your allowance silently in the background (at least compared to Android) that could actually be true.

hahah, yeah. And, this also impacts on the battery life. I noticed that in SFOS the battery life is much longer compared to Ubuntu touch

There is an app in F-droid store, called TrackerControl where you can block trackers pr. app basis. I haven’t been able to make it work with Sailfish, as it work through a local vpn. It failes with the message “VPN connection cancelled Did you configure another VPN to be an always-on VPN?” Which I don’t think I’ve done tbh.

The app seem handy afik, and something similar or a workaround for the android part of Sailfish would be much appreciated if needed

Sounds like it should technically be possible to do the same thing natively, which would reflect on the Android side.

1 Like

does anyone know the aliendalvik architecture? is it based on LXC?

aliendalvik cannot be based on LXC in any trivial way. As LXC is based on linux cgroups as a means of paravirtualization where cgroups are context limits for processes and the like… That doesn’t have anything to do with java VMs per se.

Alien Dalvik is a JVM. A java virtual machine. You can run Dalvik IN an LXC container. But that would be pointless. I think?

The Alien bit was a proprietary wrapper/re-write around which is a particular kind of JVM.

So, why don’t we do a free JVM for android stuff on sailfish :slight_smile:

Take a look on your phone:
It is as AOSP running in an LXC on an patched “Android kernel” to suffice AOSP’s as well as regular Linux userland’s needs.

Oh, that is old, outdated info, which was true for Myriad Groups AlienDalvik based on AOSP 4.x, which old devices still use.
That one also utlises a simple chroot environment with bindmounts (i.e., not LXC) on SailfishOS.

Android 5 brought “native apps” hence the JVM-only approach became obsolete.

Years later, Myriad Group stopped selling bulk AlienDalvik licenses and Jolla bought the right to develop a new “AlienDavik for SailfishOS”, which they did for the Xperia XA2 series and later devices (Xperia 10 and 10 II).
I think, the integrations (intents, clipboard, notifications etc. between native and Android apps) were crucial to license, as most of the other code is just AOSP.

I thought that all that was being used here is hardware abstraction? My understanding was that the chipsets are so variegated that there is not way for the kernel drivers to be managed as they would be, for instance, for desktops and so on. The Android stuff is not posix (libbionic) which led to being required as a compatibility wrapper. I believe this is mostly android functionality wrappers…

AOSP running in an LXC ? AOSP IS a modified kernel (just re-read, AOSP doen’t specify the kernel directly) so I’m not entirely clear, but I’m running a debug kernel and LXC is not (directly) in use. cgroups are always in use. I’m not running LXC anymore but used to run a cluster (openstack) and I do not see even a remote sign of LXC being in use?