Like what the person you replied to said. Sandboxing on Linux phones is incredibly weak outside of non-Flatpak Chromium browsers. And even Flatpak itself is a pretty weak sandbox compared to iOS/Android sandboxing. Part of this stems from Android and iOS being developed as sandbox-first OSes, so this could be said for any desktop operating system really aside from ChromeOS.
Also, sure, you could avoid crapware from Meta, Google and the likes, but you could still be exposed to nefarious programs via things like supply chain attacks (i.e. npm), or the developer turning coat or not realizing their app has an exploit, etc.
Linux also lacks a thorough permissions system unlike iOS/Android and the even more granular GrapheneOS.
Linux phones lack verified boot, meaning persistent malware is trivial on Linux devices. There is no MTE/MIE on Linux phones, and even Google themselves say like 70% of malware spawns from memory exploits[1].
Also, Linux only really has block-level encryption, not file-based encryption like iOS/Android. It would be trivial for LEO to access your device unless it was totally powered off, and then the only protection is LUKS. Or really, even if you lose your phone and someone was so inclined, they could just extract all the data if it was powered on but on the "lock screen," as most if not all desktop (and I'd imagine Linux phone) environments do not actually do any encryption or anything when the system is locked; it's just a cosmetic lock for all intents and purposes.
It would maybe be possible to somewhat mitigate that with Cryptomator or somehow using fscrypt, since that's what Android uses, but I don't know.
Also even for basic things like clipboard protection, even with Wayland there are ways around it so that an app can read anything from the clipboard (not usually done for nefarious means in my experience, but it’s possible — see an app like Vicinae’s clipboard history and clipboard-centric features running on Wayland).
There’s more but this is like a short overview.
This doesn’t even get into people preferring Firefox on Linux which is light years behind Chromium based browsers in terms of security.
While it’s not a huge issue on desktop depending on how you view it, I would imagine phones see way more of people’s private data than their computers do and so I think it’s more beneficial to have higher security here than give that up for Linux.
—-
[1] https://security.googleblog.com/2024/10/safer-with-google-ad...
> 70% of malware spawns from memory exploits[1].
I think that's because they don't consider the apps in their app store to be malware despite doing things like starting a server on localhost to circumvent sandbox.
> Linux phones lack verified boot meaning persistent malware is trivial on linux devices.
Librem 5 has a 3FF Smart card reader. Also, it can be completely wiped and reinstalled, ensuring that your phone is cleaned whenever you suspect a compromise.
> supply chain attacks (i.e. npm)
Nobody uses npm on a GNU/Linux phone. As the OP correctly mentioned, the whole security model relies on the trusted apps. See also: https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F...
> Or really even if you lose your phone and someone was so inclined to they could just extract all the data if it was powered on but on the “lock screen,” as most if not all desktop
I never heard about such a possibility. Could you provide some details or links on how this could be done? AI says it's not really possible without very sophisticated instruments.
> It would maybe be possible to somewhat mitigate that with cryptomator or somehow using fscrypt since that’s what Android uses but I dont know
Indeed, GNU/Linux phones can and probably will improve their security with time taking some things from Android.
> Also even for basic things like clipboard protection, even with Wayland there are ways around it so that an app can read anything from the clipboard
You can't just say this without any evidence.
> This doesn’t even get into people preferring Firefox on Linux which is light years behind Chromium based browsers in terms of security.
Unless you switch off JavaScript, which is what I do.