this post was submitted on 09 Feb 2024
Linux Phones
For a non-technical guy, in what way is /e/os insecure?
It is built on regular Android which is okay secure. Then they add microG which is less secure than the Google Play services as they leave out checks, and don't have such a secure connection to the servers.
Also microG is Google code. Less code, but with full access to your device, no isolation at all. This includes personal information and permanent unchangeable device IDs.
MicroG may also be a vector for Pegasus etc, just like Play Services, at least I assume that.
MicroG is not privacy friendly, as all apps that depend on Google stuff already include the Google Play Libraries and SDK themselves. They could already do many things without any Play services installed.
Just that with microG they get privileged access to the device, while with sandboxed Play services they don't get any more than they already have.
I don't even know what browser they preinstall, but they stated to use Bromite as WebView, which is unmaintained.
Also they ship QKSMS, an overly complex app that is also not maintained anymore.
In general if they bundle in tons of apps installed in the system partition (not sure if they do but if they are preinstalled this implies that). But that would give them full access to your stuff.
System apps cannot be uninstalled, while sandboxed Play can be installed, disabled, removed etc how you want. And it is not installed by default.
MicroG is also highly unreliable. Apps may need more Google stuff to work, which is not included. Google might increase security requirements, and microG may completely stop working.
MicroG is sandboxed on DivestOS, which is still less secure/reliable than sandboxed Play though. The app needs to fake Signatures to work, which is privileged access and only works when the security level of such verification is very low. (There is for example SafetyNetFix which also supports the Play Integrity simply by disabling hardware authentication, which is really insecure.)
They don't implement any of GrapheneOS's security features.
Don't get me wrong, I am sure Murena is a good company. And shipping microG (often needing to be manually flashed) on LineageOS which people install on their own, is tolerable. But it's very unreliable software, and as soon as you sell a device you are responsible for that. It is extremely irresponsible of Murena to ship such an OS.
Some links as I am just parroting what smarter people told me:
Thanks for the answer. I’ll look a bit more into that and see if it would be a deal breaker for me.
Your arguments are right, indeed, though they are rendered a bit moot when we're in a thread discussing Ubuntu Touch, which is like, 10 times more insecure than any custom Android ROM, since it uses a desktop Linux security model pretty much.
True. I still suppose up to date Linux is better than outdated Android
Ubuntu Touch is not even that up to date, really. It only recently rebased to 20.04 from 16.04 and 20.04 will go EOL next year, while there are still no promises on how they plan on transitioning to the next LTS release (I get that they're a team of volunteers while Google is a massive corporation, but working on what was essentially abandonware to begin with was likely a disservice, as other mobile Linux distros can follow the upstream a lot more closely than Ubports does).
True. Crazy, 24.04 is soon out.
Mainline Kernel support is coming to modern phones. That would make porting a bit easier.
But the question may be why you would even want that, as phones have nice ecosystems. While my Laptop breaks all the time, my GrapheneOS never does.
I have heard that 20.04 will be supported until 2027.
They’re still adding features in the latest update.
Also in their blog they said they’re planning to upgrade to Ubuntu 24.04 base OS when that comes out.
Only if its support period somehow got extended, normal LTS support period is 5 years.
Must have missed that then. That's reassuring, in that case.