For those unfamiliar, GrapheneOS is a privacy and security enhanced custom ROM endorsed by Snowden. Despite these big names, plenty of people give it backlash.

Even @TheAnonymouseJoker@lemmy.ml gives it backlash despite being a moderator of Lemmy’s biggest privacy community. A quote here: “grapheneOS trolls are downvoting every single post and comment of mine, and committing vote manipulation on Lemmy. They are using 5-6 accounts.” That was in response to downvotes on a comment posted in the c/WorldNews community, which is entirely unrelated to technology.

One of the reasons is that GrapheneOS can only be installed on Google Pixels due to security compatibility, which makes complete sense considering Android should be most compatible with Google’s own devices. GrapheneOS even lists the exact reasons they chose Pixels, and encourages people to step up and manufacture a different supported device.

One year ago, Louis Rossmann posted this video outlining his reasons for deleting GrapheneOS. Mainly, he had multiple bad experiences with Daniel Micay (the founder and main developer of GrapheneOS) which put his distrust in the GrapheneOS project. Since then, he has stepped down and will no longer be actively contributing to the project.

So, I am here to learn why exactly people still do not like GrapheneOS.

  • Lemongrab@lemmy.one
    28 days ago

    Security through obscurity is not security. There are special considerations that have to be taken on a mobile device. Mobile OSes, while unhardened normally, are still designed to protect against attack vectors that aren’t considered by normal linux. Linux can be hardened, but is very open by default. It also offers no out of the default sandboxing of apps from each other. It isn’t immutable, unless postmarketOS is, which is a large security threat when considering device integrity. Full disk encryption isn’t enabled by default (unless changed in postmarketOS). Root login is enabled by default (a huge attack vector). Linux isn’t secure by default, but more private than any proprietary OS like Windows, iOS/MacOS, ChromeOS, and Android. But Linux because of its open default makes it vulnerable to spying by 3rd party apps installed by the user. It is also vulnerable to attacks from a network.

    I recommend a deblobbed Android ROM like DivestOS (my personal fav and more deblobbed of proprietary blobs than any other ROM) or GrapheneOS. See a good comparison between ROMs here: https://eylenburg.github.io/android_comparison.htm

    For linux hardening, check out Kicksecure for Debian distromorphing, Secureblue for Fedora Atomic (immutable) rebasing, and Brace by DivestOS’s developer for general security hardening of Fedora/RHEL, Debian/Ubuntu, Arch Linux, and OpenSUSE Tumbleweed.

    • ssm@lemmy.sdf.org
      28 days ago

      > Linux can be hardened, but is very open by default.

      yup.

      > It also offers no out of the default sandboxing of apps from each other.

      I don’t use applications that need sandboxing. I would enjoy if OpenBSD’s pledge and unveil were ported to Linux at some point though.

      > It isn’t immutable, unless postmarketOS is, which is a large security threat when considering device integrity.

      How does immutability improve security beyond standard unix file modes?

      > Full disk encryption isn’t enabled by default (unless changed in postmarketOS).

      I used to do FDE, but now I prefer just encrypting the files I actually need encrypted. FDE doesn’t protect you from an attacker that can get access to your phone while it is booted.

      > Root login is enabled by default (a huge attack vector).

      What huge attack vector? It’s just as secure as any account if it’s given a good password. I’d argue sudo/doas is a lot less secure when authenticating to root, since if an attacker knows your user password, they now also have root access.

      > I recommend a deblobbed Android ROM like DivestOS (my personal fav and more deblobbed of proprietary blobs than any other ROM) or GrapheneOS.

      I will use my already deblobbed Linux distribution, but thanks ;)

      • Lemongrab@lemmy.one
        28 days ago

        Did you go to any of my links about Linux hardening? Do you implement any hardening yourself? Do you harden kernel flags or replace malloc with hardened_malloc?

        If PostmarketOS is just ARM linux with minimal changes then it isn’t secure enough for a mobile device. All apps should be sandboxed regardless of whether you can trust the code or developer. Each app expands the attack surface of your device.

        Linux kernel also has proprietary blobs for firmware and device support. That is the difference between Linux normal or libre kernels.

        • ssm@lemmy.sdf.org
          27 days ago

          > Did you go to any of my links about Linux hardening? Do you implement any hardening yourself? Do you harden kernel flags or replace malloc with hardened_malloc?

          No. Why would I need to do this compared to a standard Linux desktop PC? Does having a WWAN radio somehow open me up to some massive amount of exploits compared to another mobile device, say a linux laptop?

          > Linux kernel also has proprietary blobs for firmware and device support. That is the difference between Linux normal or libre kernels.

          I don’t think my hardware (pinephone) needs any blobs (If any, the GPU? Panfrost exists so probably not). It may need proprietary firmware, but firmware doesn’t touch the kernel and is loaded onto the auxiliary device’s CPU, so it’s not as big of a security compromise (excluding CPU firmware). I already replaced the modem firmware with an open source version, so I think I’m fine there.

          • Lemongrab@lemmy.one
            27 days ago

            Point still stands. postmarketOS isn’t hardened. Default desktop linux isn’t hardened. Malware could easily infect your device and exfiltrate data, escalate privileges, modify the kernel, etc. Each of the things I have mentioned (hardened_malloc, immutable OS, hardened kernel, hardened firewall, removal of identifiers, full disk encryption, locking of root login [not the same as invoking root], MAC hardening through SELinux or/and AppArmor, service minimization for reduced attack surface, package manager hardening, secure boot, sandboxing of applications, etc) should be implemented for both Desktop or Mobile Linux to have “good” security. Security is preventative. All of these things come together to create a system better equipped to protect against known and unknown threats, which is especially true for mobile devices which are near-constantly in unknown environments. A vulnerable device is a weak link in the chain of your security, which can be used to compromise your privacy. You may never be attacked or have your device exploited, but that doesn’t make it secure as a result.

            I would love to see an actually secure mobile device that is rid of Google’s stench. Problem is postmarketOS isn’t secure, it’s just default linux on a phone. If it saw large-scale adoption (which we all would like a good alternative to do) it would be easily exploited.

            It says postmarketOS is based on Alpine Linux, which according to Whonix doesn’t meet their threat model and it’s odd to claim “Alpine Linux was designed with security in mind” when Alpine’s package doesn’t pass The Update Framework model. A vulnerable package manager can be used to compromise a system, read more about package management on TUF’s website.
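
Two of the items debated above, locking root's password login (as distinct from invoking root through sudo/doas) and hardening kernel flags, can be checked mechanically. The following is an added example, not code from any commenter or project in this thread; the sample `/etc/shadow` and `sysctl -a` excerpts are constructed, and the baseline values are an assumption chosen for illustration.

```python
# Added example: constructed inputs, not taken from any real device.
SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
user:$6$constructed$notarealhash2:19700:0:99999:7:::
"""
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 0
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1
"""
# Assumed baseline for illustration; for these keys a higher value is stricter.
BASELINE = {
    "kernel.kptr_restrict": 2,
    "kernel.dmesg_restrict": 1,
    "kernel.yama.ptrace_scope": 2,
    "kernel.kexec_load_disabled": 1,
}


def root_password_login_enabled(shadow_text):
    """True if root's shadow entry still accepts a password (or none at all)."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            # A leading "!" or "*" means no password can ever match (locked);
            # sudo/doas still work, because they authenticate the calling user.
            return not fields[1].startswith(("!", "*"))
    return False  # no root entry found


def sysctl_findings(sysctl_text, baseline=BASELINE):
    """Return (key, current, wanted) for each key missing or below baseline."""
    current = {}
    for line in sysctl_text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    findings = []
    for key, wanted in baseline.items():
        got = current.get(key)
        if got is None or not got.isdigit() or int(got) < wanted:
            findings.append((key, got, wanted))
    return findings


if __name__ == "__main__":
    print("root password login enabled:", root_password_login_enabled(SAMPLE_SHADOW))
    for key, got, wanted in sysctl_findings(SAMPLE_SYSCTL):
        print(f"{key}: current={got} baseline={wanted}")
```
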

          • Lemongrab@lemmy.one
            27 days ago

            1. My point was that standard linux should have those things too if it wants to be considered “secure”. Default Linux isn’t secure out of the box without a lot of work. It is more private than proprietary OSes but not more secure, therefore compromising your ability to safeguard privacy as a result. Linux is also a great target for threat actors because the majority of servers run Linux, meaning security researchers and cyber criminals alike are looking for weaknesses. I’d recommend looking into Android’s Security model because it is interesting and gives insight on designing a secure mobile device. Stock Android suffers from OEMs not providing consistent long-term updates for devices, which 3rd party security hardened ROMs like DivestOS and GrapheneOS help to address.

            Extra reading: see Whonix comparison table to see what they look for when choosing a base OS that can be later hardened for security. Note that some things in the table are not security specific but important for anonymity (which Whonix modifies to Kicksecure to better protect). Whonix is a security focused operating system. Here is a comparison of different memory allocators showing their features for preventing different types of exploitation. Memory based attacks consistently are reported to be one of the most common types of attacks.

            2. Here is a link to the Wikipedia page on Linux-libre Kernel. I’m not suggesting this should be the default, was just making a point that binary blobs may be needed in a kernel for compatibility or security (eg updating firmware that is vulnerable when that happens).