Android
The new home of /r/Android on Lemmy and the Fediverse!
Android news, reviews, tips, and discussions about rooting, tutorials, and apps.
🔗Universal Link: !android@lemdro.id
💡Content Philosophy:
Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.
Support, technical, or app related questions belong in: !askandroid@lemdro.id
For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id
📰Our communities below
Rules
-
Stay on topic: All posts should be related to the Android OS or ecosystem.
-
No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.
-
Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.
-
No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.
-
No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.
-
No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.
-
No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.
-
No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.
-
No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!
-
No affiliate links: Posting affiliate links is not allowed.
Quick Links
Our Communities
- !askandroid@lemdro.id
- !androidmemes@lemdro.id
- !techkit@lemdro.id
- !google@lemdro.id
- !nothing@lemdro.id
- !googlepixel@lemdro.id
- !xiaomi@lemdro.id
- !sony@lemdro.id
- !samsung@lemdro.id
- !galaxywatch@lemdro.id
- !oneplus@lemdro.id
- !motorola@lemdro.id
- !meta@lemdro.id
- !apple@lemdro.id
- !microsoft@lemdro.id
- !chatgpt@lemdro.id
- !bing@lemdro.id
- !reddit@lemdro.id
Lemmy App List
Chat and More
view the rest of the comments
Would you care to elaborate with specific examples?
Since the original user doesn't actually know the answer to the question asked, its because
Mobile Linux doesn't support any sort of verified boot like android does, leaving it open to evil maid attacks
Mobile Linux doesn't sandbox applications as well as android, leaving it open to spyware (Think Facebook intercepting Snapchat DMs, not old school steal your credit card spyware)
and I feel like there's a third major big thing but I can't recall it at the moment. Android's security model is genuinely one of the most secure out of any modern operating system. I'm all for Linux phones, but they need to prioritize parity with Android security before I daily drive one.
Yeah, I though of those two & it's just a thing that would get/will get developed if we get to daily drive Linux phones, imho.
Its not like it didn't take Android years to get those two aspects covered.
I mean if you want to get technical, KitKat (4.4 in 2013) introduced verified boot. So from Android 1 to 4.4, it took about 5 years. I believe some form of sandboxing has always existed in Android, but the earliest version I can find online was in Android 5.
I feel like with the backing of Google, they were able to implement such tight security in their mobile OS without much pushback. Mobile Linux in it current state is entirely hobbyists with very few daily drivers. Unless someone can release some stunning Linux mobile hardware that a lot more enthusiasts buy I don't think we will see any sort of major progression in mobile Linux for some time, as the current method most mobile Linux uses is replacing the bootloader on the phone with an open source implementation which takes a lot of man power to achieve, and it would take even more to make it secure.
I would absolutely love to be proven wrong about the time frame however. The sooner secure Linux phones hit the market, the better the world will be.
Didn't know/remember about KitKat verified boot, but the sandboxing thing was prob just to kernel & perhaps some system files, def not user or hardware such as cameras. Including between apps & phone contacts, etc.
And I totally agree about lack of Linux phones (as hardware), the phone market with its size & megacorp subsidies to preinstall spybloatware is a giant hurdle.
And the real reason for closed sauce drivers (as a practice, not as if they should open-sauce old hardware now - that's a security risk for unsuspecting folk & iot ... but we could def transition the practice).
Thank GOD. Application sandboxing makes my Android phone UNUSABLE as a daily driver.
Let the people who can't manage their own software vetting stay with Android and GIVE ME ACCESS TO MY FILE SYSTEM.
I'm not really sure what about the sandboxing makes it difficult to use. Most of the permissions are switches you can just toggle on or off. You can also root phones that run custom Roms (which are the only phones that are worth a damn IMHO) if you really want access to the entire fs.
You're more than welcome to use a less secure system, but most people would generally prefer a secure one.
There's no "mobile Linux". Linux supports Secure Boot just fine, and if a distro wants to sandbox applications that too is done by just configuring Linux to do so (after all, that's what Android does).
Find me a phone that supports secure boot (which is not the same as verified boot btw), and a distro that will run on that phone that properly sandboxes applications (Flatpak does not count, as there are still many security flaws and missing xdg-portals in its implementation.)
Why? That has nothing to do with the topic we're discussing. You can configure Linux as Android does it, or choose not to.
(Secure Boot is what enables "Verified boot" - which is just Android's name for a common sense secure boot loader implementation which is the norm in well protected IoT systems etc)
/ex Sony Mobile dev, nowadays IoT hw/fw ethical hacker
are you being serious with me right now? what about my question wasn't "on topic"? If the hardware and software don't exist, its not going to happen and you're making a hypothetical argument to a factual statement.
I would love some more open hardware. I think it is possible for it to happen as long as there is a market for it. The difficult part is getting a 5G chipset that isn't completely tied to a vendor kernel.
Linux does not suck on phones regarding security. Linux is what brings the security mechanisms faulty ascribed to as being "Android's". See previous posters claiming it was all "extensive modifications" by Android and not just Linux security mechanisms.
Feel free to get a Fairphone 4, sign your Ubuntu Touch image with keys supported by the chipset and off you go. The fact that no one is selling you that has no relevance whatsoever to whether "Linux" supports it.
Android boots in layers that are encrypted with different keys. The first key in the TPM enlocks the base OS up to the lock screen. From there a pin is entered and the rest of the system is decrypted.
If a compromise happened in the OS the phone would just fail to boot since the integrity of the system is validated by the TPM.
Yes, that's how a normal bootchain works in every system ever - like the IoT device running Linux I'm right now working with.
It doesn't though
Standard Linux doesn't check for tampering since that requires hardware and firmware support.
I'm sorry but you really have no idea what you're talking about. Several distros ship with SELinux and Secure Boot by default.
Linux doesn't have the same permission controls. SElinux profiles would need to be manually configured for each app which would take a lot of time.
Mobile linux also doesn't support measured boot which is what is used to protect the system in the case of theft. Before I consider mobile Linux it would be nice if there was a detailed security review of the entire system.
I think this will sort itself out quicker if you show me what "mobile linux" is.
A Linux distro made for mobile devices? Like Plasma mobile, or Ubuntu touch, or Sailfish os
Ubuntu Touch, Postmarket OS and others
You're talking about specific distros as if they're some specific variant of Linux. That's not how it works. Linux is Linux, and if you want to sign your Ubuntu Touch image please go ahead.
The mobile linux tends to leave root access enabled plus it doesn't sandbox apps in the same way as Android. If you visit a web page that manages to exploit your web browser all bets are off since lateral movement is trivial inside the OS.
Android on the other hand has strong sandboxing and permission control which means that a compromise in one place shouldn't be able to jump to other places. Android also restricts filesystem access so even if an app is compromised it is difficult to maintain persistence.
Phones has lots of sensors and are great for tracking people. I would rather that my phones OS be extremely secure so that I'm not the victim of spyware.
One thing Google seems to be able to do right is security. Android has a strong security architecture that is highly robust. You can straight up download malware or lose your phone and everything stays safe.
I'm not saying it would be impossible to create a OS that is as secure as Android. However, it would take some very serious work and would likely mean building something from scratch with APIs for permission requests.
Do you have examples where that isn't the case?
Linux phones tend to just be the desktop versions of desktops adapted for a smaller screen.
Android has well built ecosystem with strong privacy and security features not really found anywhere else. The entire system focuses on least privilege with strong security isolation so even if you do download something bad it will have a hard time doing real damage.
Errrrmmmm I think this is just an issue either with your choice of distro or your approach to security.
The Linux ecosystem has by far some of the greatest security technologies available for modern operating systems. Android is a Linux distribution after all.
Most of the issues with Linux on a phone so far is more the hardware and architecture to support and integrate the hardware.
Major mobile device manufacturers have secure enclaves, cryptographic co-processors, advanced face/depth cameras, fingerprint readers, etc. The system architecture needs to be tailored to the hardware and security architecture for the threat models mobile devices face that you want to mitigate.
iOS is Unix deep under the hood, Android is Linux deep under the hood. The issues here aren’t with the kernels, they’re with userspace, hardware selection, and perhaps the odd supporting driver, service, or interface.
Current Linux doesn't come close to Android. I wish it did but you still need root access and permission controls leave something to be desired. I think that is mostly fine for desktop but on mobile the stakes are much higher since spyware could have much more access.
I’m not trying to be rude but none of these points are true. I imagine you’re confusing a single Linux distribution and their architecture with being representative of Linux as a whole. You can indeed spin an unprivileged, immutable distribution with SELinux for MAC, hardened kernel, and so much more, which would blow Android et al out of the water.
Source?
I'm basing this all on the Android documentation along with my experience on desktop Linux. I would love if there was a Linux system that was as solid as Android but I haven't seen anything as of yet.
Build it. Gentoo, Arch, and any other minimalist distro where there’s less userspace fluff out of the box can easily be configured to be incredibly hardened.
Your looking for a desktop distribution that doesn’t really exist out of the box (perhaps Qubes). Android is a mobile OS for a reason and has a different architecture in userspace to accommodate for is threat model and use cases.
Just because desktop distros don’t typically lock down userspace out of the box doesn’t mean it’s not possible.
Edit: Here’s some examples:
Plague Kernel
Hardened Arch Linux
SELinux for MAC
Kernel lockdown
Immutable distro BlendOS
Bubblewrap sandboxing
Firejail sandbox leveraging hardened malloc
Hardened Alpine Linux
I don’t think there’s a distro that goes as hard as mobile except maybe some based on flatpaks rather than package repos of libs and bins. But you can piece your own together based on your requirements and personal threat model.
Android is Linux, and uses regular Linux security mechanisms.
That's not the case. Android is extensively modified in order to have sandboxed applications only and restrictive hardware permissions.
Run any executable on Linux. Likely by default it can access ~/Photos and the webcam. Android doesn't allow that
Flatpak?
And some level of immutability?
It doesn't seem like much of a step for Linux distros to cover the "gap" if/when we get any sort of viable mobile options for eg 1% of the market.
Flatpak has promise but the sandbox much weaker than Android. I wouldn't run anything untrusted with it as sandbox escapes are likely possible. Bubblewrap is highly portable at the cost of being less secure. Kernel level sandboxing such as SElinux and Namespaces are much more bulletproof since they leverage the kernel.
Honestly if you are building something from the ground up I would instead focus on virtualization since the Linux kernel isn't exactly free of security issues.
I've looked at a couple linux phones and those tend to be designed with hardware switches for antennas and cameras, which I would argue are more secure
A hardware switch for software accessing a directory?
"uses regular Linux security mechanisms" is true regardless of whether any distributions you use configure them the same way or not.
https://source.android.com/docs/security/features
Android also doesn't require root for basic functionality
Sort of
It does use SElinux but the user space software is all Android specific.