Comment by well_ackshually
6 hours ago
Fundamentally, not enough. Linux's default security mechanisms are simply too weak for something as potentially hostile as a mobile device. Firejail is a good start, but proper user isolation as Android does is the right solution (each app is a different user, and accessing their data/user data is only done through Providers, or IPC), and anything else is naively trusting and not enough, no matter how many layers of sandboxing and suid-ing you do. Doubly so when all of its apps are written in C++. Can't wait to deal with use-after-free on my mobile device.
In addition, its compatibility with android apps is also chains: why would I bother developing for sailfish (especially since it involves Qt / Qt Creator) when I can just develop an Android app, and say it'll run well enough (unless it needs play integrity, which is the same problem, or somehow falls behind in android/androidx compatibility)
> Linux's default security mechanisms are simply too weak for something as potentially hostile as a mobile device.
Honest question: why are mobile devices more hostile than laptops/desktops?
It is _the_ 2FA device. from SMS, to authenticators, to password managers, etc. It also has access to all of your personal information, your pictures, your contacts, your email. It actively receives notifications and messages from the outside world, from potentially any sender. It's connected through WiFi, GPS, 5G, bluetooth, UWB, every possible connection system imaginable. It can listen to your phone calls, read your text messages, interact on your behalf with pretty much everything in your life, and is a single facial recognition away from automating emptying your bank account. Not to mention the fact that mobile software does tend to want to at least survive a little bit when offline, so plenty of data is stored locally.
It's a key to your life. The perfect target for any attacker.
My Linux laptop is my 2FA device (email), it holds my passwords, and personal data like photos, contacts, email. It receives notifications and messages from outside world from potentially any sender. It connects through Wi-Fi, Bluetooth, Ethernet, 5G (built in WWAN). It even has cameras, microphones and I use it for my online banking and shopping. The only reason why smartphones "need" to be ultra secure is because everyone and their mother have one and the truth is most people can hardly tell a difference between their head and their butt.
You just described a computer. There is nothing in your list that is mobile specific.
They aren't, unless you want to run untrusted apps outside of a distribution.
Flatpak sandboxing is a thing however, and probably good enough in the meantime.
Flatpak sandboxing is not good and development is very slow.
1 reply →
Because regular users (non-techies) install all kinds of apps on their phones, from all kinds of sources/vendors, but not on their desktop. Most people use only a handful of applications on their desktop (browser, office suite, …) but they have dozens if not hundreds of different apps on their phone.
> Linux's default security mechanisms are simply too weak for something as potentially hostile as a mobile device.
Linux has SELinux as a default option which Android makes good use of, some forks more than others, and setup correctly it is better than user isolation. You could also recreate the protection user isolation provides through policy alone.