Hacker News new | ask | show | jobs
by nicce 1743 days ago
I have no idea how Linux phones are different, but if you compare Android to traditional Linux, app sandboxing is huge difference alone. Is anyone implementing it? How are app specific permissions handled? How full e2ee or secure boot is implemented? By default, you have to add alot in top of Linux kernel.
2 comments
goodpoint 1743 days ago
> app sandboxing is huge difference alone. Is anyone implementing it?

No, sandboxing exists in Linux and tools like firejail are built-in in Debian/Mobian.

> How are app specific permissions handled?

With fine grained security profiles.

Besides, this is all largely irrelevant when the average android TORCH app is a blob of closed source code that can do telemetries.

Contrasted to FOSS applications developed in the open, reviewed by package managers and users, built reproducibly.

> How full e2ee or secure boot is implemented?

It's there and it works. And secure boot is really unimportant for the attack vectors of most phones.

> By default, you have to add alot in top of Linux kernel.

Not at all, it's all supported by seccomp, cgroups and co.

link
m4rtink 1743 days ago
For one, apps in a Linux distro are generally built from source on distro infrastructure, often maintained by a separate person - the distro maintainer - from the original authors of the software. With the source code fully in the open like this, its much harder to slip in user hostile behavior, without anyone noticing and doing something about it.

In comparison on Android or iOS Autors directly upload unauditable binary blobs to an app store that then pushes app updates without almost any user control, often fully automatically. Sandboxing makes more sense in this context as a result.

link
nicce 1743 days ago
Unauditable binary blobs will come to Linux phones as well, if they hit the mainstream. It should exists on phones already if the want to say that they are privacy friendly.

There area already many closed source apps such as Spotify client or Slack. Nothing is stopping those apps to read your browser cookies if they want, in case they are installed as regular apps and not sandboxed.

link