Graphene OS Vs Linux OS
Librem 5 / Pinephone
Graphene OS or Linux OS
Graphene OS and Linux OS mobile phones are very different when it comes to privacy and security. Keep reading to review a facts based comparison and decide for yourself — David
We also DeGoogle Pixel Phones with Graphene OS and express post Australia Wide and to NZ UK EU CA.
Linux OS
Linux phones [phones that run a Linux OS] such as the Librem 5 or Pinephone, are a major degradation from traditional mobile operating systems, such as Android or iOS. A few of the points in this article do apply to the Librem 5 specifically, but the majority applies to any Linux OS phone [unless specified otherwise].
The Facts
Linux phones lack any significant security model, and the points from this Linux article apply to Linux phones fully. There is not yet a single Linux phone with a sane security model. They do not have modern security features, such as full system MAC policies, verified boot, strong app sandboxing, modern exploit mitigations and so on, which modern Android phones already deploy.
Distributions like Pure OS are not particularly secure. They are mostly a re-skinned Debian OS and do not include substantial hardening. While AppArmor is enabled, the majority of processes still run unconfined, so that is mostly negligible. Pure OS changes a few security-relevant settings, but these are also mostly negligible:
Pure OS does not apply the exec-shield patch, so that sysctl doesn't even exist in the first place.
The purpose of disabling kexec is to prevent root from booting a malicious kernel, but root can do so many other things to modify the kernel, such as loading a kernel module.
Attempting to hide kernel symbols via
kptr_restrict
ignores the fact that they're clearly visible in theSystem.map
file on disk, among other sources.And finally, disabling source routing is already a Debian default.
Pure OS also uses linux-libre. This will prevent the user from loading any proprietary firmware updates, which just so happens to be almost all of them. The Librem 5 prevents the user from updating new firmware even with an alternative kernel, which forces the user to use outdated and insecure firmware with known vulnerabilities. The hardware itself lacks many modern security features too, such as proper verified boot, a hardware-backed keystore (some PGP smartcard is not equivalent) and more. Although one way to fix the issues in software would be to install a more sane OS like Android or its derivatives, such as GrapheneOS, if support for the hardware was added. Keep in mind though that it would still lack important hardware and firmware security features like verified boot, so it still isn't close to a normal Android device. These devices are also not open hardware/firmware unlike what they try to imply. The majority of the hardware/firmware is still proprietary.
Hardware Kill Switches
Hardware kill switches are nothing but marketing frills. The microphone kill switch is useless since audio can still be gotten via the sensors (such as the gyroscope or accelerometer). While the Librem 5 does have a "lockdown mode" that disables the sensors, it also requires flipping all of the other switches, including the network switches, which effectively turns your device into a brick just to prevent audio recording. The network kill switch has two primary threat models: preventing cell tower triangulation, or preventing data exfiltration after the device has been compromised. The switch is useless in either of these threat models:
To prevent cell tower triangulation, you can simply enable airplane mode and it is just as effective.
The network kill switch is useless for preventing data exfiltration since the attacker can just wait until you toggle the switch on again to exfiltrate data. If you need to temporarily disable network access, you can use airplane mode. Airplane mode can be disabled via a software vulnerability, but if an attacker has those capabilities already, then they can also simply sit and record any sensitive data and eventually upload it once you re-enable the hardware network kill switch, making it no more effective than airplane mode.
The camera kill switch can be useful as a small usability improvement, but it is really no better than some tape.
Modem Isolation
Modem Isolation isn't anything special. For example, Qualcomm SoCs have isolated the modem via an IOMMU for years, among others. The unorthodox way in which the Librem 5 attempts to isolate the modem is via the Linux kernel USB stack, which is not a strong barrier, as shown in the Linux article.
There is also a lot of misinformation as to how the modem being on a separate chip means it's isolated — this is completely untrue. Just look at how, for example, FireWire can be abused for DMA while being completely separate from the rest of the hardware. Whether or not the modem is on a separate chip is irrelevant to if it's isolated.
Graphene OS - Additional Hardening
Graphene OS improves upon AOSP [Standard Android] security with significant hardening:
Hardened WebView: Vanadium WebView requires 64-bit processes on the WebView process and disables legacy 32-bit processes. It uses hardened compiler options such as -fwrapv and -fstack-protector-strong, which can help protect against stack buffer overflows. APIs such as the battery status API are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means that apps which use WebView will also benefit from Vanadium's hardening. The Vanadium patch set is a lot more comprehensive than Lineage OS's Chromium patch set which is derived from it.
Hardened Kernel: Graphene OS kernel includes some hardening from the linux-hardened project and the Kernel Self Protection Project (KSPP). Lineage OS uses the same kernel as regular Android with some minor modifications.
Hardened Memory Allocator: Graphene OS uses the hardened malloc subproject as its memory allocator. This focuses on hardening against memory heap corruption. Lineage OS uses the default AOSP Scudo Malloc, which is generally less effective. Hardened Malloc has uncovered vulnerabilities in AOSP which have been fixed by Graphene OS such as CVE-2021-0703.
Secure Exec Spawning: Graphene OS spawns fresh processes as opposed to using the Zygote model used by AOSP and Lineage OS. The Zygote model weakens Address Space Layout Randomization (ASLR) and is considered less secure. Creating fresh processes is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an old device with slow storage such as the Pixel 3a/3a XL as it has eMMC.
Please note that these are just a few examples and are not an extensive list of Graphene OS's privacy and security hardening. For a more complete list, please read our Understanding Graphene OS page.