I can’t talk for others I’m personally interested in Linux phones (I have 2, PinePhone and PinePhone Pro) because I do not want to rely on Android because it’s lead, maintained and basically in practice owned by Google.
I would also much prefer to have “just” Linux because I know it better and because IMHO we reached a point, already few years ago, where “mobile” does not mean much anymore. “just” a computer with a battery is enough due to the power available.
IMHO the SteamDeck is the existence proof of that.
While lots of this is problem of desktops in general, but:
Linux applications can access your entire home folder, which likely contains most of your data. It can also access e.g. state of other applications, which can be bad.
While flatpak somewhat mitigates the issues, it is half-baked: permissions are granted directly when you install the app, and user has to manually revoke the permission - Needing e.g. FlatSeal for this is insane as well. With Android/iOS, the user only grants permission when needed, which reduces lots of attack surfaces.
Doesn’t too many apps want your home folder access by default? If you think about it, it is a huge security issue - you basically have to trust the app to keep your secrets intact.
Mic access can be very problematic, esp when it would be enabled by default if app requests it. Although I don’t know to which extent this would be abused.
The “know it better” is, I think, a big argument, that’s imo often a bit overlooked. Android does not have that much “tinkers” as “proper” Linux has. For the average Gnome DE @ Ubuntu user, Android forks are fine. But if you’re the kind of person, who optimizes their Arch system with cool scripts from Github, you won’t get the same experience on LineageOS. I know Termux is a thing but that feels more like a workaround.
Edit: Had to reword the comment, because people thought I was talking about malware and supply chain attacks.
Edit2 to clarify my point: I think big downside of Android is that if you want to tinker with it, you basically have to be an android developer. With “proper” Linux the barrier to entry is smaller and the learning experience is more granular. Hence why we think “we know ‘proper’ Linux better”.
Android does not have that much “hackers” as “proper” Linux has
It’s hard for Android to have hackers precisely because Google and manufacturers are trying their best to prevent that. They do not allow rooting, they blocks features on rooted devices, etc. So they do their absolute best to keep on exercising control despite collaborating on open source software.
… so why are eg flatpak apps less secure than Android ones?
And Play & Apple stores are full of unchecked scam apps. They basically are solving this by securing the os more. Yet apps (even Instagram) can still take pics without your action. I assume they listed in on you too.
The app (& SDK) argument I think has more to do with user- and dev-base. Something that Microsoft failed at in the mobile market. So basically we need a quality/seamless way of running Android apps on Linux.
And since we can run Win games on Linux very nicely I think this wouldn’t be that much of an issue … Tho minimal industry support (eg banking apps) is still needed.
I worded my comment badly. I was not talking about supply chain attacks, rather the ability to tinker on “proper” Linux which you don’t get on Android.
we need a quality/seamless way of running Android apps on Linux
Like Waydroid? There was a thread recently on that and it seemed (even though not necessarily a representative sample) most people used it for… games, not “actual” applications. They were NOT used for banking apps also (at least I don’t remember anybody mentioning that) because I bet most people just go on their bank website for that.
The issue is that the banking app is often the only way to get 2 factor authentication. The other way is to use SMS but that can be hijacked by social engineering attacks so it cannot be considered secure.
I can’t talk for others I’m personally interested in Linux phones (I have 2, PinePhone and PinePhone Pro) because I do not want to rely on Android because it’s lead, maintained and basically in practice owned by Google.
I would also much prefer to have “just” Linux because I know it better and because IMHO we reached a point, already few years ago, where “mobile” does not mean much anymore. “just” a computer with a battery is enough due to the power available.
IMHO the SteamDeck is the existence proof of that.
Can you please clarify?
While lots of this is problem of desktops in general, but:
The “know it better” is, I think, a big argument, that’s imo often a bit overlooked. Android does not have that much “tinkers” as “proper” Linux has. For the average Gnome DE @ Ubuntu user, Android forks are fine. But if you’re the kind of person, who optimizes their Arch system with cool scripts from Github, you won’t get the same experience on LineageOS. I know Termux is a thing but that feels more like a workaround.
Edit: Had to reword the comment, because people thought I was talking about malware and supply chain attacks.
Edit2 to clarify my point: I think big downside of Android is that if you want to tinker with it, you basically have to be an android developer. With “proper” Linux the barrier to entry is smaller and the learning experience is more granular. Hence why we think “we know ‘proper’ Linux better”.
It’s hard for Android to have hackers precisely because Google and manufacturers are trying their best to prevent that. They do not allow rooting, they blocks features on rooted devices, etc. So they do their absolute best to keep on exercising control despite collaborating on open source software.
… so why are eg flatpak apps less secure than Android ones?
And Play & Apple stores are full of unchecked scam apps. They basically are solving this by securing the os more. Yet apps (even Instagram) can still take pics without your action. I assume they listed in on you too.
The app (& SDK) argument I think has more to do with user- and dev-base. Something that Microsoft failed at in the mobile market. So basically we need a quality/seamless way of running Android apps on Linux.
And since we can run Win games on Linux very nicely I think this wouldn’t be that much of an issue … Tho minimal industry support (eg banking apps) is still needed.
I worded my comment badly. I was not talking about supply chain attacks, rather the ability to tinker on “proper” Linux which you don’t get on Android.
Android is a semi-immutable (heavily modified and basically owned by Google) distro that runs app in sandboxes.
What is the difference?
Like Waydroid? There was a thread recently on that and it seemed (even though not necessarily a representative sample) most people used it for… games, not “actual” applications. They were NOT used for banking apps also (at least I don’t remember anybody mentioning that) because I bet most people just go on their bank website for that.
… people miss Android … to play Android games? Omfg.
The issue is that the banking app is often the only way to get 2 factor authentication. The other way is to use SMS but that can be hijacked by social engineering attacks so it cannot be considered secure.
Can you please share an example? I’d be curious how that would work, especially if it works while understanding how it works.