This is awesome and I've been waiting for something like this to come along for a long time. It's crazy how easy it is to get Linux on an ARM based Chromebook, but nearly impossible to get it on a phone.
Android is a security nightmare and most of us are aware of that at this point. On top of that, Android has been moving functionality off the device and into their services for years making their AOSP offering weaker and weaker. Keep up the good work!
Edit: At some point it'd be nice to use a GuixSD or NixOS configuration file as your "one custom package" instead of an Alpine package. Any Linux on bare metal though would be welcome of course.
No, real security nightmares are reserved for things like WannaCry and all of the compromised Linux based IoT devices. You know, things that actually do real world damage at massive scale. As for the state of Android security, unfortunately the analysis and numbers don't really back up your baseless claims.
OK, there are millions of Android users and most users put their personal information on their phone. I think any breach here would be considered gravely significant.
Non-Google branded phones get updates far later than their Nexus/Pixel counterparts if at all. Google and carriers drop devices from updates eventually (2ish years) so if you continue to use your device after that, you're playing with fire.
That's just covering the delivery mechanism, not the inability to set a encryption password separate from your pin, or the vauge permissions groups, or the fact that all apps can see your global clipboard, etc. If users can't get the newest version of their OS software, then you kind of fail at security 101. Any bug fix only fixes a small subset of your users. At least Windows XP device users knew how long they'd get security updates and had a clear upgrade path afterward.
Linux IoT suffers a lot of the the same problems. No one updates embedded devices.
You can draw the "nightmare" semantic line wherever you want, of course. IMHO it's not even remotely secure unless you only and always buy the newest Pixel phone directly from Google. Then we can talk about modern Android security issues.
There are over 2 Billion Android devices that access the Google Play Store each month alone - and I'm not even factoring in all of the Android based devices that don't even have Google Play Services like China. Where are all of these nightmares? When you have the #1 OS in the world, by a large margin, every nefarious organization is targeting you. And how much damage have they inflicted on all of those devices compared to the damage inflicted by Windows and Linux IoT devices?
Incidentally, Apple just released 40 security updates recently. 21% of iOS devices aren't even using iOS 10. Is there going to be a security nightmare for them too?
Android is a security nightmare and most of us are aware of that at this point. On top of that, Android has been moving functionality off the device and into their services for years making their AOSP offering weaker and weaker. Keep up the good work!
Edit: At some point it'd be nice to use a GuixSD or NixOS configuration file as your "one custom package" instead of an Alpine package. Any Linux on bare metal though would be welcome of course.