The article seems to concentrate on the lack of security of the software (which is arguably true) and the hardware (that I can't really opine on in a reasonable manner) - but I think before security, usability would be much more important.
There is still no real Linux (or any kind of FOSS) mobile-oriented user application scene. As long as a mobile Linux distro is a hacked together desktop distro, I think this should be improved.
At this time it's a pain to use these phones. Hacking them (in the sense of evil hackers with balaclavas over their heads) is an even bigger pain (unusual things usually panic the kernel) - and the reward is very small (as due to the pain very few people use them in a serious manner).
> Linux phones lack any significant security model [...]. They do not have modern security features, such as full system MAC policies, verified boot, strong app sandboxing, modern exploit mitigations and so on, which modern Android phones already deploy.
Fair enough, not untrue. But same goes for most modern Linux server/desktop distros.
The point being the threat model, where Linux users are generally expected to understand what they are doing. Whereas with Android and iOS there is a (mildly curated) ecosystem of millions of apps pushed onto users. The apps are an obvious attack vector for all kinds of privacy invasion and worse mischief, that need to be mitigated by sandboxes, privilege management, signed images, etc.
Not saying a Linux phone doesn't need those protections in depth, but come on; Librem / Pine are in their infancy, give them a break. If I get a Linux phone to call people, make photos and run Firefox — I'm happy! Much rather have developers invest time in hardware support, battery life, etc. upstreaming contributions into the kernel, than waste their time going re-doing Android.
Moreover, it's a sad security blog. I always think it's sad when security professionals limit themselves to talking/writing/teaching about security, pointing out problems.
The happier security blogs are those that then go on contributing/demonstrating solutions to security problems. Why not start from what can I, as a security professional do to fix some of these problems?
> what can I, as a security professional do to fix some of these problems?
Informing companies about the flaws in their products is one of the major things a security professional can do to fix some of these problems.
Alternatively, they could get hired by Purism, convince the CEO to put major investments into an OS overhaul and work closely with several teams of programmers to secure the software. Should be doable with minor mind control powers and a couple years of runtime.
The hardware is out there and can't be altered. The software is out there and is the result of decades of hard work. Many of the fixes are out there already, but the company writing the software hasn't looked for them or didn't care to include them.
What exactly do you expect one single security-aware customer to do about this? Best you can do with a blog is warn about the security risks of practically any Linux phone so that people who care about security know the risks and snakeoil involved, and probably just buy an iPhone or Samsung if they really care about not getting hacked.
> Informing companies about the flaws in their products is one of the major things a security professional can do to fix some of these problems.
Yes, but it is a common misconception that "informing others" is at the core of their contribution. I think it is mostly rooted in what earlier generations of security professionals were doing, i.e. researching and reporting.
There are merits to knowing the unknowns, but if this happens in a vacuum, it merely causes FUD and stasis, not solutions. (Warranted FUD, but nevertheless fear, uncertainty and doubt.)
In many cases (especially with more modern security professionals) the ones finding the problems have the skills, means, time and resolve to do something about it as well. I therefore invite those to get into the trenches and do the tough work of contributing fixes and improvements, balancing their pet peeves against other aspects, features, etc.
You don't need to convince the Purism CEO of anything, it's all open source. If you feel an overhaul is needed, give it a go. I'm sure they'll consider it if it's an improvement, and if not, have their customers decide.
> What exactly do you expect one single security-aware customer to do about this?
We're talking about a hobbyist device. Battery issues. Tinkering. Enthusiasts. Not some mass market bling relied upon by millions.
A single security-aware customer of Pine/Purism hardware is likely to be a tinkerer too. On her/his own, she/he can't fix everything — you need a community. But a single customer can't expect their Linux phone vendor to fix everything either. This isn't Apple or Google.
If a single customer writes a critique on software design, people shrug. But for some reason, if the critique is not about esthetics, performance or ease of use but about securitah, there is often this kind of entitlement that their critique should be taken seriously, instantly.
Sometimes, the "security expert" wouldn't know how to fix the problem they found. But often they do have the skills, but somehow are afraid to get their hands dirty. I think that's sad.