what would be the best OS for telephone that can be compatible to Qubes hygiene ?
1 Like
The only os that will look like Qubes OS is Graphene OS although it works differently and can be really painful to use if you compartmentalize it like Qubes OS.
I wrote an intro to Graphene OS because it’s hard to grasp what it does and does not.
This topic might be closed because it is unrelated to Qubes OS.
4 Likes
@solene : thank you for your answer,
what do you think of pine64 phones and cosmo communicator ?
1 Like
I only trust Graphene and it’s only compatible with Google pixel phones
2 Likes
As someone who daily drives mobian on the pinephone pro I can confidently tell you it is not possible with the current hardware to have a sufficiently secure setup. The pinephone pro does not have enough ram to properly isolate the outwardly facing components (cellular, wifi/bt, etc.). There are devices which may or may not come into existence sooner or later like the liberux nexx which would have sufficient hardware requirements to run a compartmentalized OS but 4gb of slow ram is just not good enough. It is an open source and auditable platform for the most part but any one critical vulnerability in system level drivers would lead to a full system takeover and that is unacceptable from a security standpoint. Pair this with the fact that very few if any people are actually paid to develop pinephone pro or linux mobile generally and you get a comparatively unreliable system. This said I think my phone is great and a significant step up from the iphone at a much lower price. Most importantly it is actually MINE in that it is not a locked down planned-obsolescence piece of future e-waste.
2 Likes
Double or nothing.
2 Likes
After switching to Qubes for my laptop/desktop needs, I started thinking that a lot of the security guarantees it offers might be moot when a monolithic OS is used on mobile. After reading Solene’s article on GrapheneOS and exploring other features of GrapheneOS, I think I’ve found something that gets close to a Qubes workflow:
- Separate profiles create the extra isolation to mimic AppVMs
- Owner profile is dom0. Only used for managing profiles (and optionally installing apps)
- Private spaces used as the Vault of profiles, primarily used for the password manager since it shares the clipboard with the parent profile. Clipboard direction can be toggled in settings (bi-directional, only-in, only-out or none). Network access to apps in Private Space can be disabled to mimic an offline VM.
- Inter-VM clipboard and file transfer can be obtained by installing the Inter Profile Sharing app. This app exploits a known bug in GrapheneOS’s networking to allow sharing of the clipboard and files via localhost between different profiles.
Unfortunately the security boundary is not as strong as Qubes given a kernel level exploit in one profile could compromise the entire phone and thus all profiles, but it’s the closest I’ve found to a Qubes workflow on mobile. Backing it up also seems to be more of a PITA than Qubes since you need to back up each individual profile.
There are other upsides however, like the profiles having individual PINS/passwords protecting them which Qubes doesn’t have (afaik).
Feel free to correct me if I am wrong anywhere here.
2 Likes
I think you used a very good word here: “mimic”
Yes, separate profiles only “mimic” AppVMs, they are not the same. The security of a sandbox is far less than that of a VM.
Again, it only mimics dom0. It is neither completely offline nor provide security and isolation like dom0.
Disabling internet access for individual apps does not even come close to a truly offline VM.
Unfortunately most people on the GrapheneOS forum live under the illusion that GrapheneOS is equal to, or even superior in security to, Qubes OS.
That said, there is no other OS available for mobile devices that comes anywhere close to GrapheneOS in terms of security.
But mobile devices are fundamentally not designed for high security. Anyone truly serious about security and privacy should abandon mobile devices entirely.
Since that isn’t practical for most people right now, GrapheneOS remains the best, and really the only, viable choice.
2 Likes
I generally agree with the other participants in this topic regarding GrapheneOS as a recommendation, but it is not necessarily compatible with the Qubes OS workflow because everyone has different use cases and threat models.
3 Likes
And after a year of daily use, I drastically reduced compartmentalisation because it’s too unusable otherwise, in my case.
1 Like
I have actually read the opposite - that mobile devices are more secure. Maybe not as secure as QubesOS but certainly more secure than monolithic operating systems.
GrapheneOS remains the best, and really the only, viable choice.
I think in most threat models iPhone is just as good as GrapheneOS. I mean Israel even went as far as banning Android phones altogether for the IDF in favour of iPhones, so I think in 99% of cases iPhone is also a viable choice.
2 Likes
IDF move doesn’t mean iPhones are magically “just as good” as something like GrapheneOS (or more), especially if we’re talking serious security/privacy. It’s more pragmatic, Apple forces updates longer, locks down the ecosystem harder, and makes it tougher for casual hackers. But when it comes to nation-state level stuff, iPhones have been getting absolutely hammered by zero-click exploits. And funnily enough, a lot of those come from Israeli companies.
Take Pegasus from NSO Group (Israeli firm), they’ve hit iPhones over and over.
Other Israeli spyware outfits like QuaDream or Paragon have pulled similar stunts, exploiting iOS flaws for remote, zero-click malwares. High-value targets often use iPhones because they’re “secure,” which ironically makes them juicier for these tools. iOS has taken a beating precisely because of that perception.
Pretty much all the big zero-click malware are mobile-only. Phones are always online, always reachable via cellular/SMS/iMessage etc, with baseband chips
running shady closed firmware that’s ripe for remote exploits. On the other hand, no one’s ringing your laptop’s “phone number” to pwn it silently.
At the end of the day, mobiles (even iPhones) are convenience machines first, always connected, always carried, always exposing more surface. That’s why zero-clicks thrive there.
There are a few of Edward Snowden’s tweets worth mentioning here:
https://x.com/Snowden/status/1175424613909766144?s=20
But as long as your phone is turned on, even with “location permissions” disabled, the radios in the phone that connect it to all the nice things you like are screaming into the air, reporting your presence to nearby cell towers, which then create records that are kept forever.
https://x.com/Snowden/status/1175430722733129729?s=20
If I were configuring a smartphone today, I’d use @DanielMicay’s @GrapheneOS as the base operating system. I’d desolder the microphones and keep the radios (cellular, wifi, and bluetooth) turned off when I didn’t need them. I would route traffic through the @torproject network.
1 Like