I originally posted this in the GrapheneOS Discussion Forum, but for obvious reasons I think it might be useful to get a perspective about this from this community as well. Be aware I’m not a Qubes user, so please excuse (but definitely correct!) anything I might have gotten wrong. I hope this will not be understood as an attempt to generate hate; my intention is only to learn about the benefits of two great options. I’m curious about what you have to say!
Much has been said about the increased security that mobile OS like Android and iOS offer over desktop OS. They are designed from the ground up for a hostile environment, which makes them much better suited for the reality we’re facing now. I’ll refrain from repeating what others have already expressed better than I could here; for example in this video by THO.
Now, mobile OS are more secure than desktop ones, and GrapheneOS is the most secure mobile OS, so Graphene wins, case closed? Not quite, at least not obviously so. Of course, the security of a system depends partly on how it is used. A user knowledgeable enough about these systems and their threat model might be able to design a relatively secure overall concept even when using relatively insecure tools to do so. But this is always true and doesn’t say much about which OS should actually be used. In my opinion, the only real challenger for GrapheneOS to the crown of most secure OS seems to be Qubes OS.
First, I think it makes sense to say that for many people, Qubes OS is simply not suited. GrapheneOS provides the absolutely luxurious option of using something that’s as easy as Stock Android, and even very inexperienced users can switch relatively easily. Qubes OS doesn’t have that option, especially if you use it in the way it needs to be for its security to really shine – by heavily compartmentalizing. For most, I’d recommend GrapheneOS in a heartbeat because it’s extremely unlikely they will a) actually use Qubes and b) use it in a way that even has the potential of beating GrapheneOS. However, the question of which provides better security for a user who utilizes the OS in a way making use of its potential (within realistic bounds) remains valid. Or, if the strengths and weaknesses of the two are different enough to make such an “overall” security assessment nonsensical: Which OS has which advantages, what are its go-to use cases?
Something that seems obvious to me is that GOS will generally be way more secure than a Qubes VM. If you use Qubes with one VM in which you always do everything, I doubt your security will be that much improved over whichever OS you use inside that VM, which will be less secure than GOS. Qubes’ strength lies in its use of compartmentalization between different VMs with different levels of trust that can be erased and created on demand. This means that even though it might be easier to break into a VM on Qubes, that will not necessarily get you far. To truly compromise the system, there needs to be a way for the attacker to infect other VMs, or even the Xen hypervisor itself. Doing so will be much more difficult.
However, GrapheneOS provides options for compartmentalization itself: User profiles. They are a useful tool in general, but can also be utilized at least somewhat similarly to how Qubes uses its VMs. With different profiles with different levels of sensitivity or different application scopes, the attack surface can be decreased for each while giving an attacker more hurdles to overcome. This can also be extremely useful when there’s a threat of physical attackers grabbing your phone, as not-running profiles will be encrypted. Installing apps into the owner profile also enables quick creation of a fresh user profile with (for example) nothing more than Tor Browser installed additionally, that can easily be deleted again after use.
I elaborated on my thoughts quite a bit, but please don’t confuse this with giving an answer. I hope I was able to identify some general themes or maybe provide some base for complete beginners, but evaluating and comparing the exact level of security is far beyond what I can do on my own. For example, would it generally be more difficult for an attacker to a) on GOS break into a user profile, infect it and spread to other profiles or b) on Qubes break into an untrusted VM, infect it, and spread to other more trusted VMs? I have no idea, and I’m not even sure there’s a definite answer – how do you even objectively measure difficulty?
To be fully transparent, I think most of the time, Qubes just isn’t an alternative to GrapheneOS, and that’s okay. What they focus on achieving is quite different, even though both have security as one of their main goals. Still, I think this question is interesting to ponder and provides great grounds to learn about what makes both of them secure, which in turn increases knowledge of security in general. So, for security, science, or maybe just for fun:
Which is the most secure, Qubes OS or GrapheneOS?