
Is the Replicant code secure?

Added by Jacob Bahn 11 days ago

Even though the source code of Replicant is free, how sure can we be that it does not contain features that compromise security and privacy?

Would it not be easy and desirable for g**gle to add some features which help them monitor and collect data from users of only the free parts of the OS?


Replies (1)

RE: Is the Replicant code secure? - Added by Andrés D 7 days ago

Jacob Bahn wrote:

Is the Replicant code secure?

No, it is not. No complex software, like smartphone operating systems, is secure. In addition, Replicant's main goal is not security. It tries to be secure, but it makes security concessions in the name of freedom: we use unmaintained devices with unmaintained versions of Android, kernel, browsers and other software components; or convenience: we support mobile broadband (but not modems with main memory access), JavaScript etc. It also has very few developers and no security audits.

This situation will improve a bit with the next Replicant 6 release (with security patches and probably newer versions of webview, new browser etc.) and a lot with Replicant 9, which will have very up-to-date software and more upstream kernel, Mesa etc. than most (all?) other Android distributions.

Even though the source code of Replicant is free, how sure can we be that it does not contain features that compromise security and privacy?

Some features are inherently bad for privacy, like mobile broadband. But Replicant makes a big effort to remove as many user data leaks as possible, and not to use proprietary services.

Would it not be easy and desirable for g**gle to add some features which help them monitor and collect data from users of only the free parts of the OS?

Google already gets a lot of user data (for example with their services and Google Apps that most devices use). I don't think that they, as a company, would want to risk a lot trying to hide spyware in their libre source code.

Andrés
