Project

General

Profile

Replicant vs GrapheneOS security

Added by 9be42f24d3 cfcedda835 about 1 month ago

So i'm pretty torn about this. I know the main focus of replicant is freedom. It will not include any proprietary blobs. You can change any aspect of the code, and remain in control of the device. Uses modems that have known good hardware isolation etc. But the fact is, updates are lacking (i know there will be updates released soon). There are wide open security vulnerabilities in the current releases. If a security vulnerability is exploited there will be a big chance the attacker can get in the entire phone, which could also exist in currently used (free) firmware and drivers.

Now i'm looking at GrapheneOS and it has a whole different approach. It has proprietary blobs (firmware and drivers), but it isolates all these with IOMMU groups. This way if the wifi or baseband gets compromised, the attacker has little chance to get into the main OS. It get regular updates. Has support for newer devices that support these isolating capabilities. It hardens the kernel and other aspects of the OS. And the biggest argument for GrapheneOS is that Edward Snowden supports it. If someone knows how powerful backdoors and spying can be, it is him. Why would he support an OS and phone that has backdoors, security and/or privacy issues, when these are very important issues for him?

So, yes, you lose freedom with GrapheneOS. But what about practical security? Is the current release of GrapheneOS on a supported phone more secure than the current replicant release that's running on a supported phone? I'm having a hard time answering this question.

Some sources for this information about GrapheneOS:
https://old.reddit.com/r/GrapheneOS/comments/cjjyd4/graphene_os/evdv0h8/
https://old.reddit.com/r/GrapheneOS/comments/cnk7uf/security_on_pixel_devices_are_great_arguably/ewbanij/
https://mobile.twitter.com/DanielMicay/status/1158869170429333504
https://mobile.twitter.com/Snowden/status/1175419013402374145