Where things stand
First time Replicant user here. I was aware of the project but only just got my teeth into it.
As I understand things presently, when it comes to security we have the following contenders:
- Allegedly using phones with baseband/modem isolation (but as was seen in Replicant's Samsung backdoor discovery, who really knows)
- High focus on security within the release itself, sandboxing apps etc.
- Aggressively up-to-date security patches of both Android, kernel, manufacturer etc.
- Using non-free software (firmware) for the most part, which (and please anyone correct me if I'm wrong here) combined with the questionable modem isolation, essentially leaves the front door open, so regardless of how secure the inside is, if the front door is open, it's a problem from the get-go.
- No interest in supporting 'legacy' hardware

- Largely based on Graphene OS patches
- Patches the mainline kernel even on vendor-unsupported devices.
- Keeps Android up to date.
- Still using non-free firmware, but purging it and keeping a lot of it to a minimum.

Entire purpose of the project seems largely about keeping legacy hardware alive:
1. Outstanding work done on modem isolation, well above the call of duty. 'Front door' as shut as it's able to be within current knowledge
2. Free firmware where applicable, perfect, excellent!
3. Keeping 'legacy' hardware well and truly alive
4. Massively out-of-date Android version, kernel, security patches and so on.
Obviously what we are all here for is our interest in points 1 and 2 of Replicant. Far be it from us mere mortals to whine and complain about part 4 when the amount of work that has been done by the Replicant devs is extensive and the results are beyond fantastic, and most of us have done nothing other than install the ROM.
But the question does arise...
If we are using Replicant in its current release (6.004) (which, as far as I can tell, other than minor releases is unlikely to be updated to 11 for a fair amount of time), we are looking at 4-years-out-of-date security patches, Android release, kernel and so on.
Let's take a hypothetical. Let's assume that the phone is being used for the following purposes only: calls, SMS, and an XMPP client. Web-facing apps (browser, email etc.) all removed. Not using Wi-Fi, not using Bluetooth, only using 3G data.
How secure is the device? What threats are we open to? Do the heart-warming, soul-elevating advantages of free software and an as-closed-as-possible front door outweigh the consistent message that "up to date is critical, look at all these vulnerabilities" and so on?
Again, please correct me if I'm wrong about any of this and looking forward to hearing from anyone.
RE: Where things stand - Added by Andrew - 2 months ago
Spent no small amount of time thinking about it too.
Decided to go back to Replicant due to FSF and privacy issues; having security on a mobile phone is a lost myth so far, even if somebody uses the latest iPhone or Google Android.
Only the foundation and freedom provided by Replicant can allow coming close to a secure device in the future. Right now you are most likely doing it wisely by not using any web browsers, apps depending on WebView etc. Most likely your setup is good for security too. I did not remember if MMS were working; if yes, then I would disable them, and app installation from external sources (you can enable it when you really need it).
Only wondering if, for normal calls or SMS, you could use 3G and an app like Signal, so the mobile operator will not see everything.
(I am not saying Signal is a nice FSF application; it is GNU AGPLv3. There were some remarks about the way communication is established, like, as I remember well, you cannot use different servers than Signal's, but the authors tried to defend it with not bad technical arguments too.)
But with security I will live: if something is urgent and secure, then do not put it on the phone or any internet app; the moment you do it, treat it like publicly known information.