The “know it better” is, I think, a big argument, that’s imo often a bit overlooked. Android does not have that much “tinkers” as “proper” Linux has. For the average Gnome DE @ Ubuntu user, Android forks are fine. But if you’re the kind of person, who optimizes their Arch system with cool scripts from Github, you won’t get the same experience on LineageOS. I know Termux is a thing but that feels more like a workaround.
Edit: Had to reword the comment, because people thought I was talking about malware and supply chain attacks.
Edit2 to clarify my point: I think big downside of Android is that if you want to tinker with it, you basically have to be an android developer. With “proper” Linux the barrier to entry is smaller and the learning experience is more granular. Hence why we think “we know ‘proper’ Linux better”.
Android does not have that much “hackers” as “proper” Linux has
It’s hard for Android to have hackers precisely because Google and manufacturers are trying their best to prevent that. They do not allow rooting, they blocks features on rooted devices, etc. So they do their absolute best to keep on exercising control despite collaborating on open source software.
… so why are eg flatpak apps less secure than Android ones?
And Play & Apple stores are full of unchecked scam apps. They basically are solving this by securing the os more. Yet apps (even Instagram) can still take pics without your action. I assume they listed in on you too.
The app (& SDK) argument I think has more to do with user- and dev-base. Something that Microsoft failed at in the mobile market. So basically we need a quality/seamless way of running Android apps on Linux.
And since we can run Win games on Linux very nicely I think this wouldn’t be that much of an issue … Tho minimal industry support (eg banking apps) is still needed.
we need a quality/seamless way of running Android apps on Linux
Like Waydroid? There was a thread recently on that and it seemed (even though not necessarily a representative sample) most people used it for… games, not “actual” applications. They were NOT used for banking apps also (at least I don’t remember anybody mentioning that) because I bet most people just go on their bank website for that.
The issue is that the banking app is often the only way to get 2 factor authentication. The other way is to use SMS but that can be hijacked by social engineering attacks so it cannot be considered secure.
It’s nothing sophisticated. You just steal someone’s phone number by calling their phone service provider pretending to be them. I don’t know how serious this threat is but for this reason SMS is not considered secure in the “security circles”.
I would consider that VERY sophisticated. One needs to basically conduct identity fraud, so have enough information to port your SIM via your phone company. I imagine that if you do not call your phone company with your existing number they have a few extra steps to allow anything to happen.
Anyway, beyond that, which as you shared (thanks for taking the time to put those links) is indeed not infeasible (but still requires targeted work and skills) this is only 1 step out of 2 for authentication against a bank. One still needs to know the bank and the login/password pair the Website requires.
Even once that’s done, I believe most banks do not allow large transfers, e.g. above 10K EUR, without another verification. Typically transfers have a daily and weekly limit that can be modified temporarily.
So… IMHO it’s sophisticated (in the sense that a “script kiddie” or scammer without technical skills can’t do it) and has limited economical value.
I will remember it (again, thanks for pointing it out) but I won’t lose sleep over it.
PS: I’m wondering what’s the consumer law on this actually because arguably some steps, e.g. no limit transfer or SIM porting would be on failure on the side of companies, not consumer. I wouldn’t be shocked if companies had insurance for that and might have to pay back whatever amount would be stolen. Obviously this would be regulation dependent.
I honestly did not give much thought to the difficulty of pulling such attack off. With “not sophisticated” I just meant that it’s not complex to grasp. “You just have to pretend to be a different person”. I guess yeah that is pretty difficult.
Yeah I mean it’s often said that any second factor is better than just password so it’s probably not a big deal. My issue is mostly that it’s an attack vector that could easily be eliminated. For example if banks allowed third party 2FA apps. I think I’ve read somewhere, that some banks even only allow hardware keys for business accounts which is honestly absurd.
My hope is actually that standard compliant (that’s the important bit) hardware keys and passkey, e.g. WebAuthn, get more broadly accepted. This way open source and hope hardware solutions, e.g NitroKey, would allow anybody on any OS supporting those standards (which does include Linux without proprietary blobs AFAICT) to work.
I worded my comment badly. I was not talking about supply chain attacks, rather the ability to tinker on “proper” Linux which you don’t get on Android.
The difference between Android and “proper” Linux? You said it:
Android is a semi-immutable (heavily modified and basically owned by Google) distro that runs app in sandboxes.
That is not what “tinkerers” want. They want access to the system. I have not tried it but can you even run an android app from the command line? I guess you can somehow but that just brings me to my other point. You kinda have to be an Android dev to tinker with Android, while on “proper” Linux the learning experience is more granular.
edit: indeed running Android apps from CLI is not very tinker-friendly:
Sorry, I couldn’t follow/I don’t think I understood you.
Why wound you want or need to run anything via CLI?
Most Linux users never use anything CLI (similar MacOS & Windows). Why would Linux phone users? And what does that have to do with android app devs?
The difference between Android and “proper” Linux? You said it:
But (what I said is that) all of that you can get in various Linux distros too - what I was saying that the basic difference for devs is Google/Android SDK.
You want to automate something with a script or want to create some workaround for something.
But (what I said is that) all of that you can get in various Linux distros too
Sure, but these distros aren’t the go-to choice of tinkerers. As I said for the normal Ubuntu user LineageOS is completely fine. “Proper” Linux phone’s target audience are Arch, Gentoo, Void,… users.
the basic difference for devs is Google/Android SDK
For devs sure but “tinkerers” aren’t always devs. They can just start as someone who just “pokes” into their system and eventually dives deeper, or stays forever at the “fix a thing here and there” level. In my opinion you don’t get this granular spectrum of skill. You either are an Android developer (be it Android app or Android system developer) or Android user. Maybe that isn’t true but the original topic was “why Linux phones when AOSP forks exist” and I think “tinkerers” might think this way about Android.
I think all of those (Arch, Gentoo, Void) have unofficial or forked immutable versions. But I’m wondering why the immutable distros aren’t for “tinkerers”?
But I get it, and agree, current Linux phones arent for non-“tinkerers”, but isn’t that just how all things start in foss world/early unstable non-foss software projects? Surely that wouldn’t be the long-term goal.
Like Linux RISC-V desktops/laptops, but that is just the beginning.
Maybe that isn’t true but the original topic was “why Linux phones when AOSP forks exist” and I think “tinkerers” might think this way about Android.
Oh, definitely, but that is just the first/current stage.
My added comment is that, besides the tinkerers, AOSP is still in danger of Google (bcs it is by Google) - they are closing/trying to close down there open-sauciness of it (I know, the licences, but megacorp), delaying publishing the sauce code, and in the near future, I’m sure is it, making decisions that would be increasingly hard for AOSP to be used benevolently (they arent at the moment so hard on this bcs driver availability locks down what Android you can install on your phone).
The phone market and society would benefit long-term of Google wouldn’t have a monopoly in so many key areas.
The “know it better” is, I think, a big argument, that’s imo often a bit overlooked. Android does not have that much “tinkers” as “proper” Linux has. For the average Gnome DE @ Ubuntu user, Android forks are fine. But if you’re the kind of person, who optimizes their Arch system with cool scripts from Github, you won’t get the same experience on LineageOS. I know Termux is a thing but that feels more like a workaround.
Edit: Had to reword the comment, because people thought I was talking about malware and supply chain attacks.
Edit2 to clarify my point: I think big downside of Android is that if you want to tinker with it, you basically have to be an android developer. With “proper” Linux the barrier to entry is smaller and the learning experience is more granular. Hence why we think “we know ‘proper’ Linux better”.
It’s hard for Android to have hackers precisely because Google and manufacturers are trying their best to prevent that. They do not allow rooting, they blocks features on rooted devices, etc. So they do their absolute best to keep on exercising control despite collaborating on open source software.
… so why are eg flatpak apps less secure than Android ones?
And Play & Apple stores are full of unchecked scam apps. They basically are solving this by securing the os more. Yet apps (even Instagram) can still take pics without your action. I assume they listed in on you too.
The app (& SDK) argument I think has more to do with user- and dev-base. Something that Microsoft failed at in the mobile market. So basically we need a quality/seamless way of running Android apps on Linux.
And since we can run Win games on Linux very nicely I think this wouldn’t be that much of an issue … Tho minimal industry support (eg banking apps) is still needed.
Like Waydroid? There was a thread recently on that and it seemed (even though not necessarily a representative sample) most people used it for… games, not “actual” applications. They were NOT used for banking apps also (at least I don’t remember anybody mentioning that) because I bet most people just go on their bank website for that.
The issue is that the banking app is often the only way to get 2 factor authentication. The other way is to use SMS but that can be hijacked by social engineering attacks so it cannot be considered secure.
Can you please share an example? I’d be curious how that would work, especially if it works while understanding how it works.
It’s nothing sophisticated. You just steal someone’s phone number by calling their phone service provider pretending to be them. I don’t know how serious this threat is but for this reason SMS is not considered secure in the “security circles”.
https://www.howtogeek.com/358352/criminals-can-steal-your-phone-number-heres-how-to-stop-them/
https://www.fcc.gov/consumers/guides/cell-phone-fraud
I would consider that VERY sophisticated. One needs to basically conduct identity fraud, so have enough information to port your SIM via your phone company. I imagine that if you do not call your phone company with your existing number they have a few extra steps to allow anything to happen.
Anyway, beyond that, which as you shared (thanks for taking the time to put those links) is indeed not infeasible (but still requires targeted work and skills) this is only 1 step out of 2 for authentication against a bank. One still needs to know the bank and the login/password pair the Website requires.
Even once that’s done, I believe most banks do not allow large transfers, e.g. above 10K EUR, without another verification. Typically transfers have a daily and weekly limit that can be modified temporarily.
So… IMHO it’s sophisticated (in the sense that a “script kiddie” or scammer without technical skills can’t do it) and has limited economical value.
I will remember it (again, thanks for pointing it out) but I won’t lose sleep over it.
PS: I’m wondering what’s the consumer law on this actually because arguably some steps, e.g. no limit transfer or SIM porting would be on failure on the side of companies, not consumer. I wouldn’t be shocked if companies had insurance for that and might have to pay back whatever amount would be stolen. Obviously this would be regulation dependent.
I honestly did not give much thought to the difficulty of pulling such attack off. With “not sophisticated” I just meant that it’s not complex to grasp. “You just have to pretend to be a different person”. I guess yeah that is pretty difficult.
Yeah I mean it’s often said that any second factor is better than just password so it’s probably not a big deal. My issue is mostly that it’s an attack vector that could easily be eliminated. For example if banks allowed third party 2FA apps. I think I’ve read somewhere, that some banks even only allow hardware keys for business accounts which is honestly absurd.
My hope is actually that standard compliant (that’s the important bit) hardware keys and passkey, e.g. WebAuthn, get more broadly accepted. This way open source and hope hardware solutions, e.g NitroKey, would allow anybody on any OS supporting those standards (which does include Linux without proprietary blobs AFAICT) to work.
… people miss Android … to play Android games? Omfg.
I worded my comment badly. I was not talking about supply chain attacks, rather the ability to tinker on “proper” Linux which you don’t get on Android.
Android is a semi-immutable (heavily modified and basically owned by Google) distro that runs app in sandboxes.
What is the difference?
The difference between Android and “proper” Linux? You said it:
That is not what “tinkerers” want. They want access to the system. I have not tried it but can you even run an android app from the command line? I guess you can somehow but that just brings me to my other point. You kinda have to be an Android dev to tinker with Android, while on “proper” Linux the learning experience is more granular.
edit: indeed running Android apps from CLI is not very tinker-friendly:
https://stackoverflow.com/questions/6613889/how-to-start-an-android-application-from-the-command-line
Sorry, I couldn’t follow/I don’t think I understood you.
Why wound you want or need to run anything via CLI?
Most Linux users never use anything CLI (similar MacOS & Windows). Why would Linux phone users? And what does that have to do with android app devs?
But (what I said is that) all of that you can get in various Linux distros too - what I was saying that the basic difference for devs is Google/Android SDK.
Indeed but I’m not talking about “most users”.
You want to automate something with a script or want to create some workaround for something.
Sure, but these distros aren’t the go-to choice of tinkerers. As I said for the normal Ubuntu user LineageOS is completely fine. “Proper” Linux phone’s target audience are Arch, Gentoo, Void,… users.
For devs sure but “tinkerers” aren’t always devs. They can just start as someone who just “pokes” into their system and eventually dives deeper, or stays forever at the “fix a thing here and there” level. In my opinion you don’t get this granular spectrum of skill. You either are an Android developer (be it Android app or Android system developer) or Android user. Maybe that isn’t true but the original topic was “why Linux phones when AOSP forks exist” and I think “tinkerers” might think this way about Android.
I think all of those (Arch, Gentoo, Void) have unofficial or forked immutable versions. But I’m wondering why the immutable distros aren’t for “tinkerers”?
But I get it, and agree, current Linux phones arent for non-“tinkerers”, but isn’t that just how all things start in foss world/early unstable non-foss software projects? Surely that wouldn’t be the long-term goal.
Like Linux RISC-V desktops/laptops, but that is just the beginning.
Oh, definitely, but that is just the first/current stage.
My added comment is that, besides the tinkerers, AOSP is still in danger of Google (bcs it is by Google) - they are closing/trying to close down there open-sauciness of it (I know, the licences, but megacorp), delaying publishing the sauce code, and in the near future, I’m sure is it, making decisions that would be increasingly hard for AOSP to be used benevolently (they arent at the moment so hard on this bcs driver availability locks down what Android you can install on your phone).
The phone market and society would benefit long-term of Google wouldn’t have a monopoly in so many key areas.