user has full access to all information which that user has access to, including all files, keystrokes and so on. The exception is when [https://en.wikipedia.org/wiki/Mandatory_access_control mandatory access control (MAC)] is in use and successfully confines that application.
* A compromised application is unlikely to gain root.
Occasionally there are exploits that allow applications to gain root, but as time passes more of these vulnerabilities are being fixed.
On the Linux desktop the process of Preventing [[Malware]] from [[Root#Prevent_Malware_from_Sniffing_the_Root_Password|Sniffing the Root Password]] is cumbersome and unpopular. Therefore any compromised application on the Linux desktop could lead to root compromise. This in turn might compromise the bootloader, kernel, or even hardware. It is difficult to detect [[Malware]], remove a [https://en.wikipedia.org/wiki/Rootkit rootkit] and [[Malware#Valid_Compromise_Indicators_versus_Invalid_Compromise_Indicators|indicators of compromise are rare]].
* The iPhone/Android approach provides strong protection against malware, meaning those platforms are impacted much less than Windows or Linux desktops.
* iPhone and many Android vendors purposefully add a lot of spyware; one example is [https://en.wikipedia.org/wiki/Carrier_IQ Carrier IQ]. The GNU Project states: "[https://www.gnu.org/proprietary/malware-apple.html Apple's Operating Systems Are Malware]" and "[https://www.gnu.org/proprietary/malware-google.html Google's Software is Malware]". In addition, many [https://en.wikipedia.org/wiki/Freemium freemium] applications spy on their users. Despite this downside, the security model of popular mobile operating systems affords better protection when attempting to prevent any malicious and unapproved party from establishing a foothold in their ecosystem.
* Some Android vendors [https://googleprojectzero.blogspot.com/2020/02/mitigations-are-attack-surface-too.html introduce mitigations that introduce attack surface].
{| class="wikitable" style="background-color: #fff;text-align: center"
!
! Most iPhone / Android devices Most iPhone / Android phones that are sold by mobile carriers or manufacturers have locked bootloaders. These phones are often packaged with spyware installed by default, which cannot be removed. There may be rare exceptions to this rule, hence "most" and not "all". These exceptions are not the point which shall be made in this comparison. See the "Libre Android" column for what is theoretically possible.
! "Libre Android"
There is no "Libre Android" at time of writing. It's only a concept to illustrate a point. There is no "perfect" Android distribution. GrapheneOS has verified boot but [https://archive.li/2sYur root access is refused in default builds]. Replicant allows root access, but no references were found that Replicant makes use of verified boot yet. It's not relevant to pick any specific Android distribution for the sake of making the point "iPhone and Android Level Security for Linux Desktop Distributions" no specific Android distribution was chosen for this compassion. A "perfect" Android distribution checking all "green yes" is possible in theory. It doesn't exist due to policy decisions. (GrapheneOS vs root in default builds vs device selection / features.) There are no technical reasons for non-existence. See also this [[Mobile_Operating_System_Comparison|Overview of Mobile Projects, that focus on either/and/or security, privacy, anonymity, source-available, Freedom Software.]].
! Linux Desktop Distributions
! {{project_name_short}} Development Goals
|-
! Upgrades do not require vendor
| {{No}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! User freedom to replace operating system
| {{No}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! Administrator capabilities (root) not refused
| {{No}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! Custom operating system (bootloader unlock) not refused
| {{No}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! Software changes (rooting or bootloader unlock) might cause trouble with or void device warranty
| {{No}}
https://www.howtogeek.com/240417/does-rooting-or-unlocking-void-your-android-phones-warranty/
| {{No}}
| {{Yes}}
| {{Yes}}
|-
! No user freedom restrictions
| {{No}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! No spyware included in operating system
| {{No}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! No culture of freemium applications that spy on users in appstores
| {{No}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! Culture of [[Freedom Software]] in appstores
| {{No}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! Freedom Software
| {{No}} Comes with a lot proprietary software installed by default.
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! Compromised application cannot access data of other applications
| {{Yes}}
| {{Yes}}
| {{No}}
| {{Yes}}
|-
! [[Malware_and_Firmware_Trojans#Malware|Malware]] on a compromised system cannot easily gain root
| {{Yes}}
| {{Yes}}
| {{No}}
| {{Yes}}
|-
! Reasonable resistance against system wide rootkit
| {{Yes}} Through verified boot.
| {{Yes}}
| {{No}}
| {{Yes}}
|-
! [[Verified_Boot#Hash_Check_all_Files_at_Boot|Verified Boot]]
| {{Yes}}
| {{Yes}}
| {{No}}
| {{Yes}}
|-
! [https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598 Hardened Kernel]
| {{Yes}}
| {{Yes}}
| some
| {{Yes}}
|-
! [https://github.com/roddhjav/apparmor.d Full System MAC Policy]
| {{Yes}}
| {{Yes}}
| {{No}}
| {{Yes}}
|-
! Internal storage can reasonably easily be removed and mounted elsewhere for the purpose of data recovery or hunting malware / rootkits.
| {{No}}
This is a hardware limitation. Internal storage is a chip and soldered. Removal is an operation which most repair shops are incapable of performing. Even if removed, it's not easy to find a device which can read the device without booting from it. Perhaps it could be booted from in another device, but that would be beside the point. If the operating system is unbootable due to software issues, it will also be unbootable elsewhere. If malware analysis is the goal, then no code from the suspected infected storage device should ever be executed.For 4.0+ devices there is a solution called "adb backup". Note: This only works for apps that do not disallow backup! Apps that disallow backup are simply ignored when creating a backup using this way.Information from https://stackoverflow.com/questions/29442630/copy-full-disk-image-from-android-to-computer does not work for non-rooted / non-rootable devices. Taking a non-rooted Android device with GrapheneOS, contributed by a user.
$ adb devices List of devices attached xxxxxxxxxxx device $ adb root adbd cannot run as root in production builds $ adb shell walleye:/ $ ls ls: ./init.zygote64_32.rc: Permission denied ls: ./init.rc: Permission denied ls: ./init.usb.rc: Permission denied ls: ./ueventd.rc: Permission denied ls: ./init.zygote32.rc: Permission denied ls: ./init: Permission denied ls: ./cache: Permission denied ls: ./init.environ.rc: Permission denied ls: ./persist: Permission denied ls: ./postinstall: Permission denied ls: ./init.usb.configfs.rc: Permission denied ls: ./metadata: Permission denied acct apex bin bugreports charger config d data debug_ramdisk default.prop dev dsp etc firmware lost+found mnt odm oem proc product product_services res sbin sdcard storage sys system vendor 1|walleye:/ $ sudo ls /system/bin/sh: sudo: inaccessible or not found 127|walleye:/ $ su /system/bin/sh: su: inaccessible or not found 127|walleye:/ $
walleye:/dev/block $ ls -lah total 0 drwxr-xr-x 6 root root 2.4K 1970-07-03 11:40 . drwxr-xr-x 18 root root 3.9K 2020-05-26 15:41 .. lrwxrwxrwx 1 root root 37 1970-07-03 11:40 bootdevice -> /dev/block/platform/soc/1da4000.ufshc drwxr-xr-x 2 root root 1.6K 1970-07-03 11:40 by-name brw------- 1 root root 252, 0 1970-07-03 11:40 dm-0 brw------- 1 root root 252, 1 1970-07-03 11:40 dm-1 brw------- 1 root root 7, 0 1970-07-03 11:40 loop0 brw------- 1 root root 7, 8 1970-07-03 11:40 loop1 brw------- 1 root root 7, 80 1970-07-03 11:40 loop10 brw------- 1 root root 7, 88 1970-07-03 11:40 loop11 brw------- 1 root root 7, 96 1970-07-03 11:40 loop12 brw------- 1 root root 7, 104 1970-07-03 11:40 loop13 brw------- 1 root root 7, 112 1970-07-03 11:40 loop14 brw------- 1 root root 7, 120 1970-07-03 11:40 loop15 brw------- 1 root root 7, 16 1970-07-03 11:40 loop2 brw------- 1 root root 7, 24 1970-07-03 11:40 loop3 brw------- 1 root root 7, 32 1970-07-03 11:40 loop4 brw------- 1 root root 7, 40 1970-07-03 11:40 loop5 brw------- 1 root root 7, 48 1970-07-03 11:40 loop6 brw------- 1 root root 7, 56 1970-07-03 11:40 loop7 brw------- 1 root root 7, 64 1970-07-03 11:40 loop8 brw------- 1 root root 7, 72 1970-07-03 11:40 loop9 drwxr-xr-x 2 root root 80 1970-07-03 11:40 mapper drwxr-xr-x 3 root root 60 1970-07-03 11:40 platform brw------- 1 root root 1, 0 1970-07-03 11:40 ram0 brw------- 1 root root 1, 1 1970-07-03 11:40 ram1 brw------- 1 root root 1, 10 1970-07-03 11:40 ram10 brw------- 1 root root 1, 11 1970-07-03 11:40 ram11 brw------- 1 root root 1, 12 1970-07-03 11:40 ram12 brw------- 1 root root 1, 13 1970-07-03 11:40 ram13 brw------- 1 root root 1, 14 1970-07-03 11:40 ram14 brw------- 1 root root 1, 15 1970-07-03 11:40 ram15 brw------- 1 root root 1, 2 1970-07-03 11:40 ram2 brw------- 1 root root 1, 3 1970-07-03 11:40 ram3 brw------- 1 root root 1, 4 1970-07-03 11:40 ram4 brw------- 1 root root 1, 5 1970-07-03 11:40 ram5 brw------- 1 root root 1, 6 1970-07-03 11:40 ram6 brw------- 1 root root 1, 7 1970-07-03 11:40 ram7 brw------- 1 root root 1, 8 1970-07-03 11:40 ram8 brw------- 1 root root 1, 9 1970-07-03 11:40 ram9 brw------- 1 root root 8, 0 1970-07-03 11:40 sda brw------- 1 root root 8, 1 1970-07-03 11:40 sda1 brw------- 1 root root 8, 10 1970-07-03 11:40 sda10 brw------- 1 root root 8, 11 1970-07-03 11:40 sda11 brw------- 1 root root 8, 12 1970-07-03 11:40 sda12 brw------- 1 root root 8, 13 1970-07-03 11:40 sda13 brw------- 1 root root 8, 14 1970-07-03 11:40 sda14 brw------- 1 root root 8, 15 1970-07-03 11:40 sda15 brw------- 1 root root 259, 0 1970-07-03 11:40 sda16 brw------- 1 root root 259, 1 1970-07-03 11:40 sda17 brw------- 1 root root 259, 2 1970-07-03 11:40 sda18 brw------- 1 root root 259, 3 1970-07-03 11:40 sda19 brw------- 1 root root 8, 2 1970-07-03 11:40 sda2 brw------- 1 root root 259, 4 1970-07-03 11:40 sda20 brw------- 1 root root 259, 5 1970-07-03 11:40 sda21 brw------- 1 root root 259, 6 1970-07-03 11:40 sda22 brw------- 1 root root 259, 7 1970-07-03 11:40 sda23 brw------- 1 root root 259, 8 1970-07-03 11:40 sda24 brw------- 1 root root 259, 9 1970-07-03 11:40 sda25 brw------- 1 root root 259, 10 1970-07-03 11:40 sda26 brw------- 1 root root 259, 11 1970-07-03 11:40 sda27 brw------- 1 root root 259, 12 1970-07-03 11:40 sda28 brw------- 1 root root 259, 13 1970-07-03 11:40 sda29 brw------- 1 root root 8, 3 1970-07-03 11:40 sda3 brw------- 1 root root 259, 14 1970-07-03 11:40 sda30 brw------- 1 root root 259, 15 1970-07-03 11:40 sda31 brw------- 1 root root 259, 16 1970-07-03 11:40 sda32 brw------- 1 root root 259, 17 1970-07-03 11:40 sda33 brw------- 1 root root 259, 18 1970-07-03 11:40 sda34 brw------- 1 root root 259, 19 1970-07-03 11:40 sda35 brw------- 1 root root 259, 20 1970-07-03 11:40 sda36 brw------- 1 root root 259, 21 1970-07-03 11:40 sda37 brw------- 1 root root 259, 22 1970-07-03 11:40 sda38 brw------- 1 root root 259, 23 1970-07-03 11:40 sda39 brw------- 1 root root 8, 4 1970-07-03 11:40 sda4 brw------- 1 root root 259, 24 1970-07-03 11:40 sda40 brw------- 1 root root 259, 25 1970-07-03 11:40 sda41 brw------- 1 root root 259, 26 1970-07-03 11:40 sda42 brw------- 1 root root 259, 27 1970-07-03 11:40 sda43 brw------- 1 root root 259, 28 1970-07-03 11:40 sda44 brw------- 1 root root 259, 29 1970-07-03 11:40 sda45 brw------- 1 root root 8, 5 1970-07-03 11:40 sda5 brw------- 1 root root 8, 6 1970-07-03 11:40 sda6 brw------- 1 root root 8, 7 1970-07-03 11:40 sda7 brw------- 1 root root 8, 8 1970-07-03 11:40 sda8 brw------- 1 root root 8, 9 1970-07-03 11:40 sda9 brw------- 1 root root 8, 16 1970-07-03 11:40 sdb brw------- 1 root root 8, 17 1970-07-03 11:40 sdb1 brw------- 1 root root 8, 32 1970-07-03 11:40 sdc brw------- 1 root root 8, 33 1970-07-03 11:40 sdc1 brw------- 1 root root 8, 48 1970-07-03 11:40 sdd brw------- 1 root root 8, 49 2020-05-26 15:41 sdd1 brw------- 1 root root 8, 58 1970-07-03 11:40 sdd10 brw------- 1 root root 8, 59 1970-07-03 11:40 sdd11 brw------- 1 root root 8, 60 1970-07-03 11:40 sdd12 brw------- 1 root root 8, 61 1970-07-03 11:40 sdd13 brw------- 1 root root 8, 62 1970-07-03 11:40 sdd14 brw------- 1 root root 8, 63 2020-05-26 15:42 sdd15 brw------- 1 root root 259, 30 2020-05-26 15:41 sdd16 brw------- 1 root root 259, 31 2020-05-26 15:41 sdd17 brw------- 1 root root 259, 32 1970-07-03 11:40 sdd18 brw------- 1 root root 8, 50 1970-07-03 11:40 sdd2 brw------- 1 root root 8, 51 1970-07-03 11:40 sdd3 brw-rw---- 1 system system 8, 52 2020-05-26 15:48 sdd4 brw------- 1 root root 8, 53 1970-07-03 11:40 sdd5 brw------- 1 root root 8, 54 1970-07-03 11:40 sdd6 brw------- 1 root root 8, 55 1970-07-03 11:40 sdd7 brw------- 1 root root 8, 56 1970-07-03 11:40 sdd8 brw------- 1 root root 8, 57 1970-07-03 11:40 sdd9 brw------- 1 root root 8, 64 1970-07-03 11:40 sde brw------- 1 root root 8, 65 1970-07-03 11:40 sde1 brw------- 1 root root 8, 66 1970-07-03 11:40 sde2 brw------- 1 root root 8, 67 1970-07-03 11:40 sde3 brw------- 1 root root 8, 68 1970-07-03 11:40 sde4 brw------- 1 root root 8, 69 1970-07-03 11:40 sde5 brw------- 1 root root 8, 80 1970-07-03 11:40 sdf brw------- 1 root root 8, 81 1970-07-03 11:40 sdf1 brw------- 1 root root 8, 82 1970-07-03 11:40 sdf2 brw------- 1 root root 8, 83 1970-07-03 11:40 sdf3 brw------- 1 root root 8, 84 1970-07-03 11:40 sdf4 brw------- 1 root root 8, 85 1970-07-03 11:40 sdf5 drwx------ 2 root root 40 1970-07-03 11:40 vold brw------- 1 root root 253, 0 2020-05-26 15:41 zram0
$ adb shell walleye:/ $ mount /dev/root on / type ext4 (ro,seclabel,nodev,relatime) tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=1851548k,nr_inodes=462887,mode=755) devpts on /dev/pts type devpts (rw,seclabel,nosuid,noexec,relatime,mode=600) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime,gid=3009,hidepid=2) sysfs on /sys type sysfs (rw,seclabel,nosuid,nodev,noexec,relatime) selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime) tmpfs on /mnt type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1851548k,nr_inodes=462887,mode=755,gid=1000) tmpfs on /apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1851548k,nr_inodes=462887,mode=755) /dev/block/sdd3 on /persist type ext4 (rw,seclabel,nosuid,nodev,noatime,data=ordered) /dev/block/dm-1 on /vendor type ext4 (ro,seclabel,relatime) none on /dev/cpuctl type cgroup (rw,nosuid,nodev,noexec,relatime,cpu) none on /acct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct) none on /dev/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent) none on /dev/stune type cgroup (rw,nosuid,nodev,noexec,relatime,schedtune) /dev/root on /apex/com.android.tzdata@290000000 type ext4 (ro,seclabel,relatime) /dev/root on /apex/com.android.tzdata type ext4 (ro,seclabel,relatime) /dev/root on /apex/com.android.runtime@1 type ext4 (ro,seclabel,relatime) /dev/root on /apex/com.android.runtime type ext4 (ro,seclabel,relatime) debugfs on /sys/kernel/debug type debugfs (rw,seclabel,relatime) none on /config type configfs (rw,nosuid,nodev,noexec,relatime) tracefs on /sys/kernel/debug/tracing type tracefs (rw,seclabel,relatime) /dev/block/sde4 on /metadata type ext4 (rw,sync,seclabel,nosuid,nodev,noatime,discard,data=ordered) /dev/block/sda28 on /firmware type vfat (ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro) tmpfs on /storage type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1851548k,nr_inodes=462887,mode=755,gid=1000) /dev/block/sda45 on /data type ext4 (rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resgid=1065,errors=panic,stripe=4096,data=ordered) /dev/root on /apex/com.android.conscrypt@290000000 type ext4 (ro,seclabel,nodev,relatime) /dev/root on /apex/com.android.conscrypt type ext4 (ro,seclabel,nodev,relatime) /dev/root on /apex/com.android.media@290000000 type ext4 (ro,seclabel,nodev,relatime) /dev/root on /apex/com.android.media type ext4 (ro,seclabel,nodev,relatime) /dev/root on /apex/com.android.media.swcodec@290000000 type ext4 (ro,seclabel,nodev,relatime) /dev/root on /apex/com.android.media.swcodec type ext4 (ro,seclabel,nodev,relatime) /dev/root on /apex/com.android.resolv@290000000 type ext4 (ro,seclabel,nodev,relatime) /dev/root on /apex/com.android.resolv type ext4 (ro,seclabel,nodev,relatime) adb on /dev/usb-ffs/adb type functionfs (rw,relatime) mtp on /dev/usb-ffs/mtp type functionfs (rw,relatime) ptp on /dev/usb-ffs/ptp type functionfs (rw,relatime) /data/media on /mnt/runtime/default/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal) /data/media on /storage/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal) /data/media on /mnt/runtime/read/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=23,derive_gid,default_normal) /data/media on /mnt/runtime/write/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid,default_normal) /data/media on /mnt/runtime/full/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid,default_normal) pstore on /sys/fs/pstore type pstore (rw,seclabel,relatime)| {{No}} Same issue as Most iPhone / Android devices since inheriting the same hardware limitations. | {{Yes}} Computer (non-mobile) hardware is much more flexible. Storage devices can be removed from a computer, then added to another computer as a secondary disk. When booting from an installation assumed to be uncompromised (by [the same] malware), a search for malware can be performed on the other disk without executing any code, reducing risk of infection for the booted disk. This kind of procedure can be performed reasonably easily by most repair shops, and even non-technical people can do this without the need for soldering. | {{Yes}} Same as Linux Desktop Distributions. |- ! Internal storage can reasonably easily be decrypted once transferred to a different device if password is known. | {{No}} The masterkey is not stored on the internal storage. [https://source.android.com/security/encryption/full-disk#storing_the_encrypted_key It is stored in hardware.] which is even harder to extract.
cryptsetup-reencrypt).android:allowBackup
Whether to allow the application to participate in the backup and restore infrastructure. If this attribute is set to false, no backup or restore of the application will ever be performed, even by a full-system backup that would otherwise cause all application data to be saved via adb. The default value of this attribute is true.| {{Yes}} | {{Yes}} | {{Yes}} |- ! No culture of users can ask device (code) for permission and device (code) will decide. | {{No}} | {{Yes}} | {{Yes}} If credentials can be provided (full disk encryption password if used), (super) root will have full access. | {{Yes}} |- ! No culture of applications refusing to run if device is rooted | {{No}} https://android.stackexchange.com/questions/29359/how-to-prevent-applications-from-discovering-my-phone-as-being-rooted | {{Yes}} | {{Yes}} | {{Yes}} |- ! Prevention of targeted malicious upgrades. As in singling out specific users. Shipping malicious upgrades to select users only. | {{No}} Most android phones have a feature which allows to login on google play web/desktop version using the same e-mail address which is used on the phone. Usually the same gmail address. When clicking install for an app using the google play web/desktop version, the user will be prompter (in case of having registred multiple devices) on which device the app should be installed. After pressing install, the app will be installed on the phone. This [https://www.youtube.com/watch?v=HljSquJ7yCo video] demonstrates this. It is therefore established that the google website can result in remote app installation on the phone. It follows that a coerced or compromised google play website could do the same. Since the gmail based web login can be linked to the same gmail address on the phone, pushing targeted malicious upgrades is esspecially easy. Even if a phone was always fully torified (all traffic routed over Tor) the gmail identifier could still be used. While Tor can anonymize the connection, it does not (and should not) attempt to modify anything inside the traffic (the gmail identifier). | ? Probably same as Linux Desktop Distributions. | ? Linux distributions usually do not require an e-mail based login to receive upgrades. Users can still be singled out by IP addresses unless users opt-in for using something such as apt-transport-tor which is not the default. | {{Yes}} All upgrades are downloaded over Tor. There is no way for the server to ship legit upgrade packages to most users while singling out specific users for targeted attacks. |} Quote [https://www.theregister.co.uk/2020/03/06/1_billion_vulnerable_android_devices_which/ More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research]. The operating system of these devices: * Do not receive security upgrades from the vendor. * Third parties (such as users or the modding community) cannot provide (security) upgrades either due to locked bootloaders, which cannot be unlocked due to vendor decision and due to unavailability of a security bug which could unlock the bootloader. * Even if bootloaders can be unlocked there might not be an adequate operating system upgrades available from third parties, such as the modding community. Either due to unpopularity of the devices among modding developers and/or due to technical challenges. Ability to upgrade (security fixes) devices; replace operating system; bootloader freedom vs bootloader non-freedom: * iPhones and some Android devices have locked boot loaders that cannot be unlocked. This restricts user freedom and makes replacing the operating system impossible without a verified boot bypass exploit. In case the vendor deprecated security support for the device, the only choices users realistically have is to keep using an insecure device, or to buy a device which still has security support. Similarly, locked bootloaders also prevent gaining administrator (root) access. * Some Android devices do allow unlocking the bootloader but not with custom verified boot keys, causing a decrease in security. * Some Android devices (such as the Nexus or Pixel devices) support full verified boot with custom keys that can be used with alternative operating systems. {{project_name_short}} will not implement these kinds of user freedom restrictions since it is not required nor desirable. The capability to replace the operating system or gain administrator access will remain fully supported. Many popular device operating systems utilize security technologies which restrict user freedoms. In contrast, {{project_name_short}} aims to utilize the same security concepts for the goal of empowering the user and increasing protection from malware. It is theoretically possible to provide some of the same iPhone / Android security concepts on the Linux Desktop too. Steps have already been made to apply mobile device security concepts to desktop Linux such as [https://github.com/{{project_name_short}}/security-misc security-misc] and [https://github.com/roddhjav/apparmor.d apparmor.d]. Security technologies like hardened kernels or verified boot used by popular mobile operating systems could also be ported to Linux desktops. Community contributions are gladly welcomed! Here is a list of potential security enhancements for {{project_name_short}}: * [https://forums.whonix.org/t/multiple-boot-modes-for-better-security-persistent-root-persistent-noroot-live-root-live-noroot/7708 multiple boot modes for better security: persistent user | live user | persistent admin | persistent superadmin | persistent recovery mode] * [https://forums.whonix.org/t/disable-suid-binaries/7706 Disable SUID Binaries] * [https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 (re-)mount home (and other?) with noexec (and nosuid (among other useful mount options)) for better security] * [https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880 enforce kernel module software signature verification] * [[Dev/VirusForget|deactivate malware after reboot from non-root compromise]] * [https://forums.whonix.org/t/walled-garden-firewall-whitelisting-application-whitelisting-sudo-lockdown-superuser-mode-protected-mode/5725 walled garden, firewall whitelisting, application whitelisting, sudo lockdown, superuser mode, protected mode] * [https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598 Hardened Kernel] * [[Verified_Boot#Hash_Check_all_Files_at_Boot|Verified Boot]] * [https://forums.whonix.org/t/signify-openbsd/7842/5 signify signed releases] * Post-Quantum Cryptography ([[PQCrypto]]) [https://forums.whonix.org/t/use-codecrypt-to-sign-whonix-releases/7844/2 resistant signing of releases] * [https://forums.whonix.org/t/untrusted-root-does-it-make-sense-to-try-to-improve-security-by-restricting-root/7998 Untrusted Root User]