pull down to refresh

Phones are much safer (or can be) than a laptop...
How do you come to this conclusion?
Sandboxing. With laptop qubes accomplishes this. With iOS or android, sandboxed apps is default. Yes you have to worry about apps getting permission to things like mic, camera, wifi etc etc in a malicious way, but the information between apps is sandboxed.
reply
21 sats \ 0 replies \ @ek 15 Mar
Thanks for the links, I will look into it when I have time.
reply
This is quite a short answer and you could explain these details for hours. Smartphones and their OSes are often designed with better security models than a desktop computer. Most of this comes down to a lot of societal factors, such as:
  • mobile operating systems like iOS and Android coming out decades after desktops so they naturally build a better foundation with the knowledge people have today.
  • mobile devices being more of a target due to their portability, prevalence, and the data people store in them being more sensitive therefore there is more effort to protect them.
  • mobile device security is far more scrutinized than desktops.
In a technical description, you'll expect a proper smartphone operating system to have an actual application security model, proper app sandboxing with permission controls, use of memory-safe languages for apps, exploit mitigations, verified boot and a lot of security principles (like least-privilege, assume-compromise, secure-by-default and defence-in-depth) adopted. A mobile OS gets criticized as being "locked down" and "restrictive" but that's also why they are extremely safe.
Mobile hardware (on a good OEM) is also better, they are always receiving complete firmware security updates and driver support until the device's support timeline ends. Sadly on Desktops you need to rely on the OEM doing a barely-decent job and if you are building your own you'd need to check every hardware device you build with has firmware updates / is supported. Firmware attacks are a big deal on desktops.
Where a desktop shares a security feature, the mobile device does it far better. One example is the secure boot in a desktop is not really comparable. x86 Secure Boot does not verify all firmware, does not have downgrade protection, does not have an unbroken chain of trust from the hardware and verifies far less of the OS than a proper Android verified boot device does. TPMs are also nothing compared to the dedicated secure elements used in a Pixel or similar either, and TPMs are rarely used for much by default regardless, while you'll see them used in Android and iOS for multiple things.
Desktop operating systems are flawed since they lack the security practices or a complete implementation of them. For example, a ton of Windows' best security features are opt-in so they don't get used, apps are not sandboxed and are over-privileged, often made in unsafe languages, most users' main accounts are also the administrator by default (and is the source of most Windows security issues), and much more. Windows wants to go adminless and move to Rust (great!) and also add sandboxing for Win32 apps (currently opt-in, not great!) but there's still a long way to go. Windows laptops with a half-done attempt at real secure boot instead of BS are Secured Core certified, but only an attempt doesn't really amount to anything.
MacOS on an ARM Mac does a great job in some of these things but there's room for improvement. Linux-based operating systems do this the worst as oftentimes they completely don't do some of the things listed or do it very badly. Linux works on Android because they barely use any of the same software a desktop distribution does, they also have an enforced SELinux policy among other additional work to secure it that the desktop operating systems do not. ChromeOS does the best of all of these for the same reasons as Android but of course being a desktop OS it doesn't do everything perfectly, but MacOS prevails with hardware.
This response isn't putting things like privacy-invasive telemetry of the OSes into account but obviously if you want to completely avoid it on a desktop your options are practically miniscule and you should accept some. I also avoided mentioning what GrapheneOS does better than Android here for neutrality but of course we improve on what Android does by a lot. When upstream gets a Desktop Mode there will hopefully be a future where someone could use a GrapheneOS device as a desktop and with VMs to run Linux or Windows apps thanks to hardware accelerated VM support in the newer PIxels.
I have no say in the discussion about using a GrapheneOS device as cold storage by @expatriotic and to be honest I haven't read it when writing this reply.