Looking for a functional and secure smartphone that runs only free software? Be patient!


Motivation

On many occasions, I have seen myself and other free software enthusiasts being asked which smartphones and mobile operating systems they can recommend to users who are looking for a free (owner-controlled) and secure smartphone that respects their freedom and privacy.

I would like to share some of my thoughts about this complex topic. However, please be warned that it might be disappointing for those who expect clear recommendations in the conclusion.

I wrote an article on this topic back in spring 2018, but many things have changed since then. Therefore, I decided to conduct a major revision of said article here.

General freedom and security concerns

Before I dive into specific operating systems and devices, I would like to discuss some general issues with today’s mobile devices.

Firmware vulnerabilities

If you run closed-source firmware (this is required to operate most smartphones today), you are at the mercy of the vendor to provide you with updates. If you look at the Android Security Bulletin, almost every month severe, critical vulnerabilities in this firmware need to be patched.

Unfortunately, many vendors refuse to provide updated firmware if they consider the affected devices EOL. This is even true for extreme cases such as the “Broadpwn” exploit (affects BCM43xx wifi chipsets found in more than a billion devices). This makes these devices de-facto electronic waste and further worsens the environmental issues that already pose a severe threat to our planet today.

Bootloader freedom

Before an operating system can be booted, the hardware has to be initialized. This is usually done by one (or more) bootloaders. As far as I know, there are no modern smartphones (yet) that come preinstalled with a free bootloader or where the proprietary bootloader can be replaced. The few exceptions are some (quite dated) devices such as the Nokia N900. Also, some partially successful attempts to install the free U-Boot bootloader on older devices such as the Samsung Galaxy S3 have been reported.

Hardware-backed security requires closed-source firmware

Modern SoCs come with a TEE (Trusted Execution Environment) as part of their chip design. These separate systems promise to securely process/store credentials such as fingerprints or (parts of) device encryption keys. I am not aware of any such subsystem that would be open source. Thus, the proper operation of such subsystems is near-impossible to audit for mere mortals (although the main developer of GrapheneOS claimed to have successfully done this in the past [1]).

Apart from trust and verifiability, using TEEs to store disk encryption keys usually comes at the price of not having separate PINs/passwords for the lockscreen and disk encryption key (like on newer Android devices). Therefore, you have to enter your most valuable credentials in “train conditions”. This is highly problematic since these credentials allow attackers to gain full access to the storage of your device once they get hold of it - even if it was at rest (completely powered off).

Modem isolation

Many modern SoCs do not have a clear separation between the baseband processor (which runs the non-free radio firmware) and the rest of the SoC. This means that you actually have to trust the baseband firmware vendor.

There is at least one known case of a backdoor built into the layer above that was detected on older Samsung devices and mitigated by Replicant developers [2].

Other partitions with non-free binaries and data

Some people may think that by re-flashing a ROM or factory image they return their device to its “original state”. However, almost all modern smartphones contain a bunch of partitions that remain untouched during flashing. For instance, here is a listing of partition names and corresponding flash partitions from a Nexus 5:

DDR       -> /dev/block/mmcblk0p24
aboot     -> /dev/block/mmcblk0p6
abootb    -> /dev/block/mmcblk0p11
boot      -> /dev/block/mmcblk0p19
cache     -> /dev/block/mmcblk0p27
crypto    -> /dev/block/mmcblk0p26
fsc       -> /dev/block/mmcblk0p22
fsg       -> /dev/block/mmcblk0p21
grow      -> /dev/block/mmcblk0p29
imgdata   -> /dev/block/mmcblk0p17
laf       -> /dev/block/mmcblk0p18
metadata  -> /dev/block/mmcblk0p14
misc      -> /dev/block/mmcblk0p15
modem     -> /dev/block/mmcblk0p1
modemst1  -> /dev/block/mmcblk0p12
modemst2  -> /dev/block/mmcblk0p13
pad       -> /dev/block/mmcblk0p7
persist   -> /dev/block/mmcblk0p16
recovery  -> /dev/block/mmcblk0p20
rpm       -> /dev/block/mmcblk0p3
rpmb      -> /dev/block/mmcblk0p10
sbl1      -> /dev/block/mmcblk0p2
sbl1b     -> /dev/block/mmcblk0p8
sdi       -> /dev/block/mmcblk0p5
ssd       -> /dev/block/mmcblk0p23
system    -> /dev/block/mmcblk0p25
tz        -> /dev/block/mmcblk0p4
tzb       -> /dev/block/mmcblk0p9
userdata  -> /dev/block/mmcblk0p28

It is hard to find documentation on the purpose of these partitions, and, depending on the device, there are many different partitions. Also, for partitions that usually don’t change, I haven’t seen any lists of hashes from OEMs. Therefore, if you buy a used phone you have to be aware that there is (1) no official way to reset these partitions to their factory state and (2) it’s hard to tell whether any of these partitions have been modified. Most of these partitions can be modified if you have root access; therefore, if you ever executed something with root rights, it could have tampered with one of them.
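One way to at least detect such modifications yourself, as an added example that is not part of the original article: a small Python tool that hashes the rarely-changing partitions from a listing in the format shown above and compares them against a baseline taken while the device was known-good. The set of partitions treated as static, the `root` argument and the constructed sample images are assumptions of this example; on a real phone, reading the block devices requires root.

```python
"""Baseline and re-check the flash partitions that normal use never rewrites.

Added example, not code from the original article. It parses a
"name -> /dev/block/..." listing like the Nexus 5 one above, hashes the
partitions that only a firmware update should ever touch, and diffs the result
against an earlier snapshot so a modified bootloader, TrustZone or modem image
stands out. Reading block devices needs root on the phone; the `root` argument
(an assumption of this example) prefixes each path so the same code can run on
a directory of dumped images.
"""
import hashlib
import json
import os
import re
import sys
import tempfile
from typing import Dict, List

# Partitions from the article's Nexus 5 listing that a user should never see
# change; the selection is this example's assumption, not vendor documentation.
STATIC_PARTITIONS = {
    "ddr", "aboot", "abootb", "sbl1", "sbl1b", "tz", "tzb", "rpm", "rpmb",
    "sdi", "modem", "laf", "persist", "recovery",
}

LINE_RE = re.compile(r"^\s*(\S+)\s*->\s*(/dev/block/\S+)\s*$")


def parse_listing(text: str) -> Dict[str, str]:
    """Map partition names to device nodes from 'name -> /dev/block/...' lines."""
    mapping = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mapping[m.group(1).lower()] = m.group(2)
    return mapping


def hash_device(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a whole block device, streamed so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(mapping: Dict[str, str], root: str = "") -> Dict[str, str]:
    """Hash every static partition in `mapping` that exists under `root`."""
    return {
        name: hash_device(root + dev)
        for name, dev in sorted(mapping.items())
        if name in STATIC_PARTITIONS and os.path.exists(root + dev)
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """List partitions whose content changed, disappeared or newly appeared."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Offline walk-through on constructed images: snapshot, overwrite the 'tz'
    image, re-check. Returns the diff (expected: only 'tz' reported as modified)."""
    listing = "aboot -> /dev/block/mmcblk0p6\ntz -> /dev/block/mmcblk0p4\nuserdata -> /dev/block/mmcblk0p28\n"
    mapping = parse_listing(listing)
    root = tempfile.mkdtemp()  # constructed stand-in for the device's root filesystem
    os.makedirs(root + "/dev/block")
    for dev, content in ((mapping["aboot"], b"ABOOT"), (mapping["tz"], b"TZ-1"), (mapping["userdata"], b"X")):
        with open(root + dev, "wb") as fh:
            fh.write(content)
    baseline = snapshot(mapping, root)  # userdata is not static, so it is skipped
    with open(root + mapping["tz"], "wb") as fh:
        fh.write(b"TZ-2")  # simulate a tampered TrustZone image
    return compare(baseline, snapshot(mapping, root))


if __name__ == "__main__":
    # usage: partcheck.py baseline LISTING OUT.json | partcheck.py verify LISTING BASELINE.json
    mode, listing_path, json_path = sys.argv[1:4]
    mapping = parse_listing(open(listing_path).read())
    if mode == "baseline":
        json.dump(snapshot(mapping), open(json_path, "w"), indent=2)
    else:
        print(json.dumps(compare(json.load(open(json_path)), snapshot(mapping)), indent=2))
```

A match against the baseline only proves nothing changed since you took it; it says nothing about whether the partitions were clean at that time, which is exactly the gap that missing OEM hash lists leave open.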

Inclusion Criteria and Covered Aspects

In the next section, I want to briefly discuss the pros and cons of a few (partially) free mobile operating systems (skipping completely proprietary systems like iOS or Windows Phone). Both Android-based and non-Android-based systems will be discussed. However, near-dead projects like B2G/FirefoxOS will not be covered. Also, I excluded systems that require paying license fees and extend free platforms with closed-source components (such as SailfishOS).

I’d like to focus on the following aspects:

  • choice and availability of supported devices
  • functionality
  • security hardening
  • verified boot with owner-supplied keys and free bootloader possible?
  • Modem isolation
  • inclusion of the non-free Google Apps
  • support period (both OS and firmware) and ease of updates
  • necessity for non-free components running with root privileges
  • availability of “first hand” factory images from the vendor
  • necessity to run non-free software on your computer in order to flash factory images

Android-based Operating Systems

Stock Android

This is the binary Android distribution from Google and comes pre-installed on Google Pixel devices (and Google Nexus devices).

  • Only available for quite pricey Pixel devices (available for older Nexus devices as well, but even the latest ones are EOL since January 2019)
  • Fully functional
  • Standard Android Security (not hardened), no root privileges for the user
  • Verified boot with locked closed-source bootloaders, owner-supplied keys not supported
  • Modem and SoC glued together on all supported devices (no proper modem isolation, if at all)
  • Google Apps and Services are pre-installed and not removable
  • Short support period (3 years from beginning of sales for each model), but clearly communicated; covers firmware updates as well (Google gets them from the firmware vendors and publishes them); Updates delivered once per month and easy to install
  • All supported devices require vast amounts of closed-source firmware
  • Factory images available directly from Google
  • No non-free software required on your computer in order to flash the system to a device

Vendor-modified Android

This is the Android distribution you will find on typical phones manufactured by OEMs like Samsung, HTC, LG, Sony, Huawei etc. These Android distributions are based on Stock Android but customized by the OEM and in case of “branded” devices also by the network operator.

  • Ultimate choice of devices in all price ranges
  • Fully functional
  • Standard Android Security (not hardened), no root privileges for the user (but can be easily obtained on many devices thanks to unpatched security holes)
  • Verified boot with locked closed-source bootloaders; security varies among bootloaders (many have severe issues so it is possible to unlock the bootloader without wiping user data, rendering this feature completely useless); I am not aware of any devices that allow to use owner-supplied keys
  • Modem and SoC glued together on most devices
  • Google Apps and Services are pre-installed and not removable.
  • Often very short and unclear support periods (depending on the vendor) and no formal EOL declaration (highly dependent on the OEM); often irregular, delayed or incomplete updates (e.g. not including updated firmware), sometimes no updates at all; additional customizations by network operators often lead to further delays of updates; the situation has got slightly better for newer devices due to Google’s Project Treble
  • I am not aware of any devices that do not require closed-source firmware (a few devices require “only a few megabytes” of non-free firmware, others often require around 100-200 MB)
  • Usually no factory images available from the vendor (depends on the vendor, but most of them do not provide them to end-users)
  • Flashing factory images (if available) usually requires non-free software by the OEM that in turn runs only on non-free operating systems such as Windows or OS X.

Android One

Meanwhile, several vendors also offer devices with “Android One” that promises to deliver a stock Android experience on non-Pixel devices coming from third-party vendors. These devices are mostly free from customizations (but may contain pre-installed apps).

  • Fair choice of devices, many are quite affordable
  • Standard Android Security (not hardened), no root privileges for the user
  • Verified boot with locked closed-source bootloaders, owner-supplied keys not supported
  • Modem and SoC glued together on all supported devices I know about (no proper modem isolation, if at all)
  • Google Apps and Services are pre-installed and not removable
  • Short support period (3 years from beginning of sales for each model) and usually hard to find for a specific device; Android updates and some firmware updates from Google (Google gets firmware updates for certain platforms from the vendors and publishes them each month); updates are easy to apply
  • I am not aware of any devices that do not require closed-source firmware (a few devices require “only a few megabytes” of firmware, others often require around 100-200 MB)
  • Factory images offered only by some vendors
  • Flashing factory images (if available) usually requires non-free software by the OEM that in turn runs only on non-free operating systems such as Windows or OS X.

Android Open Source Project (AOSP)

The source distribution of Stock Android

  • In theory, most devices that run vendor-modified Android or Android One should be able to run it — in practice, it is only feasible to use AOSP on Pixel and Nexus devices from Google as well as very few other devices (e.g. some devices from Sony’s “Open Devices Program”)
  • Fully functional for Google Nexus and Pixel devices (unfortunately not so for devices from vendors like Sony where functionality is often reported to be broken)
  • Verified boot with locked closed-source bootloaders and user-supplied keys (complicated to set up and very poorly documented, only possible on Pixel devices and two outdated Nexus devices)
  • Standard Android Security (not hardened), no root privileges for the user (option to build a userdebug variant that allows for root but weakens security even further)
  • Google Apps and Services are not included
  • Support period and updates are the same as for stock Android for Google devices; updates for other devices vary and often lack firmware updates; no binary builds available — has to be self-compiled by the user (very cumbersome, official instructions highly incomplete and error-prone — sometimes even require yet undocumented procedures due to changes in the build system)
  • All supported devices require vast amounts of closed-source firmware
  • No non-free software required on your computer in order to flash the system to a device

GrapheneOS

Security-oriented AOSP variant, recently relaunched as community project by the former CTO of CopperheadOS

  • Very limited device support (only Google Pixel devices supported at the moment)
  • Fully functional
  • Tightly hardened for security (includes kernel patches, a hardened browser and much more)
  • Verified boot with locked closed-source bootloaders and vendor-supplied keys; user-supplied keys are supported (complicated to set up but well-documented, requires recompilation)
  • Modem and SoC glued together on all supported devices (no proper modem isolation, if at all)
  • Google Apps and Services are not included
  • Support period and updates are the same as for stock Android; if you trust the project you can use the binary builds from their update site, making updates as easy as on stock Android
  • All supported devices require vast amounts of closed-source firmware
  • No non-free software required on your computer in order to flash the system to a device

Fairphone Open

Fairphone is an OEM that tries to build ethical and long-lasting devices. They have a great, vendor-friendly and forgiving “fanboy-style” community addicted to the honorable idea of the venture. With “Fairphone Open”, they also offer an AOSP-based system as alternative to their normal Vendor-modified Android distribution.

  • Only supported on the Fairphone 2
  • Fully functional (but releases sometimes introduce regressions)
  • Standard Android Security (not hardened), no root privileges for the user
  • Verified boot not supported; using Fairphone Open requires unlocked bootloader, bootloader itself is closed-source
  • Modem and SoC glued together on all supported devices (no proper modem isolation, if at all)
  • Google Apps and Services are not included
  • Support period and updates used to be regular but are lagging behind meanwhile; it seems the OEM does not receive firmware updates from the SoC vendor either, as the firmware is from April 2018 and not updated anymore; installing updates is easy for end-users
  • around 180 MB of closed-source firmware required
  • No non-free software required on your computer in order to flash the system to a device

LineageOS

A custom Android distribution based on AOSP but with heavy modifications. Developed by a large community of volunteers. LineageOS also backports security patches to Android versions that are not supported by Google anymore (but only for a limited time).

  • broad device support, many devices that were EOL’d by their original vendors years ago are still supported
  • mostly functional (functional support varies strongly among devices)
  • includes some “privacy enhancements”, however, overall lower security than on standard Android due to userdebug builds
  • no verified boot supported (can be done manually for some Nexus/Pixel devices but quite hard and not documented at all)
  • Modem isolation varies among devices but typically non-existent
  • Google Apps and Services are not included by default
  • Support period and updates vary highly between devices; updates are frequent (even daily) but often delayed due to long review processes; updates often do not cover firmware and EOL periods are not announced beforehand (e.g. I have one device from 2012 that still receives LineageOS updates, yet its flawed firmware hasn’t received updates since 2014); updates are easy to apply for end-users
  • I am not aware of any devices that do not require closed-source firmware (a few devices require “only a few megabytes” of non-free firmware, others often require around 100-200 MB)
  • Usually, no non-free software required on your computer in order to flash the system to a device (there are exceptions though)

OmniROM

A custom Android distribution based on AOSP with moderate modifications. Developed by a community of volunteers. Similar to LineageOS with respect to the discussed properties.

  • limited device support (about half as good as in LineageOS)
  • mostly functional (functional support varies strongly among devices)
  • not hardened for security but slightly more secure than LineageOS due to “eng” builds by default
  • no verified boot supported (can be done manually for some Nexus/Pixel devices but quite hard and not documented at all)
  • Modem isolation varies among devices but typically non-existent
  • Google Apps and Services are not included by default
  • Support period and updates comparable to LineageOS in theory, however, many devices are EOL’d much sooner as only the most recent Android branch receives updates
  • I am not aware of any devices that do not require closed-source firmware (a few devices require “only a few megabytes” of non-free firmware, others often require around 100-200 MB)
  • Usually, no non-free software required on your computer in order to flash the system to a device (there are exceptions though)

Replicant

A custom Android distribution based on LineageOS 13. Developed by a tiny number of developers but strongly backed by many friendly and helpful free software enthusiasts. Progressing slowly due to lack of active developers.

  • only a few very old devices are supported; the newest ones were popular six to seven years ago and can be easily obtained second-hand (well, rather third-hand or worse I suppose)
  • significantly degraded functionality; features such as GPS, Bluetooth, GPU acceleration and Wifi are not available on any of the supported devices as no free drivers for them are available (wifi, bluetooth and gps can be used with the help of external devices via USB-OTG)
  • not hardened for security, provides insecure userdebug-builds with full root access
  • None of the supported devices support verified boot (all require an unlocked bootloader); Even with a locked bootloader, many of the supported devices have severe security issues (e.g. storage is directly accessible via the insecure odin protocol)
  • all devices show good signs of proper modem isolation (the project defined this aspect as an important device evaluation criterion)
  • Google Apps and Services are not included
  • Irregular updates, security patches are often heavily delayed; firmware updates are irrelevant; if available, updates can be easily installed by end-users
  • All supported devices run completely without closed-source firmware on the main processor; non-free firmware that runs on auxiliary baseband processors is required for cellular connectivity (present in the flash of the devices already, not shipped as part of the distribution)
  • Factory-style images available but incomplete (they rely on closed-source bootloaders and firmware already present on the devices)
  • no non-free software required on your computer in order to flash the system to a device

UBPorts

Shortly after Canonical announced the discontinuation of their effort to port Ubuntu and its Unity desktop to their mobile OS named Ubuntu Phone, a community of volunteers emerged and created UBPorts to continue the project. The project uses only the lower layers of Android and builds a completely different UI on top (the same approach FirefoxOS tried earlier).

  • supports around 13 devices, most of them rather dated (but a bit newer than those supported by Replicant)
  • slightly degraded functionality, most stuff seems to work
  • not hardened for security but probably still better than Android since many of its components known for never-ending security nightmares (such as the media framework) are not included
  • None of the supported devices supports verified boot (all require an unlocked bootloader)
  • Modem and SoC glued together on all supported devices (no proper modem isolation, if at all)
  • Google Apps and Services are not included (and not even supported)
  • Updates are frequent and continuously provided, but firmware updates are lacking; easy to install for end-users
  • I am not aware of any devices that do not require closed-source firmware (a few devices require less non-free firmware than others)
  • No non-free software required on your computer in order to flash the system to a device

Truly alternative, non-Android Operating Systems

There are at least three operating systems being developed that are true alternatives to Android because they are not based on Android. This is very promising, as these systems do not suffer from many of Android’s horrible design decisions and UNIX principle violations.

postmarketOS

A classic Linux distribution initially targeted at legacy smartphones that are considered obsolete by their vendors. Developed by volunteers. Based on Alpine Linux (very lightweight). Tries to focus on devices with mainline Linux support instead of running badly outdated stock Android kernels.

  • nice and clear architectural design
  • classic distro packages instead of app store, daily updates
  • not really usable yet, under heavy development (but meanwhile a few devices already have limited support for calls and text messages)
  • emerging “support” for a large number of devices
  • choice between several UIs (most promising to me: Plasma Mobile), however, none of them seems Production-ready yet
  • verified boot with locked closed-source bootloaders and user-supplied keys theoretically possible (only on Nexus/Pixel devices) but not implemented yet.
  • all software available in the regular Alpine Linux repositories is available on postmarketOS as well.
  • free from systemd

Maemo Leste

Maemo Leste is another classic Linux distro for smartphones. It is based on Devuan GNU/Linux, also targets devices with Linux mainline support and works best on devices with keyboards.

  • supports only very old but still expensive devices such as the Nokia N900
  • already quite usable, mostly limited due to the low specs of the outdated hardware it supports
  • supports huge amounts of software because it is based on Devuan GNU/Linux which itself is based on Debian GNU/Linux (however, most of the available software was not designed for the tiny screens of the devices supported by Maemo Leste)
  • free from systemd

pureOS

Another “classic” Linux distribution, obviously targeted at “Librem” devices by Purism. As far as I know, based on a mix of Debian stable and Debian testing.

  • Convergence approach
  • Under heavy development (no real existing phone on which it can run)
  • Uses a homebrew app store named “PureOS Store”
  • No information about planned support period available yet
  • I haven’t read anything concrete about security features such as verified boot yet
  • based on GNOME, requires systemd

Promising devices announced for 2019

I know at least of three vendors that are trying to build devices that would offer great support for running non-Android mobile operating systems on them.

Librem 5

Back in mid-2018, a US-based company named Purism launched a crowdfunding campaign in order to manufacture a mobile device that would run their pureOS system. Meanwhile they shipped a few devkits, but the project is heavily delayed by several months. Here are some quick facts:

  • rather expensive (around 600 US dollars)
  • medium to high-end specs, fairly up-to-date i.MX 8 chipset
  • tries to use only libre-friendly hardware with good Linux mainline support (Vivante GPU, Atheros Wifi etc.)
  • isolated modem, implemented as add-on card (but not clear if it is also properly separated on the bus via IOMMU or similar isolation techniques)

It must be said that there are many critical voices towards Purism out there. Personally, I really appreciate that they stepped up to make the Librem 5. However, I wish their marketing would be more honest and - given the delay of their Librem 5 project - they would invest all of their energy in this thing instead of developing questionable stuff such as the Librem.One service platform. Sure, they want to deliver a product with a good usability, but I think that building the device itself is hard enough and should be accomplished first before spending resources on yet another app store or service platform.

Pinephone

Shortly before FOSDEM 2019, the Chinese company Pine64 (known for their SBCs and entry-level ARM laptops) announced plans to build a cheap low-end mobile phone. Their CEO showed off an impressive devkit at the booth and attracted a lot of developers. Meanwhile, the postmarketOS folks seem to have made great progress towards running their system on the devkit already.

  • rather expensive (around 150 US dollars)
  • well-known, mainlined Allwinner-SoC
  • isolated modem (but not sure yet)
  • uses Mali GPU (free driver for mainline is making good progress over the last months)
  • freedom-friendliness of wifi (Realtek chip on devkit) and bluetooth devices unclear

Necunos

A company named “Necunos Solutions” from Finland aims to build a no-compromises freedom-friendly mobile device. Their philosophy seems to be perfectly aligned with other die-hard FOSS enthusiasts like those driving the Replicant project. They ran a pre-order campaign for a device named Necunos NC1 that promises to deliver a hardened device for journalists and activists.

  • extremely pricey (> 1000 US dollars)
  • medium-level specs, based on rather old i.MX 6 chipset
  • no modem at all (yes - seriously!)
  • promise to make no compromises in terms of freedom-friendliness

They recently posted an update regarding delivery delays of their device due to one of their partners backing down from providing them with the source code of some component (they didn’t name the component). Yet they hope to ship the device in summer 2019 to the people who pre-ordered them. Regarding the OS, they take a similar approach as Pine64, trying to convince one of the free projects (such as Replicant, postmarketOS or Maemo Leste) to support their device instead of reinventing the wheel.

Conclusion and recommendations

Given the current situation, providing clear recommendations is hard as it highly depends on a number of factors:

  • your willingness to run non-free software (esp. firmware)
  • your trust in particular SoC vendors
  • your threat perceptions (e.g. do you see more threats from local or from remote attackers?)
  • your willingness to wait (2019 could be the breakthrough of truly free Linux phones!)

My general recommendation is to find a temporary solution for now and to wait for one of the promising devices to become available instead of “inwasting” money in a recent Android device. Vote with your wallet and stop buying new Android devices full of non-free firmware that threatens your freedom and leads to an utterly low expected lifetime!

So, what could be your options for the meantime (in random order)?

  • get a used device supported by Replicant (Samsung Galaxy S2, Galaxy S3 or Galaxy Note 1), live with the degraded functionality and the devices’ trivial local exploitability. If you can, support development towards newer LineageOS versions to get OS-level security updates with fewer delays in the future.
  • get a used Pixel device and either build AOSP yourself every month for it or give GrapheneOS a try and donate money to the developer. You will be adequately secured from local and OS-level remote attacks by regular thieves etc. and you will get OS and firmware updates every month. However, you have to fully trust the SoC platform and its (non-isolated) baseband firmware. Hopefully, a real alternative will become available soon so you will not have to pollute the environment by switching to newer devices once your device runs out of support.
  • get one of the devices that is supported best by either postmarketOS, Maemo Leste or UBPorts and try to live with the limitations.
  • Recycle an old device and support postmarketOS and other free software projects to help growing a free alternative to Android.

I am really thrilled to see if 2019 will finally be the year of security and freedom on smartphones and other mobile devices!

References
