Is Android security in Sailfish OS obsolete?
I would be grateful if any real experts in Android security would comment on what I have written here. I know a little about all this, but I freely admit that my knowledge is rather superficial and I am more than willing to be corrected if I have got any of this wrong.
TL;DR: An important security protocol that is available on native Android 4.4.4 is not available under Alien Dalvik. This means that services that depend on using Android apps may not work on Alien Dalvik + SFOS, even though they do work on mainstream Android installations of the corresponding version. Android apps that work now on SFOS may stop working without warning if the services that they depend on drop support for older security protocols.

I started looking into why I could not see pictures or videos that other people sent me when using the Android Wire messenger app on SFOS, when I could see the media in the app when using it on Android. I also observed that profile pictures/avatar images and previews of shared web links are also unavailable on SFOS. Someone else posted about the same problem on TJC here: https://together.jolla.com/question/...e-no-pictures/

This GitHub issue https://github.com/wireapp/wire-android/issues/518 suggests that the problem happens when Google Play Services are not available:

* The Android Wire app tries to use GCM (Google Cloud Messaging) to retrieve shared media such as pictures, video and previews of web pages. This fails if Google Play Services are not available.
* The Wire app then falls back on a WebSocket protocol to try to retrieve the media.
* The service provided by Wire requires a handshake using TLS v1.2 for the WebSocket protocol to work.
* Under Android 4.4.4, TLS v1.2 is provided by Google Play Services, so the handshake fails on any Android 4.4 platform where Google Play Services is not available, including Alien Dalvik.
* Wire are not prepared to support TLS of a lower version than 1.2 on their service: that would be an unacceptable weakening of their security.

I have experimented a bit with Riot.im, and have found that with the Android Riot.im app on the matrix.org instance, images can be exchanged successfully. In principle, I could switch to this service, and try to persuade everyone that I currently communicate with on Wire to follow me to a Matrix-based service. I do not see this as a solution though: the administrators of matrix.org (or other Matrix instances) could drop support for older versions of TLS and I would then be in the same situation as I am now with Wire.

Some Android apps clearly do support TLS v1.2, for example pointing Android Firefox on SFOS to https://www.howsmyssl.com/ shows that TLS v1.2 is supported. This is presumably because the Android build of Firefox includes its own TLS library, and doesn’t rely on Google Play Services to provide it. However, it is not reasonable to expect every Android app to do this, if Google Play Services on Android 4.4.4 provides the latest version of TLS.

Is there any possibility that support for TLS v1.2 in Alien Dalvik on SFOS could somehow be provided? Maybe in microG, or by some kind of pass-through to SFOS itself? If this doesn’t happen, support for Android apps in SFOS that require access to secure services will gradually degrade as service providers drop support for older versions of TLS. I suspect that Wire is not the only app affected by this. Porting security patches from Android 4.4.x to Alien Dalvik won’t make any difference to this issue.

One commenter on the TJC thread linked to above does see media load in the Wire app, and has speculated that this is because they have installed the NextCloud app and synchronise Wire media with their NextCloud storage. This is unconfirmed so far, but if it is true then it suggests that it is possible to provide support for TLS v1.2 without having to get into the internals of Alien Dalvik.

The lack of support for up-to-date security protocols in Alien Dalvik (as compared to SFOS itself) has also been noted on TJC here: https://together.jolla.com/question/...ersations-app/

As I said at the start, I would be grateful for any comments on this from anyone with real expertise in this area.
Re: Is Android security in Sailfish OS obsolete?
Quote:
Anything that depends on Google Services cannot be secure by any length of imagination, the whole bloody pile exists there just for the purpose of taking your control away and massaging you into nice munchable bites of data for the G-machine...! :( I suggest that you do the sensible thing and lose android, which means both the real thing and anything that is capable of running those applications...
Re: Is Android security in Sailfish OS obsolete?
Quote:
If Wire absolutely required GCM and there was no fallback, then you are right, and I would have already dropped Wire ;)
Re: Is Android security in Sailfish OS obsolete?
Quote:
As it is, SailfishOS is being presented with an Android layer so "you don't have to miss your favorite apps." Right now, I couldn't do without. I have only 1 phone with me, running SailfishX. My network, family included, communicates through Whatsapp. I want to take a glimpse at my bank account occasionally, and I like to play Wordfeud. Losing the Android layer would force me towards an Android phone and I don't like that idea. I think pacman's question raises some sorrows for Jolla/SailfishOS for the usefulness of the Android layer in the future. And already now, some apps won't install even though the minimum requirement of Android 4.4 seems to have been met in SailfishOS. I hope we can get and keep proper compatibility.
Re: Is Android security in Sailfish OS obsolete?
No no, @rob_kow; I am not purposefully bashing AD here, of course it is the lesser evil when compared to a full-blown android. (but you still should not poison your installation with gapps...)
What I am condemning is the whole idea of "apps", you are better off without. You know, abstinence makes you saintful, right? :D:D
Re: Is Android security in Sailfish OS obsolete?
Quote:
With regards to Matrix, have you seen there is a native Matrix client in openrepos here? I haven't used it myself yet, but thought it might be of help to you.
Re: Is Android security in Sailfish OS obsolete?
Quote:
As for Matriski, it is a text-only client.