security question

PaulK paulk at paulk.fr
Thu Sep 8 08:59:46 UTC 2011 

Le jeudi 08 septembre 2011 à 09:16 +1000, Mark Gobbin a écrit :
> hi im just wondering, how is the security of this phone? 

Hi. The Replicant project currently supports 3 mobile phones: 
* HTC Dream
* HTC Magic
* Nexus One

All these have a Qualcomm SOC (System On a Chip), which is bad on the
freedom and security side because of how the hardware is done. You can
read more about this issue on this page:
http://trac.osuosl.org/trac/replicant/wiki/NexusSTechnicalOverview
(which explains what's the issue with Qualcomm SOC and why the nexus s
doesn't have these issues)

> i hear there are trojan or spyware apps on android now. But then i'm
> thinking, maybe regardless of operating system it may depend on what
> apps I install or grant privileges to?

Well, indeed, there can be trojans on the applications you install, just
as it's possible on a PC. If you chose to use non-free applications on
your replicant-running phone, then you have no idea about what it really
does, and it can indeed potentially be a trojan, or have any other
malicious (anti-)feature. So if the system you use on your phone is 100%
free (as Replicant), it will only depend on the apps you install on the
top of it (unless there is a trojan in the Android free code, but it's
very unlikely since a lot of people have read it).

> is it possible to install android apps or will the apps be totally
> different?

If your question is "are android apps compatible with replicant", the
question is of course yes. Replicant is based on CyanogenMod which is
based on the Android Open Source Project (AOSP) code. Replicant just
removes the non-free bits from CyanogenMod and replaces these with free
code (when it's possible), so the applications are fully compatible. 

So if you install a non-free app that has malicious features, then your
device will be compromised, even if you run replicant. 
Anyway, we have a free-software repository client (an alternative to the
market with only free software) that comes pre-installed on Replicant
and that is called FDroid. You can find more infos about it on
http://fdroid.org/ and browse the available apps.
Just like the whole system, it's unlikely that a free app will have
malicious features because everyone is welcome to study the code of the
app, so if such malicious code was in a free app, someone would have
seen it. 

> im thinking of using this for the reasons of privacy and security
> basically

This is the reason why Replicant exists: to provide (android-derivated)
software that the user has control over: free software. One consequence
of this is that system won't cause privacy issues (but the hardware
itself can, see the rationale). 

-- 
Paul Kocialkowski 
* Site web	: <http://www.paulk.fr/>
* Blog		: <http://blog.paulk.fr>

More information about the Replicant mailing list