Detailed comparison of a L5 vs degoogled phone

Maybe I have missed it, or can’t find it, but has anyone here done a comparison of an L5 vs a degoogled phone, such as ones that Rob Braxman offers? For both security, and privacy features for each? What concerns are still present on a degoogled phone, etc. Obviously the manual switches on the Purism phone are a big plus, but for newbies like me, what else don’t I get with a simply degoogled phone?

I ask as I am looking into a degoogled phone to hold me over until the next L5 (fir?) begins production in the next year or three, although I haven’t ruled out Evergreen completely yet if and when they begin to ship regularly in under 2-3 weeks. When I bring the L5 up to friends, the inevitable question of “so like a degoogled phone with manual switches” comes up and I’d like to answer with a bit more info.

1 Like

We can all start building a list. I’ll go first:

  1. A degoogled Android will eventually fall off the development channel and receive no more updates to software or security. An L5 will get development and updates for as long as the hardware is still alive.

  2. Androids with removable batteries are few and far between, so the phone will either be abandoned, or will have to be sent somewhere to get unglued, cracked open, and refurbished. The L5 owner can just purchase a new battery and pop it in.

4 Likes

Based on my understanding of the phone, this is what I know. If I’ve said something that’s wrong, please let me know.

  1. As cell modems go out of support after about 2 years, one can in theory buy a new one and replace the modem on the Librem 5 when that happens instead of buying a new phone. (I believe the driver for the Librem 5 is not open source, but I could be wrong.)

  2. Apps by default in the Linux ecosystem shouldn’t track you at all. This is due to the code being open source (one could remove the tracking stuff if they have the skills, and someone would), and also the community takes a dim view on tracking.

  3. It comes with a stock store of privacy respecting apps, whereas stock degoogled phones don’t come with any app store (you need to download one). Brax’s phones get a pre-installed store (I forget what it’s called), but it is basically the Google store with obfuscated information sent to Google. So in theory your data still gets sent to Google with that, but it’s extremely difficult for Google to tie it to you.

  4. From a security perspective, the Linux phone is a bit worse. This is due to:

    • Not as hardened against attack as Android. (mainly doesn’t make much use of SELinux)
    • Bootloader can’t be locked (mostly this is if someone steals your phone, modifies it and then gives it back to you, they may be able to insert some form of malware)

  5. Due to being almost completely different software wise from the major cell phones, it should be unaffected by virtually all normal cellphone exploits. One would need to write an exploit specifically for this phone. The only thing that it shares with Android (to my knowledge) is the Linux kernel, and even if that has an exploit, the underlying boot/software stack will be so different that the attempt to install malware will likely fail.

  6. Due to its cell modem not sharing the memory with the OS, it should be more resistant to attacks against the cell modem trying to get at the OS. A lot of government level attackers are suspected to use this to gain access to people’s cell phones.

A couple of points, @Steve

Note that /e/ comes with a pre-installed, curated app store, which collects available unpaid apps from various (supposedly secure) sources, and adds a privacy score to each one, listing any anti-features it might have. Many people, myself included, do install the F-Droid repo anyway.

Some applications in the Linux ecosystem can and do track you, e.g. Chromium. Of course, the user has control over what gets installed on the device.

More comparison:

Android is very capable as a phone, but is limited in functionality and freedom, even degoogled, compared to the L5, which is in essence a full desktop computer (with added mobile communications functionality)…and root.

3 Likes

For a newbie like me my Pixel 5 with Graphene is okay till my L5 becomes a daily driver.

2 Likes

How secure is the Librem 5 compared to an Android phone?

How does mobile Linux have any chance against Android and iOS when other OSes failed?

How innovative is the Librem 5?

3 Likes

Let me add a few details to explain this. Each Android and Android Open Source Project (AOSP) version supports 3 long-term service (LTS) kernels. For example, Android/AOSP 11 was released on Sep. 8, 2020 and it is able to run on the 4.14, 4.19, and 5.4 kernels. It will be supported by Google until Jan. 2024 or for 3.3 years.

Most of the time the kernel is not upgraded when upgrading the Android/AOSP operating system because the makers of the mobile System-on-a-Chip (SoC) like Qualcomm, MediaTek, UNISOC and Samsung don’t bother releasing drivers for newer kernels. For example, the Snapdragon 855 only has drivers for the Android kernel 4.14, so a Snapdragon 855 device can only be upgraded from Android 9 -> 10 -> 11, but the upcoming Android 12 will only support the kernels 4.19, 5.4 and 5.10, so there is no way to officially upgrade the device after that, and Google will stop offering security updates on Jan 2024 for Android 11, and Qualcomm will probably stop offering firmware updates for the Snapdragon 855 in late 2021, 3 years after it introduced the chip.

Many Android devices never get an Android upgrade, so they are effectively limited to 3.3 years of support, which translates to 2.7 years of support if they are introduced an average of 6 months after Google released that version of Android. If you buy a Pixel, OnePlus, Android One device or a Samsung Galaxy S/Z, you are going to get two years of Android upgrades and 3 years of security updates. With Galaxy S/Z you are probably going to get 3.5 years of security updates, but if you want anything longer, you will have to buy one of the Android Enterprise Rugged phones which claim to offer 5 years of security updates.

The other route is to install on your own an AOSP-derivative. You might get very lucky and buy something like the LG G2 from 2013, that is able to be upgraded to LineageOS 18.1 (AOSP 11), but many phones have little things that don’t work correctly when installing an AOSP-derivative. As long as the manufacturer keeps offering Android upgrades for a model, it is usually possible for the community to figure out how to get LineageOS to upgrade as well, but after that it becomes a crap shoot. If you buy a Pixel or OnePlus, your chances are higher that you will be able to keep upgrading, but there are no guarantees.

Now, let’s compare that to the Librem 5. NXP says that it will sell the i.MX 8M Quad till Jan 2033, so we can probably count on firmware updates till the mid-2030s. All the hardware in the Librem 5 uses open source drivers, so the community can effectively maintain the drivers as long as there is public interest in using the hardware. Purism is working toward getting all the hardware supported in mainline Linux, so that means that it will be possible to easily upgrade to the latest kernel in the future, even if Purism disappears in the future. Likewise, Purism is working to get all its code changes upstreamed to wlroots, GTK, GNOME and the GNOME apps, so future versions of Phosh should be compatible with minimal work. Even if Purism disappears, Purism has been working hard to get its software (libhandy, libadwaita, Calls, Chats and fractal-next) incorporated into GNOME, so the community will be able to maintain it, and the other parts (phoc, phosh, squeekboard, feedbackd, etc.) are small enough that there is a good chance that volunteers at Mobian, postmarketOS, etc. will be able to maintain them.

With a replaceable WiFi/BT and cellular modem, I think it highly likely that the L5 will still be a functional phone 10 years from now. Look at how long people kept using the N900 from 2009, and it didn’t have many of the advantages of the L5.

All the drivers in the L5 are open source, but the firmware is not. Firmware is usually stored in the Linux file system in /lib/firmware/ and passed to the components during boot, but in the L5, the proprietary firmware is stored in other locations, like an SPI Flash chip. From a comment by @nicole.faerber a couple years ago, I gather that Purism had to pay Redpine Signals to alter its firmware so the RS9116 could load from a different location to meet the RYF requirements. Faerber also made a comment that there is the possibility of using free/open firmware for the microcontroller for the smartcard reader.

ARM, Qualcomm and Samsung claim that their System Memory Management Unit (SMMU) should stop access of memory between the CPU and WiFi/BT, but this article points out that it can be exploited.

It’s worth noting that the cellular modem in the L5 uses USB 2.0 and I2S and the WiFi/BT uses SDIO 2.0, which are communication protocols which don’t allow direct memory access (DMA), so that kind of attack isn’t possible. Despite what madaidan and Daniel Micay may claim, the L5 is safer than Android phones in this regard. However, the USB-C port on the L5 uses USB 3.0, which does allow DMA, so maybe a USB device could be designed to attack the Librem 5 that way, but honestly, I doubt that anyone is going to take that much time trying to figure out how to exploit the i.MX 8M, when there are far better targets like Snapdragon, Helios/Dimensity and Exynos that have millions of phone users.

Android and iOS have better kernel hardening, better sandboxing of apps, and verified boot to prevent modification of the boot files, but they also have the Google Play Store and Apple Store with millions of apps that they don’t know if they can trust. (By the way, for people who want better app sandboxing and verified boot, you might want to wait for the Ubuntu Touch port to the L5, but who knows when that will come.)

With the L5, you keep out a lot of the bad actors simply by installing apps from the PureOS Store and Debian main. You would have to design a FOSS app that can get past the Debian and Purism developers, which would take some obfuscation on your part to hide what you are doing in the code, and you would have to make any network traffic that you generate look like it is harmless, because there is a good chance that someone might get curious and look at it.

The areas where I think people will notice a difference between the L5 and a degoogled phone are the cameras, power management and the available apps. The i.MX 8M doesn’t have an image signal processor and hardware video encoding and NXP says that the i.MX 8M Quad can only encode video in software at a maximum of 1080p at 30fps. I’m guessing that it will be a while before we have suspend to RAM and the BM818 and RS9116 will be able to wake up the system when getting a phone call. Getting support for the OpenPGP card in all the apps will also take a while. Finally, it will take a while to get apps that can match the functionality of Android/iOS apps. I don’t expect to see a FOSS voice assistant AI to replace Google Assistant or Samsung Bixby any time soon.

4 Likes

Interesting report on the scale of Android OS-level data collecting: https://techxplore.com/news/2021-10-reveals-scale-data-sharing-android-mobile.html

2 Likes

Interesting … and sad?

Prof. Doug Leith, chair of computer systems at the School of Computer Science and Statistics in Trinity College Dublin, said: "I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out.

Speak for yourself, mate. We did not miss the massive data collection and there is an opt out. He even mentions one opt out (/e/ OS) and the Librem 5 is another.

2 Likes

So, the De-Googled Pixel 4a running LineageOS 18.1 that I ordered from Rob Braxman for less than a Librem 5 I received in a week, and its hardware is probably 2 years newer than the Librem 5 and comes pre-installed with FLOSS apps that work, including the Aurora Store app that allows anonymous use of at least 80% of the free Google Play apps (Waze) that don’t require Google services.

LineageOS patches are downloaded and installed several times per week.

If I had ordered a Librem 5 I would be waiting 3+ years for old generation hardware at which time I could just buy another De-Googled phone with the latest hardware.

That said, my first choice was a Librem 5 USA but ACTIONS > than words!

LineageOS… #ItJustWorks

Nothing to compare the Librem 5 with a degoogled device. L5 is just a Pure Linux-GNU Phone with zero Android dependencies, obsolescence.

An important thing to add to the list is that the Librem 5 does not have a locked boot loader, and does not lock the phone owner out of root access. The Librem 5 does not have Knox, which is designed to either prevent you from gaining root access to the device, or to impair the device if you do somehow gain root access. These locking features are also tied to proprietary software tools that create and maintain these locks. These locks are also supported by proprietary boot sector information and proprietary firmware. So the proprietary firmware and proprietary programming tools work together to lock you out of your own device. The Librem 5 has the opposite. The phone owner has full access to the device that they own.

Just to clarify, my De-Googled Pixel 4a running LineageOS 18.1 has an unlocked boot loader. See the following for details:

How To Unlock Bootloader on Pixel 4a 5G & Enter Fastboot Mode

Could you theoretically have access to create and install new boot images for a new operating system, or to install a TWRP or Grub-like operating system selector tool?

Your case is very rare in the world of smart phones. But still, usually, there is one or more hidden attributes (hardware or software) that prevent anyone except for the device manufacturer from creating new boot images. Even TWRP only copies and moves the manufacturer’s boot images. If you erase the boot image and don’t have a backup one or can’t find one on-line, typically, the phone will never boot again.

So, I have not personally De-Googled a phone but I don’t think it is as rare as you think, since from what I understand from what I read, unlocking the boot loader is a requirement to De-Googling a phone and although LineageOS is one of the more popular FOSS mobile operating systems based upon the Android Open Source Project (AOSP) distro, LineageOS 18.1, itself, supports DOZENS of devices. See the following:
LineageOS 18 / 18.1: Download Link, Supported Devices and Features.

Interesting discussion so thanks to OP. With the delays in getting my L5 (Ordered Sept 2018) my BlackBerrys were dying so I needed to find an alternative. I went with a Pixel 4a and installed GrapheneOS on it earlier this year.

Some of the input provided by others on this thread I think was missing the point. The key word being De-googled OS. Basically disabling Google Play Services and other features that Google uses to intrude upon your privacy.

I must say, I’ve been really happy with my Pixel 4a w/ GrapheneOS. Since it is de-googled, it does make it more difficult to use for some things that I need. For instance, using Lyft when I travel, or paying someone who prefers to use Venmo, etc. I actually keep an old Android around with nothing else running on it (personal accounts, emails, etc.) to cover some of these needs.

These are some of the things that get at the heart of this thread in my opinion. Life today is getting to the point where if you don’t have an App on your phone that is Android or iOS then you seem to become marginalized in society. Personally, I’m ok with that, because there are many ways you can work around that with a basic web browser.

For me the real benefit of the L5 over Android (I’m hoping since I still don’t have my L5) is what other posters have stated. It basically is a computer in your hand. So, I will (hopefully) be able to set it up to work around most of the pigeon holes companies force you into with Apps. Apps that can intrude into your privacy without you knowing.

The argument for longevity of L5 and its OS not forcing obsolescence is something I’m keeping my fingers crossed on. But, as a Librem 15v4 owner, I know how easily or quickly the older hardware can get taxed. Not by the OS, but the increasingly complex desktop software that runs on it. My fan can run crazy as the CPU is maxing out.

In my mind this isn’t a reason to jump onto planned obsolescence with Android. It’s just something to be aware of.

I’m proud of supporting the work Purism is doing with the L5 as an early supporter. Yeah, I would have really liked to get my phone by now, but I know this is just how these chips fall. I am thankful that Purism has paved new paths with their work on L5 which will boomerang around the industry into new startups and innovations.

I’m a firm believer that the way society is heading you can’t survive with just one phone or laptop, etc. You need devices that serve specific needs based on your own situation. A device as your daily driver. Another device for when you travel internationally and are forced to give up your password by unscrupulous border agents, etc.

So, I do think there are some benefits for having several devices in your portfolio. If you can afford it.

1 Like

The main reason in my opinion is that your device should never be called something with evil in the name. De-Googled also has “Google” in its name. Ground good things never define themselves over bad things, like Light is not called “de-darked”. It is already a problem that you need to remove something so that it becomes less evil.

And compared to smartphones, the L5 makes 2 things completely different and completely good:

  1. It evolves a smartphone to a true pocket computer, where the users can do whatever they have in mind and where people can even change some hardware components.
  2. The hardware itself is (nearly) open source. That opens the doors for further innovations in future.

Also don’t forget all the little things like replaceable batteries. Nothing new, but better than new waste designs.

1 Like

More reporting on the aforementioned study: https://www.theregister.com/2021/10/13/android_os_vendor_variants_transmit/

Kudos to /e/OS again.

[Edit: Apparently the researchers tested LineageOS with GApps installed, so naturally that skews the value of their findings on Lineage the OS.]

Except when you can’t. See many banking/financial services, Uber(?), instant messengers (Clubhouse?), etc. Sorry I can’t give more examples, as I am both marginalized and avoid those too. With time, it’s getting worse, and soon you’ll find yourself excluded too, unless we manage to reverse the trend. I think the Librem 5 is part of this.

1 Like

I’d be very curious to hear more about this, and understand it better. Since before the modern smartphones were a thing, I’ve held jobs where having a smartphone is a liability, and they are strictly forbidden in the workplace.

Though I expect the rest of my career will be the same, I do wonder about my kids, and how to best prepare them for the world. I’ll be honest that hearing about banking apps being a major problem for not being on the phone is the most confusing to me. Why would one want to access their bank from their smartphone? I think this should be a separate topic though or private messages.