from the comments https://gist.github.com/anonymous/9f789aabd7e8681dec0cf5781aecf664
In short, expert claims that (1) iOS is more secure than Android (Google phones) (2) is more secure than Android (other vendors) (3) is more secure than various desktop OSes.
(1) due to Apple investing more in security (better security features, Apple not being primarily a spy company, more/longer OS updates, stronger curation of store; latter two linked to single-vendor control of software and hardware). (2) due to more/longer OS updates, less crapware. (3) due to tighter default sandboxing, program access.
Security-first desktop OS projects like Qubes get a brief mention in comments, but focus nearly universally on what journalists (i.e., everyday people) can get stuff done with. I didn't see a mention of ChromeOS, but tendency seems to be that if secure, your own device far preferable to cloud, which would make ChromeOS very suspect.
Like I wrote https://identi.ca/mlinksva/comment/xV1K3Ym_THaiTB852Pw5kw the other day: "It's very easy to accept locked down devices as a mitigation; coming up with better is one of the most significant challenges for software freedom. Heck, maybe the most. As I've commented various times over the last years, though usually in context of people thinking locked devices a good way to mitigate outright device theft."
It's sad that the mobile OS with obviously better (but radically imperfect, speaking of which, nobody is claiming iOS is secure in any absolute sense, only better relative to Android) software freedom is basically Windows II (BTW I can imagine Windows I eventually being about as semi-open as Android if Microsoft continues to release components under free licenses, and Google moves functionality into proprietary blobs or the cloud)...and if we take software freedom to mean control over one's computing, a relatively insecure device is highly questionable, as if the device is compromised, someone else has control over your computing, and not a faceless corporation that wants to sell your eyeballs or force upgrades through obsolescence while you get some utility from a device, but criminals whose business is completely adversarial to your interests.
The situation seems pretty desperate to me. Free software hackers presumably make things better to the extent they do things like make builds reproducible and migrate to more secure languages, but for people (including hackers) to have access to systems that are relatively secure from malicious adversaries requires lots of integration.
Confirmation bias alert: safety and freedom (narrowly construed as four freedoms) are both going to require public regulation. Traditional software freedom advocates are going to have to really up their game or regulation will only mandate safety, and in part through anti-freedom.
Thanks for the links! I have never had an iPhone, nor am I much experienced with Android phones. With this in mind, I will say that journalists are targets of a specific kind. Threat models for them probably are different from those for others. Their social circles and contacts are vulnerable in physical space, for example. Even if a journalist has secure devices, s/he is threatened whenever people s/he cares about are threatened. In this sense, it will be good to decouple what a journalist is doing (and the devices s/he is using) from the person s/he is. If I were a journalist, I would want my work phones and computers disposable and de-linked from my identity at all times. On the other hand, I don't know if this is workable in practice.
Yes, some people doing very sensitive work should take more extreme measures such as only using disposable and identity de-linked devices, and journalists are probably over-represented among people with such requirements. But there's an extra huge challenge with maintaining operational security, even with relatively secure devices. Most people will fail at that. But everyone should have a relatively secure device (inclusive of no device!) to begin with, journalists or not. Almost all of us are bad at security and need all the help we can get and are threatened, if not specifically, then by opportunistic criminals.
@mlinksva I certainly agree with your emphasis on the need of everyday persons, myself being one, for better computing/communication security. My view is that for journalists what is at stake can be personal safety while for most of us it is probably about money and data loss. It is important and hard to communicate good practices to folk to prevent money and data loss, but I think for journalists in danger they will need another set of skills which may well be confusing and impractical for most people.