Linux phones such as the Librem 5 are a major degradation from Android/iOS. They lack any proper security model and
are ridiculously insecure. The comments from the Linux article apply to Linux phones fully
and there is not yet a single Linux phone with a sane security model. They do not have security features such as
full system MAC policies, verified boot, hardened kernels, app sandboxing etc. that modern Android phones do.
Distros like PureOS are not secure at all. They're mostly a reskinned Debian. They enable AppArmor but most
processes still run unconfined so it's mostly useless. They change a few security-relevant
settings but these are also mostly useless as they don't even apply the exec-shield patch so that sysctl
doesn't exist, disabling kexec is to prevent root from booting a malicious kernel but root can do so many other
things to modify the kernel such as loading a kernel module, hiding kernel symbols from /proc ignores
the fact that they're clearly visible in System.map and finally, disabling source routing is already a Debian
default. PureOS also uses linux-libre which prevents you
from loading any firmware updates and the Librem 5 prevents you from even flashing
new firmware manually which leaves you with insecure firmware with known vulnerabilities.
The hardware lacks many modern security features like verified boot, hardware backed keystore and more.
These devices are also not open hardware/firmware unlike what they try to claim. The majority of the
hardware/firmware is still proprietary.
Hardware kill switches are nothing but marketing frills.
The microphone kill switch is useless since audio can still be gotten via the sensors (such as the gyroscope).
The network kill switch is useless since the attacker will just wait until you turn them back on again to exfiltrate
data. If you need to disable network access, you can use airplane mode.
The camera kill switch is no better than some tape.
Modem isolation isn't anything special. Qualcomm SoCs have isolated the modem via an IOMMU for years. The way the Librem 5 isolates
the modem is via the Linux kernel USB stack which is not a strong barrier as shown in the Linux
article.
There is also a lot of misinformation about how the modem being on a separate chip means it's isolated. This is
completely untrue. Just look at how FireWire for example can be used for DMA yet it's completely separate from
the rest of the hardware. Whether the modem is on a separate chip or not is irrelevant to if it's isolated.