Much has been said about the increased security that mobile OS like Android and iOS offer over desktop OS. They are designed from the ground up for a hostile environment, which makes them much better suited for the reality we're facing now. I'll refrain from repeating what others have already expressed better than I could here; for example in this video by THO.

Now, mobile OS are more secure than desktop ones, and GrapheneOS is the most secure mobile OS, so Graphene wins, case closed? Not quite, at least not obviously so. Of course, the security of a system depends partly on how it is used. A user knowledgeable enough about these systems and their threat model might be able to design a relatively secure overall concept even when using relatively insecure tools to do so. But this is always true and doesn't say much about which OS should actually be used. In my opinion, the only real challenger for GrapheneOS to the crown of most secure OS seems to be Qubes OS.

First, I think it makes sense to say that for many people, Qubes OS is simply not suited. GrapheneOS provides the absolutely luxurious option of using something that's as easy as Stock Android, and even very inexperienced users can switch relatively easily. Qubes OS doesn't have that option, especially if you use it in the way it needs to be for its security to really shine – by heavily compartmentalizing. For most, I'd recommend GrapheneOS in a heartbeat because it's extremely unlikely they will a) actually use Qubes and b) use it in a way that even has the potential of beating GrapheneOS. However, the question of which provides better security for a user who utilizes the OS in a way making use of its potential (within realistic bounds) remains valid. Or, if the strengths and weaknesses of the two are different enough to make such an "overall" security assessment nonsensical: Which OS has which advantages, what are its go-to use cases?

Something that seems obvious to me is that GOS will generally be way more secure than a Qubes VM. If you use Qubes with one VM in which you always do everything, I doubt your security will be that much improved over whichever OS you use inside that VM, which will be less secure than GOS. Qubes' strength lies in its use of compartmentalization between different VMs with different levels of trust, that can be erased and created on demand. This means that even though it might be easier to break into a VM on Qubes, that will not necessarily get you far. To truly compromise the system, there needs to be a way for the attacker to infect other VMs, or even the Xen hypervisor itself. Doing so will be much more difficult.

However, GrapheneOS provides options for compartmentalization itself: User profiles. They are a useful tool in general, but can also be utilized at least somewhat similarly to how Qubes uses its VMs. With different profiles with different levels of sensitivity or different application scopes, the attack surface can be decreased for each while giving an attacker more hurdles to overcome. This can also be extremely useful when there's a threat of physical attackers grabbing your phone, as not-running profiles will be encrypted. Installing apps into the owner profile also enables quick creation of a fresh user profile with (for example) nothing more than Tor Browser installed additionally, that can easily be deleted again after use.

I elaborated on my thoughts quite a bit, but please don't confuse this with giving an answer. I hope I was able to identify some general themes or maybe provide some base for complete beginners, but evaluating and comparing the exact level of security is far beyond what I can do on my own. For example, would it generally be more difficult for an attacker to a) on GOS break into a user profile, infect it and spread to other profiles or b) on Qubes break into an untrusted VM, infect it, and spread to other more trusted VMs? I have no idea, and I'm not even sure there's a definite answer – how do you even objectively measure difficulty?

To be fully transparent, I think most of the time, Qubes just isn't an alternative to GrapheneOS, and that's okay. What they focus on achieving is quite different, even though both have security as one of their main goals. Still, I think this question is interesting to ponder and provides great grounds to learn about what makes both of them secure, which in turn increases knowledge of security in general. So, for security, science, or maybe just for fun:

Which is the most secure, Qubes OS or GrapheneOS?

    GrapheneOS, no question -- security starting with hardware, Qubes is just software, and theoretically compromised hardware leads to compromise at the SW level. The only real scenario for Qubes is if you need to be running x64 applications/hardware (e.g. for processing power). From a basic security perspective, I don't think it's close. Sure you can do backflips with Qubes to maximize your security posture, but you're not talking about anything approaching "usability" and you still have to basically trust your hardware. Just my $.02.

    • [deleted]

    iustitia This topic has been discussed numerous times already. Please use the forum's Search feature to read said discussions.

      [deleted] I'm aware it was touched upon, but I haven't found any well-founded evaluations that actually answer the question of which should be considered more secure. It mostly goes "Qubes best for desktop, GOS best for mobile" followed by an opinion not supported by arguments, especially not factoring in the scope that's needed.

      However, I stand to be corrected on this, and I'm sorry if I created this topic needlessly. If someone could point me to an existing answer, I'd be grateful:)

      When it comes to the topic of "MOST" secure, x64 systems just don't really enter into the equation for most threat models. There's no x64 platform that gives you the hardware-based security you get running GOS on a Pixel. The discussion pretty much ends there unless you have a specific threat model or use case that warrants debate, and I don't think there are many.

        Albatross That's interesting, and I definitely see your point. Do you think there's anything that Qubes does better, excluding cases of "I just have to use a desktop"? Are there important security or privacy features not currently available for GrapheneOS, for which Qubes or any x64 platform might be worth using?

          Qubes isn't really even an OS as the average user thinks of an OS, it's a building block for running other OSes/applications in an isolated environment. With that in mind, I would say, no, it doesn't inherently have security or privacy benefits, it all depends what you put on top of it, and how you do it.

          iustitia Qubes is good at isolating with the type 1 Xen hypervisor. It's far more secure than most desktop operating systems if used correctly.

          However, GrapheneOS has security benefits that cannot be replicated on Qubes. Features like full verified boot, bootloader locking, separate encryption keys per user profile, etc. make GrapheneOS superior. Qubes has none of those features and the virtual machines are not encrypted with separate keys either, which is important in case of a physical adversary.

          It is also worth noting that Qubes is very inefficient and uses a lot of power. It is also not user friendly, unlike GrapheneOS which is easy to use and even improves battery life compared to the stock OS.

          It's difficult to compare two different operating systems designed for very different uses.

          • [deleted]

          Please note: The Off topic tag should be used instead of General for highly off-topic threads like this.

          6 days later

          In my opinion, Qubes OS does have several critical drawbacks:

          Outdated Hardware: Many of the Qubes-certified hardware and community-favored models, such as the Lenovo X230, have reached their end-of-life and cannot receive security updates from their vendors. Relying on hardware that's a decade old raises security concerns.

          Lack of Secure Boot Support: Qubes OS does not provide out-of-the-box support for secure boot, and users often have to resort to solutions like HEADS, which may not be compatible with newer hardware.

          Absence of Newer Security Technologies: Qubes OS lacks support for or equivalents of newer security technologies like hardware-enforced stack protection and System Guard (though Trenchboot partially addresses this, it lacks SMM protection).

          Comparatively, I believe that Qubes OS may excel in terms of compartmentalization when compared to Graphene.
          However, it's worth noting that Windows has made significant improvements over the years, offering various isolation methods such as virtual machines, Windows Sandbox, and Win32 AppContainer isolation to sandbox Win32 applications.

            Upstate1618 it's worth noting that Windows has made significant improvements over the years

            I have to wonder why you don't think this is negated by all the telemetry collected and the increasing lack of user control with every new version of Windows. Or maybe you do. Hopefully you do.

              router99
              Yeah you're right. Apart from that Windows requires a Microsoft account at first launch; Windows Defender uploads unencrypted files to cloud; Microsoft Edge and Office also send telemetry data etc. But they are all configurable and my point is security not privacy.

              Well you don't have to create a MS Account to log in. You can skip that if already researched or printed out a webpage(s) but have to be ready to go first to bypass that (don't remember, but I don't on my Win11 Pro new laptop).
              The telemetry in Windows 10, 11 is bad. You can lock down and harden Windows 11 Pro very well now with 22H2 however it's a PITA, Win10 and Home versions are much, much harder to do. Again really need to do a fresh clean install from the start with Win11 Pro as you will have driver issues and have to work around those to implement these hardened things. I don't know for sure, but I know Intel 12th Gen and higher and AMD 7th Gen qualify for the Secure boot and all the other high end lock down methods deployed, there are actually quite a lot after a fair bit of reading and staying up all damn night for 2 nights troubleshooting!! (Even after all this, this laptop will have Debian 12 on it 98% sure, but until then, on backup one now that had Win10 that kept getting too many BSODs, Debian 12 - no problems).
              First and foremost, for Windows Security for Anyone you need to set up a limited account (Local User), I did right away, or almost IIRC.

              https://github.com/proviq/AccountManagement Local User and Group Management is an alternative for the built-in lusrmgr snap-in, making the advanced User and Group Management available to all Windows editions.

              Need to try to enable all the Core Isolation ones for sure and use Edit group policy a bit.

              https://github.com/beerisgood/Windows11_Hardening

              https://www.qubes-os.org/hcl/
              There are very, very, very few laptops that work with Qubes OS. Problem is, to get your laptop to be certified, you need to send two laptops in to them and they work on it for up to a year and fully harden it and then it is certified and ready to go. This is a list of laptops and hardware that people have made work, and what versions and what issues they have. Others can try to make a bootable USB, I like YUMI, but with the new 4.2.0-rc4 (r101323). I should make Rufus or other standalone one as that isn't really the best way to do it for such a finicky OS. Still with people trying them out, there are still almost none that work. That's why if I won the big lottery, I'd throw them many multiple groups of laptops from different price points with and without video cards (AMD, Intel) and submit them to them (plus funds for more qualified people, same for GrapheneOS). That way people can update to 32GB of RAM or 64GB of RAM, but not laptops with that LPDDR crap. Hell I bought 64GB for this laptop even though have 32 GB (Prime Days, not installed yet) I'm typing on it now and just doing Prime Days research and some other things almost ran out of 32GB, that's with no VMs running, I couldn't imagine running something like Qubes OS being as it could be on an older laptop.
              If you read enough in the forums or even the troubleshooting the Hardware compatibility list (HCL) you really do need to know your way around Linux, no way around that. But if it's your second PC and you know it will work with Qubes OS it will make you learn Linux very quickly.

              Unless someone is a very good (sandbox) Linux virtual machine and Android virtual machine hacker then there is no way to truly answer that question. Not just a run of the mill. I've been watching a lot of YT videos on this stuff over the last 10 months, A LOT (175-200 hours). Have been watching them for over 20 years.
              You can search the Hardware compatibility list (HCL) list wiki for laptops, desktops and motherboards; i5-12, i7-12 (12th Gen Intel) for instance and not find many. There was an Asus ROG Zephyrus G14 (GA402RJ) Ryzen 9 6900HS AMD Integrated Graphics (Rembrandt) & RX 6700S that was on the list that was new in early 2022 for $1,500 at Best Buy I think. They had a clearance at $1,100 a little over a month ago but a few open boxes around $750 but I had car problems. Now that could have been upgraded to 64GB of RAM IIRC and been a very nice computer. Wanted a 14" for my 2nd laptop too, still do. As of right now only 2 i7 13th Gen have Intel integrated graphics.

              It all depends on how much time/energy you're willing to put in... On Windows - a lot, on Linux - a lot, on MacOS - some, on GOS - minimal.

              Almost any OS can be made reasonably secure/private but the effort that goes into it can be a deal breaker

              Actually, you're right. GOS is locked down very, very well from the start. Lack of sleep last 7 days. Windows takes a ton of time to lock down, a ton of time. To be honest, the more I think about it, they should N O T even offer the Home version and only have the PRO version with some of the hardened things already enabled. That would force some of the driver & software companies to follow suit. Or eventually, you would have to give them like 3 to 9 months though to get their code in order as I don't think it would be too easy for the smaller ones and/or open-source free ones. You almost need a small IDS - EDR type system on your Windows PC too or a pfSense, OPNsense type firewall box for your home network, not a bad idea in general for all devices but especially for Windows environments. Plan on doing sometime in the future here, probably get a dual LAN Mini PC on Black Friday.
              Linux is better out of the box, but still isn't bulletproof right away. More I think about it, GOS probably is the most locked down, has newest security updates for Android. Qubes OS if you look at the Hardware compatibility list (HCL) many of those are running on an old kernel and no way to know for sure if updating causes a problem, assume it does not, but haven't read tons and tons of their forums yet. Have some eBay laptops saved that work with it, but not even close to a priority right now. If get a great deal on one (probably no HD or power supply type, so super cheap). I would just check maybe once to make sure motherboard works and it is ok, assuming get one with option to return, but that's it. I wouldn't have time to install & mess with until next year probably, as I know Qubes OS could take like 6 to 10+ hours trying to troubleshoot or reinstall and set it up again a better way (?). Sorry for previous post, don't know why that one github Local User thing is sooo Huge.