• poVoq@lemmy.ml
    4 years ago

    Well, this does raise some valid points, and the communities around these phone OSes could probably do a bit more to not raise wrong expectations. There are a lot of people who apparently think these phone OSes are somehow magically more secure, but that is at best just a result of being so obscure that no one has bothered looking for exploits ;)

    The problem I have, however, is that such articles indirectly promote the idea (as found in the Android / iOS ecosystems) that you can establish a “zero trust” zone on your operating system (via a sandbox etc.) and then put up an app store with free 3rd-party access.

    This kind of security model was the big idea in the early 2000s when Android was first developed, and Ubuntu Touch, for example, also tries to emulate it. But I think by 2020 it is safe to say that it has utterly failed and can only be kept somewhat working with massive security teams and constant updates.

    I think the only reason these companies stick with it is that the resulting app stores are massively profitable, despite being quite obvious malware distribution channels on an equally massive scale.

    The alternative model, one that I call “chain of trust”, is what can be found on F-Droid or most Linux distributions. There is no default way for 3rd parties to get direct access to the repository/system, and (unless the user specifically uses something like a PPA, the AUR, AppImage, Snap or Flatpak) all software is first tested and compiled by several people unrelated to the original developers.

    While far from perfect, this is the much more resource-efficient and flexible security model that solves a social problem (malware) with a social response, instead of following the fallacy of trying to find a technical solution.