meta data for this page



Mobian Android[1] IOS
Peer/community reviewed software Yes No No
All OS components built from source Yes No ?
All apps built from source Yes No ?
Closed firmware blobs ? Many ?
Reproducible builds Mostly No ?
Secure boot ? ? ?
Usbguard TODO No ?

[1] Stock Android with Google Apps


Security updates

Currently provided as package updates in Debian Testing

Always-On VPN

VPN functionality will be added to Gnome-Control-Center in the future, but for now you can configure this via nmcli. This guide will explain how to import an OpenVPN connection, and then configure other connections to require it as a “secondary”.

1. Add OpenVPN support for NetworkManager by running sudo apt install network-manager-openvpn.

2. Import your OpenVPN .ovpn file by running sudo nmcli connection import type openvpn file {yourovpnfile.ovpn}

3. Until this is integrated with gnome-keyring, you must store your username and password in the .nmconnection file (currently insecure due to lack of disk encryption, which is coming in the future as well). Edit your VPN config in /etc/NetworkManager/system-connections, where the file is {youropenvpnfilename}.nmconnection. Change the password-flags to 0. At the bottom of the [vpn] block, add username={your username}. Then, below the [vpn] block, add the following:

password={your vpn password}

4. Obtain the UUID of your VPN connection by running sudo nmcli con show {your vpn connection name}; the UUID is the second line.

5. In the same directory, you can now modify any connection, including your cellular one, to bring up and require the VPN connection by adding this to the end of the [connection] block: secondaries={UUID}; (dont forget the trailing semi-colon).

6. Restart NetworkManager with sudo systemctl restart NetworkManager for the changes to take effect.

Disk encryption


Secure boot


Daemon sandboxing

Implemented on some system daemons using unit files

Use `sudo systemd-analyze security` to check the current status

Application sandboxing

Provided optionally by firejail. Not enabled by default.


Protects from unauthorized USB devices being connected. Provided optionally by the usbguard package. Not enabled by default.

Reproducible builds