Over the past few months, I embarked on a rewarding digital journey to move away from US big tech and towards more European [EU], open source [FOSS], privacy-oriented [P], and decentralized [D] alternatives.
I'm sharing my experience here in case it can be useful to others, as well as to gather any additional thoughts or suggestions:
- Desktop OS: Microsoft Windows 11 --> OpenSUSE Tumbleweed + KDE [EU][FOSS]
- Web browser: Google Chrome --> Brave --> Vivaldi --> Mozilla Firefox + Strict privacy settings, uBlock Origin, Privacy Badger, Conset-O-Matic [FOSS][P]
- Email: Gmail --> Infomaniak Mail [EU][FOSS]
- Calendar: Google Calendar --> Infomaniak Calendar [EU][FOSS] + OneCalendar [EU]
- Files: Dropbox --> Infomaniak kDrive [EU][FOSS]
- Photos: Google Photos --> Infomaniak kDrive [EU][FOSS]
- Notes: Google Keep --> Notesnook [FOSS][P]
- Social Media:
- Facebook --> Nothing
- Twitter/X --> Mastodon (
mas.to) [EU][FOSS][D]
- Reddit --> Lemmy (
lemm.ee) [EU][FOSS][D]
- AI Chatbot: OpenAI ChatGPT --> Mistral AI Le Chat [EU]
- Videos: Youtube --> Unwatched [EU][FOSS][P]
- Podcasts: Apple Podcasts --> Spotify --> Pocket Casts [FOSS]
- Translate: Google Translate --> DeepL [EU]
- Maps: Google Maps --> Organic Maps [EU][FOSS][P]
- Weather: Apple Weather --> YR [EU]
- Online payments: PayPal --> Revolut [EU]
- Password manager: LastPass --> Mozilla Firefox --> Bitwarden [FOSS][P]
- Online shopping: Amazon --> Cdiscount [EU]
- Travel booking:
Booking.com --> Direct booking
And here's the list of things I couldn't let go of:
- Mobile OS: iOS | I have a business iPhone which is also my personal phone
- Messaging: WhatsApp | The network effect is too big here: family, friends, local businesses, etc
- Streaming services: Netflix, Amazon Prime Video, Disney+ | These come basically for free with my ISP and are too convenient for the moment (esp. w/ kids)
WhatsApp is the big one, that shit is a proven vulnerability. It was literally the vector for zero click access to Android devices in the Pegasus toolkit.
One way around it is to have a separate device for WhatsApp itself, then use WhatsApp4Web from F-Droid. It's basically a web wrapper for the browser version of WhatsApp, but it does run somewhat independently of the main WhatsApp device (unlike eg Threema where the website won't work unless the device has internet).
I realise this is not possible for iOS but may be useful for others: my neighbourhood chat is in WhatsApp so I keep it in a separate profile on CalyxOS. WhatsApp4Web sounds good though, so thanks!
It's only just about functional and clunky as fuck. But if you want to get rid of WhatsApp from your device but still need to talk to someone in it then it's a good shout.
They're using an iPhone so F-Droid is off the table. Is it also an attack vector on iOS?
Probably not. Back when the WhatsApp Pegasus vulnerability happened, there was a vector on iOS, but it was iMessages.
I don't know any first hand details, but my suspicion is that the way WhatsApp on Android worked was via Facebook system apps bundled with the phone by the manufacturer. Back in the day, Facebook itself used to be a system app on some phones (making it difficult to remove), but gradually they moved away from that to having the Facebook or WhatsApp apps be the same as the one on Google Play, but there would be a separate system app that would be much harder to remove. I suspect this system app used various exploits for further data mining by Facebook (perhaps even gaining microphone access so they can present ads based on what you say?) and that the Pegasus hack got into WhatsApp, then simply called the system app to use its established exploits. One other thing that maybe points to this: the Pegasus hack would only sometimes be effective on Android phones, and researchers couldn't pin down why. To me, that suggests some other app or configuration variation.
WhatsApp on iOS shouldn't have this vector, as Apple control both software and hardware on their phones, hence why the strategy was to go for Apple apps directly (as they had the direct access to system level permissions, like I'm alleging Facebook sometimes had on Android).
Like I say, the exact workings of the hack are my own assumptions, and I understand that the WhatsApp Pegasus entry vector has been patched, but ultimately I don't think Facebook/Meta or any of their apps are trustworthy and encourage people to remove them from their devices.