Flatpaks and Firefox Sandboxing and Security

Around 2020, there was chatter about how Flatpaks use faulty sandboxing and that Firefox is less secure than Google Chrome.

Three years later, how secure are Flatpaks? Let’s compare the extent of sandboxing and security of Flatpaks against an Android app on a Chromebook, which is sandboxed really well.

And how has Firefox improved when it comes to security parity with Google Chrome? Firefox has always been more private than Google Chrome with features like Containers (when is this coming to Chromium-based browsers?). Surely, Firefox security is to Chrome security as iOS security is to conventional Android security. Pretty neck and neck, correct?

Another question about Flatpaks:

Suppose I want to download Microsoft Edge as a Flatpak. Microsoft does not mention Flatpak on their site: https://www.microsoft.com/en-us/edge/download

However, Flathub implies Microsoft has a hand in it: Microsoft Edge | Flathub

Why does it say “by Microsoft Corporation”? I see a lot of Flatpak apps have “by XYZ” and then say “NOTE: This wrapper is not verified by, affiliated with, or supported by XYZ”. What are some valid risks with the Flathub one? Are these Flatpak counterparts as safe, more risky, or more safe than their, say RPM and DEB counterparts, officially published by a developer?

I’ll answer what I’m reasonably confident in.

Flatpaks are not as good at sandboxing as Android or ChromeOS. There may be more technical reasons why, but a big part is that Flatpak permissions tend to be more permissive than they should be because there isn’t a way to regulate what they get. As of now you have to trust the developer to set good permissions or use Flatseal to edit them yourself.

I think most folks on this forum will admit that Chromium is more secure than Firefox. However, is the difference big enough that you should only use Chromium or that Firefox is insecure? I would argue no. To me, the difference for the security threats that most people face is negligible and you should feel comfortable using either browser.

Flathub will credit the developers for the packages on the repo, but you have to see if it says the package is verified to know that it actually came from the developers themselves. Firefox is actually directly from Mozilla, whereas Edge must be community maintained.

Fun fact, there is actually concern about the flatpak versions of Chromium browsers. Here’s an explanation from someone on the Vivaldi team for why they don’t currently package a Vivaldi flatpak.

From the post:

In short, Flatpak doesn’t allow important parts of the Chromium sandbox to work as intended by the Chromium team, when running under Flatpak. So you either end up with no internal (interprocess) sandbox or one which is replaced with something potentially weaker and certainly less well understood and tested. Zypak is maintained by a single person. Those responsible for the Chromium sandbox are a whole team.

If you check you will see that none of the Chromium-based browsers are officially supported by their developers. That on its own is a factor to consider, but depending on your threat model you may also want to think about whether you want to use a Chromium flatpak at all.
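The permissions point in the answer above (you have to check what a Flatpak is granted and tighten it yourself) can be turned into a quick check. The script below is an added example, not code from this thread or from the Flatpak project: it parses the key-file text that `flatpak info --show-permissions <app-id>` prints (a `[Context]` section of semicolon-separated lists plus `[Session Bus Policy]` entries) and flags the grants that effectively undo the sandbox. The `SAMPLE` text is constructed for the example, and the list of what counts as risky and the wording of each reason are this example's own choices.

```python
"""Flag over-broad grants in `flatpak info --show-permissions` output.

Input is Flatpak's key-file metadata: a [Context] section whose values are
semicolon-separated lists, and a [Session Bus Policy] section mapping D-Bus
names to talk/own/see/none.  Reads stdin when piped, else audits SAMPLE.
"""
import configparser
import sys
from typing import Dict, List

# Constructed sample, shaped like `flatpak info --show-permissions` output.
# It deliberately contains several grants a reviewer would push back on.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;all;
filesystems=host;xdg-download;~/.config/foo:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

# Grants that weaken or void the sandbox (example's own selection and wording).
RISKY_CONTEXT: Dict[str, Dict[str, str]] = {
    "sockets": {
        "x11": "X11 has no client isolation: any X client can snoop input and windows",
        "session-bus": "unfiltered session bus: can talk to every user service",
        "system-bus": "unfiltered system bus",
    },
    "devices": {"all": "all of /dev, including raw disks and input devices"},
    "filesystems": {
        "host": "access to the entire host filesystem",
        "home": "access to the whole home directory",
    },
    "features": {"devel": "relaxes seccomp to allow ptrace and similar debugging calls"},
}

# D-Bus names whose talk/own policy gives a route out of the sandbox.
RISKY_BUS_NAMES = {
    "org.freedesktop.Flatpak": "flatpak-spawn --host: runs commands outside the sandbox",
}


def parse_permissions(text: str) -> Dict[str, List[str]]:
    """Return {context key: [entries]} plus 'Session Bus Policy': ['name=policy', ...]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep D-Bus names case-sensitive
    cp.read_string(text)
    perms: Dict[str, List[str]] = {}
    if cp.has_section("Context"):
        for key, value in cp.items("Context"):
            perms[key] = [v for v in value.split(";") if v]  # drop trailing empty item
    for section in ("Session Bus Policy", "System Bus Policy"):
        if cp.has_section(section):
            perms[section] = [f"{name}={policy}" for name, policy in cp.items(section)]
    return perms


def audit(text: str) -> List[str]:
    """Return one finding per over-broad grant; an empty list means nothing flagged."""
    perms = parse_permissions(text)
    findings: List[str] = []
    for key, risky in RISKY_CONTEXT.items():
        for entry in perms.get(key, []):
            name, _, mode = entry.partition(":")  # "host:ro" -> ("host", "ro")
            if name in risky:
                suffix = f" ({mode})" if mode else ""
                findings.append(f"{key}={name}{suffix}: {risky[name]}")
    for entry in perms.get("Session Bus Policy", []):
        name, _, policy = entry.partition("=")
        if name in RISKY_BUS_NAMES and policy in ("talk", "own"):
            findings.append(f"talk-name={name}: {RISKY_BUS_NAMES[name]}")
    return findings


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in audit(source) or ["no over-broad grants found"]:
        print(finding)
```

Run it against a real app with `flatpak info --show-permissions <app-id> | python3 flatpak_audit.py`. Anything it flags can be removed per app with `flatpak override --user`, for example `--nofilesystem=host` or `--nosocket=x11`; Flatseal edits those same per-user override files, so the two approaches are interchangeable.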