last updated: 2022/12/03

Nice Aspects
============
- Publishes sources and largely develops in the open
- Largely credits the projects they fork
- Friendly and active forum
- Wide device support
- Reasonable pricing for cloud service
- Reasonable markup for device sales
- Maybe the most successful company trying to sell an aftermarket mobile OS to the general public

Web Browser & System WebView
============================
- Currently shipping Chromium 108.0.5359.156 from 2022/12/12 with 165 known security vulnerabilities
  - 2023/02/06: The cycle starts again
  - history: https://divestos.org/misc/ch-dates.txt
- [FIXED] Currently shipping Chromium 100.0.4896.57 from 2022/03/29 with 306 known security vulnerabilities
  - 2023/02/06: they shipped 108.0.5359.156 to users in v1.8.1; however, at the time of writing that is two major versions behind
  - 2023/01/03: they finally updated after being 280 days behind, but not available to users until v1.8 (eta Feb. 2023?)
  - 2022/12/23: work in progress rebase: https://gitlab.e.foundation/e/os/browser/-/commits/5986-master-upstream
    - https://gitlab.e.foundation/e/os/browser/-/commit/453791f1afea6795a1312d9af7f4a061519609b0
  - currently: https://gitlab.e.foundation/e/backlog/-/issues/5986
  - previously: https://gitlab.e.foundation/e/backlog/-/issues/2180
  - https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
  - history: https://divestos.org/misc/ch-dates.txt
  - Note: simply using another browser doesn't mitigate this; the WebView is used by nearly all apps displaying web content
- [Invalidated] Disables the Bromite patch which enables use of HTTPS by default
  - https://gitlab.e.foundation/e/os/browser/-/commit/f89382c8229a256ab6949dda75dce87e5ccb6def
  - Upstream (Bromite) later actually removed this too

App Lounge
==========
- See https://nervuri.net/e/app-lounge
- /e/OS App Lounge repeatedly shipping outdated versions of apps
  - See here Signal 5.52 as the "latest" version, despite eleven newer versions being available at that time
    - https://community.e.foundation/t/problem-registration-signal-app-fairphone-3/44853/4
  - See here Mull 91.2.0 as the "latest" version, despite a year's worth of newer versions being available
    - https://community.e.foundation/t/new-standard-browser-librewolf/42791/41
    - https://divestos.org/misc/ffa-dates.txt
  - More examples
    - https://community.e.foundation/t/outdated-apps-in-store/45739
    - https://community.e.foundation/t/outdated-app-in-app-lounge-newer-version-not-available/44259

Advanced Privacy
================
- Routes users over Tor without actually mentioning it is Tor, only an "IP scrambler"
- Includes the proprietary Mapbox library
  - https://gitlab.e.foundation/e/os/advanced-privacy/-/blob/d4136b0fd1246a3dc30b721b1dfbf0853115c0ff/dependencies.gradle#L115-118
  - https://github.com/mapbox/mapbox-gl-native-android/commit/165dd987cfc33bfb67ffa1ee09fe551b70e427f0
  - With a tracker: https://community.e.foundation/t/advanced-privacy-blocks-trackers-from-e-system/41799
- [FIXED] Ships an end-of-life version of Tor 0.4.4.6 from 2020/11/12
  - 2022/12/03: appears to be shipping Tor 0.4.7.8 now
    - https://gitlab.e.foundation/e/os/orbotservice/-/commits/e_16.6.2-RC-4
    - https://github.com/guardianproject/orbot/releases/tag/16.6.2-RC-4-tor.0.4.7.8.1
  - https://gitlab.e.foundation/e/os/orbotservice/-/blob/e1cc6aef65eb646f347d28174a6b00840c1cb94d/build.gradle#L48
  - https://blog.torproject.org/new-releases-tor-03512-0437-and-0446/
  - https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/CoreTorReleases#end-of-life

PDF Viewer
==========
- See https://divestos.org/misc/appsec.txt

microG
======
- microG misconceptions
  - See https://divestos.org/misc/mg.txt
- Phones home to Google out of the box, despite being "degoogled"
  - https://gitlab.e.foundation/e/os/android_prebuilts_prebuiltapks_lfs/-/blob/main/GmsCore/microg.xml#L9
- Enables SafetyNet checks by default, which downloads and executes obfuscated proprietary code from Google
  - https://gitlab.e.foundation/e/os/android_prebuilts_prebuiltapks_lfs/-/blob/main/GmsCore/microg.xml#L13-14

System
======
- Is consistently behind on the basic monthly AOSP security updates
  - See https://divestos.org/misc/a-dates.txt
- Uses test-keys for verified boot enablement
  - A system with verified boot must boot in yellow state with an aftermarket system
  - The FP4 is known to trust test-keys by default
  - /e/OS when booted on the FP4 does not display yellow, meaning test-keys are in use
  - https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/2
- Includes proprietary Google Widevine DRM on nearly all devices
  - https://gitlab.e.foundation/e/devices/android_device_fairphone_FP4/-/blob/7b2f827428830ad08e6c6aea4f32c69206d41c54/proprietary-files.txt#L373-378
  - Even advertises Netflix on the website; see the third carousel image in the third phone mockup down
    - https://web.archive.org/web/20220720210209/https://e.foundation/e-os/
- Directly uses the non-vendored pool.ntp.org address for NTP
  - https://gitlab.e.foundation/e/os/android_frameworks_base/-/merge_requests/38
  - https://gitlab.e.foundation/e/os/android_frameworks_base/-/merge_requests/39
  - https://gitlab.e.foundation/e/os/android_frameworks_base/-/merge_requests/37
  - https://www.ntppool.org/en/vendors.html
- Includes the proprietary Magic Earth app for navigation
  - Despite user-friendly FOSS alternatives existing, such as OsmAnd and Organic Maps

Sentry Tracker
==============
- Opt-in and with a disclaimer:
  - https://gitlab.e.foundation/e/os/apps/-/merge_requests/261
  - https://gitlab.e.foundation/e/os/BlissLauncher/-/merge_requests/141
  - https://gitlab.e.foundation/e/os/advanced-privacy/-/merge_requests/112
  - https://gitlab.e.foundation/e/os/android_packages_apps_Settings/-/merge_requests/134
  - https://gitlab.e.foundation/e/os/android_packages_apps_Settings/-/merge_requests/132
  - https://gitlab.e.foundation/e/os/android_packages_apps_Settings/-/merge_requests/133

Device Sales
============
- Pays Google for search ads
  - https://community.e.foundation/t/e-on-google-ads/49047 or https://archive.is/qy6w1
  - Thinks it would even be OK to use donated money for that too
    - https://community.e.foundation/t/e-on-google-ads/49047/4
- Sells their `Murena One` phone, which uses the 5+ year old MT6771 system-on-chip from February 2018
  - https://murena.com/shop/smartphones/brand-new/murena-one/
  - https://en.wikichip.org/wiki/mediatek/helio/mt6771
  - This is the same SoC used in the `Brax Phone` and `Simple Phone`
- Sells devices like the Samsung Galaxy S9, which lacks VoLTE under custom operating systems
  - Many carriers are phasing out 2G/3G, making VoLTE mandatory for placing and receiving phone calls
  - https://web.archive.org/web/20221203154649/https://murena.com/shop/smartphones/premium-refurbished/murena-galaxy-s9-refurbished/
  - https://community.e.foundation/t/samsung-s9-currently-unusable-in-usa-without-volte/39255
- Sells devices that are END OF LIFE, like the Galaxy S9
  - EOL devices cannot receive any firmware/blob security updates
  - https://web.archive.org/web/20221203154649/https://murena.com/shop/smartphones/premium-refurbished/murena-galaxy-s9-refurbished/
  - https://9to5google.com/2022/04/04/samsung-galaxy-s9-android-updates-drop-support/
  - https://www.androidauthority.com/samsung-galaxy-s9-end-of-software-support-3149055/
- Sells devices with outdated kernels/blobs/etc.
  - 2+ years old!: https://web.archive.org/web/20221203154521/https://community.e.foundation/t/my-e-exit-interview/45687/8

Cloud Services
==============
- E2EE isn't offered on their Nextcloud instance, citing data loss concerns, yet they leaked user data to other users
  - https://community.e.foundation/t/service-announcement-26-may/41252/27
  - https://en.wikipedia.org/wiki//e/OS#Data_leakage_incident
- Nextcloud Server Side Encryption (SSE) is NOT secure, as they can trivially record your password during the login flow and decrypt your files
  - https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html
    - "The encryption app does not protect your data if your Nextcloud server is compromised, and it does not prevent Nextcloud administrators from reading user’s files."
  - Furthermore, it doesn't encrypt file or folder names
    - "It encrypts only the contents of files, and not filenames and directory structures."
  - SSE was demonstrated as useless in the leak
- Trackers in their newsletter
  - https://web.archive.org/web/20221203154857/https://community.e.foundation/t/tracker-into-the-e-foundation-letter/38178
- Website requires JavaScript

Weather [DEPRECATED]
====================
- Performs requests over HTTP, leaking your location to any observer
  - https://gitlab.e.foundation/e/os/Weather/-/blob/2c623c7a9b4a341dd3fb6a2545e84ebf850d780b/app/src/main/java/foundation/e/weather/utils/Constants.java#L73

Not Covered (nuanced or needs research/sources)
===============================================
- The use of CleanAPK
- The state of kernel security patching
- The use/recommendation of TWRP for recovery
- IMSI to SUPL
  - Which SUPL server is the default? (for example, many "degoogled" systems use supl.vodafone.com... which is just a CNAME to Google)
- Signature spoofing support, with no restrictions

See something wrong?
Open an issue or merge request:
- https://gitlab.com/Divested-Mobile/DivestOS-Website/-/blob/master/static/misc/e.txt
- https://github.com/Divested-Mobile/DivestOS-Website/blob/master/static/misc/e.txt
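The verified-boot point in the System section above (green state plus test-keys on the FP4) can be checked on any device from `adb shell getprop` output. The following is an added example, not code from the DivestOS notes or from /e/OS: the property names are real Android system properties, while the sample values are constructed and the fingerprint is a placeholder.

```python
"""Classify a device's verified-boot posture from `getprop` output."""
import re

# Constructed sample (not from a real device) of what `adb shell getprop`
# prints on a locked device running a build signed with the public AOSP
# test-keys while the bootloader still reports the OEM-trusted green state.
SAMPLE_GETPROP = """\
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]
[ro.build.tags]: [test-keys]
[ro.build.fingerprint]: [example/example_device/example_device:12/BUILDID/1:user/test-keys]
"""

# getprop prints one `[key]: [value]` pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$", re.MULTILINE)


def parse_getprop(text: str) -> dict:
    """Turn getprop's `[key]: [value]` lines into a dict."""
    return dict(_PROP_RE.findall(text))


def assess_verified_boot(props: dict) -> dict:
    """Return the AVB state and the findings an aftermarket-OS user should act on."""
    state = props.get("ro.boot.verifiedbootstate", "unknown")
    locked = props.get("ro.boot.vbmeta.device_state") == "locked"
    tags = props.get("ro.build.tags", "")
    fingerprint = props.get("ro.build.fingerprint", "")
    test_keys = "test-keys" in tags or fingerprint.endswith("/test-keys")
    findings = []
    if not locked:
        findings.append("bootloader unlocked: verified boot enforces nothing")
    if test_keys:
        findings.append("build signed with public AOSP test-keys: anyone can produce an image with the same signature")
    if locked and state == "green" and test_keys:
        # The combination the notes describe: the bootloader trusts a key whose
        # private half is public, so the green state gives no assurance.
        findings.append("green state with test-keys: the bootloader trusts a public key, so verified boot is ineffective")
    elif locked and state == "yellow":
        findings.append("yellow state: a custom AVB key is enrolled, the expected state for an aftermarket OS")
    return {"state": state, "locked": locked, "test_keys": test_keys, "findings": findings}


if __name__ == "__main__":
    for finding in assess_verified_boot(parse_getprop(SAMPLE_GETPROP))["findings"]:
        print(finding)
```

Replace SAMPLE_GETPROP with the real `adb shell getprop` output to assess your own device; a yellow state with release-keys is the result to expect from a correctly signed aftermarket build.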