last updated: 2023/02/24 General ======= - Was proprietary for its first two years - Forked apps reusing the original package IDs - Prevents users from using the real versions - https://github.com/iodeOS/fdroid/issues/1#issuecomment-1308925420 Content Blocker =============== - Called Snort which is likely a trademark violation of Cisco's Snort IDS/IPS - https://en.wikipedia.org/wiki/Snort_(software) - Uses and redistributes lists which are licensed against commercial use (NC) or redistribution (ALL RIGHTS RESERVED) - https://gitlab.com/iode/os/public/lineage/vendor_extra/-/blob/staging/iode-snort/domains-black - They even note these licenses of the lists they use here - https://iode.tech/en/iodeos-en/ - Runs as root - https://gitlab.com/iode/os/public/blocker/iode-snort/-/blob/staging/iode-snort.rc#L23 - Is in C++, likely has memory safety issues - https://gitlab.com/iode/os/public/blocker/iode-snort Browser ======= - Based on Fenix and falls behind updates - See https://divestos.org/misc/ffa-dates.txt - https://gitlab.com/iode/os/apps/iodebrowser - https://gitlab.com/iode/os/apps/iode-browser-components - Doesn't compile GeckoView from source - Google Play Serivces library is included - https://divestos.org/images/IodeBrowser-GMS.png - Mozilla's Google Safe Browsing API key is included, see section 4.4 - https://www.kuketz-blog.de/iodeos-datenschutzfreundlich-aber-abstriche-bei-der-sicherheit-custom-roms-teil3/ - Sometimes doesn't publish source along with releases - https://gitlab.com/iode/os/apps/iodebrowser/-/issues/2 System ====== - No public changelogs so unable to track monthly security updates here - See https://divestos.org/misc/a-dates.txt - Likely falls behind updates - Today is 2023/03/24 (March), yet there is no _February_ 2023 update for FP4 - Check archive.org for https://github.com/iodeOS/ota/releases/tag/v4-FP4 - Occasional 2-3 month gaps without updates - Check archive.org for https://github.com/iodeOS/ota/releases/tag/v3-FP4 - Uses LineageOS WebView which falls behind - See https://divestos.org/misc/ch-dates.txt - However they do allow use of Bromite, Mulch, and Vanadium which is nice - https://forum.fairphone.com/t/fp4-very-privacy-friendly-custom-rom-iodeos/81070/256 - Uses supl.vodafone.com for fallback SUPL - https://gitlab.com/iode/os/public/lineage/vendor_extra/-/blob/00b53c7e0993b7174c81fc48873ec7a02948795e/overlay/packages/apps/CarrierConfig/res/xml/vendor.xml#L4 - https://gitlab.com/iode/os/public/lineage/vendor_extra/-/blob/00b53c7e0993b7174c81fc48873ec7a02948795e/overlay/frameworks/base/core/res/res/values/config.xml#L26 - This is a CNAME to supl.google.com - https://mxtoolbox.com/SuperTool.aspx?action=cname%3asupl.vodafone.com&run=toolpage - https://forum.fairphone.com/t/supl-vodafone-com-supl-google-com/92855 - At least it doesn't send IMSI to SUPL - https://gitlab.com/iode/ota/-/issues/20 - https://news.ycombinator.com/item?id=25068578#25082714 - Enables SUPL MSA mode - https://gitlab.com/iode/os/public/lineage/vendor_extra/-/blob/00b53c7e0993b7174c81fc48873ec7a02948795e/overlay/packages/apps/CarrierConfig/res/xml/vendor.xml#L6 - MSA mode is bad for privacy as it calculates location on the server's end instead of on-device - https://en.wikipedia.org/wiki/A-GPS#Modes_of_operation - Mode 3 is 1 (MSB) + 2 (MSA) - Good news is that supl.google.com doesn't support MSA, but any carrier specificed override may - Hosts update metadata on GitLab and updates on GitHub instead of their own servers - https://gitlab.com/iode/ota - https://github.com/iodeOS/ota/releases - https://gitlab.com/iode/os/public/lineage/packages_apps_Updater/-/commit/97334f33a7eead51e85648a09f9a178ec46926a0 - Uses Quad9's unsecured DNS endpoint - https://gitlab.com/iode/os/public/lineage/vendor_extra/-/blob/00b53c7e0993b7174c81fc48873ec7a02948795e/overlay/frameworks/base/core/res/res/values/config.xml#L47 - https://www.quad9.net/support/faq - "No security blocklist, no DNSSEC, No EDNS Client-Subnet sent" - Directly uses non-vendored pool.ntp.org address for NTP - https://gitlab.com/iode/os/public/lineage/vendor_extra/-/blob/00b53c7e0993b7174c81fc48873ec7a02948795e/overlay/frameworks/base/core/res/res/values/config.xml#L25 - https://www.ntppool.org/en/vendors.html - Uses 1.x.pool.ntp.org which lacks IPv6 support - https://gitlab.com/iode/os/public/lineage/vendor_extra/-/blob/00b53c7e0993b7174c81fc48873ec7a02948795e/overlay/frameworks/base/core/res/res/values/config.xml#L50 - https://github.com/abh/ntppool/pull/176 - Includes the proprietary Magic Earth app for navigation - Despite FOSS user friendly alternatives existing such as OSMAnd and Organic Maps microG ====== - microG misconceptions - See https://divestos.org/misc/mg.txt Website ======= - Requires JavaScript and a ton of scripts to even load - Even fails PageSpeed - https://pagespeed.web.dev/report?url=https%3A%2F%2Fiode.tech%2Fen%2Fiodeos-en%2F Devices Sales ============= - Sells the Google Pixel 3, 4, 5, and 6 for 279€, 359, and 449€, and 519€ respectively - The 3 and 4 are END OF LIFE and receive no security updates - The 5 has seven months left of support - https://endoflife.date/pixel - A brand new Pixel 6a is only 459€ from Google and regularly goes on sale - https://store.google.com/fr/category/phones?hl=fr - Also supported until July 2027 - Sells the Galaxy S9 and S10 which are both END OF LIFE and receive no security updates - https://www.androidpolice.com/samsung-galaxy-s9-retrospective/ - https://www.droid-life.com/2022/12/29/galaxy-s10-gets-one-of-its-final-updates-fold-4-and-flip-4-freshened/ - Sells the OnePlus 9 which has no bootloader locking support - To be fair most of the other devices they sell (eg. Samsung, Sony) have no locking support either. - https://calyxos.org/news/2022/07/06/oneplus-android-12-relock-issue/ - LineageOS also dropped support due to severe issues - https://github.com/LineageOS/hudson/commit/1cf941cc0fdb7392c388373b3fdfecb3ed8501b1 - Other devices may also be end of life, check them yourself - Devices are arguably overpriced See something wrong? Open an issue or merge request: - https://gitlab.com/Divested-Mobile/DivestOS-Website/-/blob/master/static/misc/i.txt - https://github.com/Divested-Mobile/DivestOS-Website/blob/master/static/misc/i.txt