/e/ OS and security criticism

Hi there! first post.

In the past I had heard criticism of /e/ OS about problematic security. Being an /e/ OS user for multiple Phone generations and incrementally moving my family to /e/ based devices I take such criticism quite seriously so in the past I engaged those critics and mostly it came down to edge cases or weird features they where missing.

Now, a hacker news chat brought me to this comparison here:

I didn’t have time to look into its details but a cursory reading seems to indicate the reviewer was checking out an older build of the os (eg: they claim no parental features).

Can somebody with more experience than me weigh in on that comparison?

I also doubt this is really as up to date as it claims to be. CalyxOS ist discontinued (momentarily), for example. It all boils down to Graphene being the only secure OS in the world, which might be true for all I care.

Can somebody with more experience than me weigh in on that comparison?

tl;dr: the chart is generally accurate, but skewed. If security is the one-and-only concern, it’s a great resource, and pretty accurate. If there are other areas of concern, the chart fails to account for some of them.

So, like Coke vs. Pepsi, Mac vs. PC, KDE vs. GNOME, there will always be fans of one system vs. another, and arguments will continue for as long as options exist. That’s just boilerplate.

In terms of what’s written there…my opinion is that the different options serve different needs and thresholds of privacy requirements…also, ‘privacy’ implies a ‘from whom’ that varies; I’m fine with my wife knowing things that I’m not fine with my employer knowing, and I’m fine with my employer knowing things that I’m not fine with Google knowing.

Put this together, and you’ve got a good amount of explanations about the chart. Of course, Graphene looks pretty good on that chart, and credit where it’s due - you’re hard pressed to find a mobile OS that’s more militant about - or effective at - keeping data on the device. However, the criteria itself seems just a little bit slanted, in my opinion. Take for example “Webview update speed”, or “Can disable USB-C and pogo pins data?”, or “Closed cross-profile package leaks?”, each of which Graphene provides, and the others do not. It’s certainly fair that these functions may matter to some people, and most people would prefer having them than not.

The massive counterpoint here is that the chart either glosses over, or omits entirely, the things that make /e/OS stand out, that Graphene does not come close to addressing. There are a few nods to app compatibility, but nothing firm. This is probably a good thing because Revolut - and lots of other banking apps - will not run on Graphene, while Murena has put time and effort into resolving those issues. WhatsApp can work on Graphene with some effort, but it works on /e/OS out of the box. In fact, I’ve run into more issues with apps barking because I run a rooted phone, than apps barking because I’m running /e/OS. The same isn’t true for Graphene. The chart conveniently sidesteps where apps even come from; one has to manually add the Aurora Store or F-Droid (or ‘adb sideload’, for all the fun that is)…but /e/OS ships with the App Lounge, that has OSS apps and PWAs and Play Store Apps, and can handle app updates, all in a UI that’s as easy to use as the Play Store or App Store. Graphene doesn’t offer anything like this at all.

Similarly, Murena gives options for cloud/PIM services. One can sidestep it entirely, or use Murena’s cloud that has entry-level account options for free and inexpensive paid options, or the Murena team provides install options for one’s own server, or one can use their Google e-mail account, or one can put together their own hodgepodge of NextCloud / IMAP mail / CalDAV / CardDAV, and that too is a common-enough use case. With Graphene…there’s no real solution for this. One can put a Seedvault backup somewhere, and that’s great…but if the chart creator put a dozen rows for all the things available on a Murena account, even Google would look favorable to Graphene on a head-to-head comparison.

Finally, the chart tacitly admits another shortcoming of Graphene, namely that it’s only available on Pixel devices; sixteen of them to be exact - the least of any of the ROMs compared. Calyx supports about 30 devices officially, and another 30ish unofficially. iodeOS supports about 50 devices officially, with another 50 or so supported by the community. /e/OS supports over 200 devices officially, with Ronnie and others building ROMs to cover hundreds more. LineageOS is far more difficult to count based on both volume and live cycle; if one were to count the number of devices that ever received a Lineage port, even if the device is EOL, the number would likely be in the thousands. While there is wisdom from a development standpoint in limiting the supported device list, and to be fair, Pixel phones are pretty easy to come by both in retail and on the used market, this decision does severely limit the number of potential users in a way that a broader compatibility list does not.

In summary, it is my assessment that /e/OS is a middle ground between the two extremes of Google-laden stock ROMs (no privacy at all) and GrapheneOS (Extreme privacy at the expense of usability in a number of areas). The chart does a poor job highlighting this balance, since its focus is on the security functions. That’s fine, but if someone were to make another chart that replaced relatively-obscure security functions like “Hardware memory tagging?”, with “Quantity of Top-100 Play Store Apps which require additional steps to load reliably”, or “Quantity of known banking apps with compatibility issues”, or “photo syncing”, the chart starts to look just a little bit different, with the first party stock ROMs ranking far higher in those categories.

This isn’t to disparage Graphene or the chart. Both are solid projects, and there is a market for an OS that focuses on security above all else. Not everyone can just buy a Boeing Black, but Graphene is probably what I’d consider to be the closest to it. If that’s the desire, I don’t know that I’d recommend /e/OS or iode or Calyx because there are some tradeoffs that a security-above-all-else like Graphene foregoes. However, I am of the persuasion that /e/OS and iode and Calyx all remove or effectively mitigate somewhere between 90 and 98% of the Google/Data Broker snooping by default, in a way that retains compatibility for places where I make a conscious choice to utilize a service that can compromise my security in some way.

To me, it looks as if the comparison is specifically tailored to Graphene OS.

And that’s where I immediately disagree: I don’t believe you can de-Google hardware built by Google. And you don’t criticize Google by buying their hardware.

The central thing to care about is “update lag”.

The chart seems to be in the right ballpark for time ranges, but /e/OS also improved since reacting to the valid criticism esp. on webview/browser (that used to lag gravely) and keeping track of the framework patchlevel per /e/OS release.

One issue for not yet end-of-life’d devices (as the others are borked anyway) is /e/OS supporting more than one Android major per device, multiplying maintainer load and creating update lag on some device-android-version combination not present in other combos concerning firmware and vendor kernel.

Some rows are great features (contact scopes? yes!), others on the hardening side that benefit endangered group of users. The verified-boot row ignores devices where avb is solid though. The chart is well-intentioned.

As always when it comes to security and/or privacy concerns you should ask yourself this question in light of your personal threat model.
For most users, /e/os offers a good balance between security, privacy and usability. I believe this is the way Murena devs are working.

You need to decide who you are and what you want to use your phone for.

If you’re an average person who wants to be mindful about not having companies like Google, Apple, and a host of other tech firms constantly in your pocket—monitoring you, building a profile on you, and selling data about you to other companies for profit—yet you still want a fully functional Android experience with almost all its possibilities, then /e/OS is the perfect choice for you.

However, if you’re some sort of secret agent, activist, investigative journalist in a dictatorial country, or even a criminal, and a full‑featured Android experience isn’t that important because you primarily need your phone for secure communications and strictly protected data storage—and there’s a risk that you could be kidnapped, arrested, or have your phone taken away—then GrapheneOS might be the better option.

that is a good framing.

But personally, what I am curious about is less about how /e/ OS stacks up against spy games and more about how its security profile compares to what regular consumers get from a stock iPhone or stock OEM android.

Although I’m not a developer or programmer, but based on publicly available information I don’t see the security level of /e/OS falling short of the security level of the iPhone or OEM Android devices in any way.
At the same time, /e/OS is clearly much more private.
And privacy is not the same as security!
I can only repeat what I wrote above: You need to decide who you are and what you want to use your phone for.

In the past, some ROMs provided security fixes faster than others. However if I understand it correctly, the situation has changed. The issue now relates to the fact that monthly security fixes (which will be restricted to patches for critical security vulnerabilities) are no longer open source. Google only provides them to verified partners (i.e. stock ROMs). The AOSP which e/OS is based on will only receive quarterly security patches. This does not only apply to e/OS but also affects virtually all other custom ROMs e.g. LineageOS and even GrapheneOS. So basically it means that if you really “care” about security, you somehow have to stick to a stock ROM receiving monthly updates (with a strong hit on privacy since Google will have access to your data). With e/OS or any other custom ROM based on AOSP (incl GrapheneOS by the way), you have to accept a lower frequency of updates i.e. quarterly and thus a “lower” security standard. Is this correct?

EDIT: Note that I don’t intend to start another flame war between GrapheneOS vs e/OS security. I’m not saying that GrapheneOS is now “no longer more” secure than e/OS. Rather, both GrapheneOS and e/OS security will take a hit due to Google’s decision to no longer make the source of monthly patches available (until they reach the quarterly update). So the question is no longer GrapheneOS vs e/OS etc, it is more about custom (i.e. AOSP based) vs stock ROM.

Now is the time to fork off from Google reliance completely.

Wouldn’t it be possible to make a real alternate path that does its own AOSP based OS without relying on Google but still allows app devs to port easily?

So we don’t have to rely and adapt to the whims of google’s direction? But pave our own path completely?

With alternative to Google Pay and all the services kept from de-googled phone users?

And an alternative API that allows banking apps and so on to work.

Okay, I was coming here to ask a security-related question and saw this thread already going - so I’ll piggyback here instead of starting a new thread.

Is /e/ doing (or have they already done) anything about this vulnerability with Pixel’s: Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking - Ars Technica

This one is extremely concerning to me. Concerning enough that if there won’t be a fix I’ll replace the two Pixel 8’s I purchased in the last 6 months and rooted with eOS.

Anyone have the inside scoop at /e/?

Unfortunately it is unrealistic to maintain an OS (fork) without google supporting it.

Most of AOSP OS works because google has the user base and money to maintain this huge project. Without google money we would have nothing, that is to say, something of the like of Firefox OS or Linux on smartphones → no banking apps because there will be no large user base to entice developers to develop apps compatible with the platform

Even Microsoft failed attracting developers to windows mobile, despite the huge investment.

The best approach is probably the one of Murena-/e/OS-micro-G: pressure google thanks to the threat of anti-trust laws and state organizations enforcing competition to force them to keep slightly open their app-store, app-APIs (safety net), app-certifications and AOSP development and protocols.

The lawsuit EPIC vs Apple is maybe the reason why Google is still tolerating AppLounge/Aurora store today

@ITSME while it kind of is in the scope of OPs link to the eylenburg chart (unlock pin throttle, auto reboot, usb disable), I’d still shell this out into a separate Cellebrite thread where you can campaign for more physical security

This topic was automatically closed after 11 days. New replies are no longer allowed.