E/os and security

Hello everyone,
After doing some research on digital security and privacy, I came across a community that wrote a guide on the subject (privacyguides.net/) and I’m a bit surprised by the criticism of e/os and Murena. Reading this thread in particular (/e/OS (Murena) and Fairphone - Tool Suggestions - Privacy Guides Community), I understand that security is a real problem with e/os, which seems to be lagging behind Android’s security updates.
This surprises me a lot, especially since reading about the new features of e/os 3.6 shows that Android’s security updates are due in March 2026.
So what’s the real situation? Is my e/os phone reasonably secure? (Yes, the bootloader is unlocked, but I’m not too worried about a physical attack).
That said, I then looked at the cloud of Murena, and I don’t see any information about end-to-end encryption, for example, which makes me wonder, especially since security is mentioned so prominently.

If you have any answers, I would be happy to hear them. Thank you in advance. 🙂

1 Like

There are substantial threads in the forum. The more recent ones make sense to read. Check out these:

Imo criticism is acknowledged and often warranted, but it isn’t as grim a picture as I read at times; in the end it is Android with more or less mitigation techniques. The divestos txt files were useful at the time to get /e/OS to put more resources into reducing update lag, really.

7 Likes

Thank you so much for this response. I’ve read all the comments and they’re very informative. But ultimately, I’m still left with the same feeling of confusion.

From my beginner’s perspective, there’s a confusion between privacy, which e/os seems to protect well, and security, where e/os seems perhaps a little less confident (but that’s also related to Android, if I understand correctly), and where significant progress has been made.
Perhaps there’s a slight lack of transparency in the various discussions about e/os?
In any case, I’ve come to the conclusion (but again, this isn’t my area of expertise at all, hence my questions and research): privacy is good, but if security isn’t fully guaranteed, is privacy only partial?
Thanks again.

1 Like

What debate are you looking for: /e/OS security in broad strokes, or the soon to be end-of-life’d FP3 from a vendor perspective? The linked thread has good advice, but I doubt that there is a significant difference.

I think you understand this correctly. /e/OS is not optimal in terms of security. If you have reasons to fear that you might be spied on by governments and such it is not a great option. However, in terms of providing you with a functional phone that does not send your data to Google and other advertising companies, and in terms of keeping the possibility of a degoogled Android alive, I think it is an excellent option.

5 Likes

I suggest reading Gael’s Post about this topic: Some clarification regarding security vs privacy in /e/OS

If you really care about security because you are a person with a threat - don’t use /e/OS. Use Graphene instead.
If you care about mass surveillance without a threat - it’s probably fine to use /e/OS. In the end, it’s Android with some changes to remove most Google services.

Also something to consider is which phone do you have or want. Graphene likes to present itself like the best option, and in some ways it is, but the hardware is extremely limited. This is an aspect to consider.

About the cloud: I used it but switched to Proton as it seems more reliable. Although this experience is now a year old, so take it with a grain of salt.

6 Likes

Wow, thank you for your feedback and additional information. It’s interesting once again.

Are @GaelDuval’s comments still relevant? The message is from 2023; have things improved? The work is already enormous!

But more broadly, in my case, it raises the question of the durability of mobile phones because I’m stuck with an FP3 that works perfectly, but isn’t very secure because it’s considered too old. It’s frustrating!
Thanks again for your comments.

And I’d like to add a slight disappointment because the official version of FP3 is no longer being updated, with little forethought from the Murena team. As a result, we’re using phones with limited security while waiting for the update to Android 15 or 16. It’s a bit of a stretch (even if it doesn’t detract from the developers’ work). It certainly raises some questions.

1 Like

Hello,

Thanks for clarifying that.

How can I improve the SECURITY of my device?

I’d also like to know if it’s more secure to use a web browser than an app.

Hi there, Vincent!

Others have pointed out that there is a difference between ‘security’ and ‘privacy’, and while there is an overlap between the two, they are separate concepts, and each has different levels of concern for each user.

Whenever the topic comes up, I link to this academic paper that does an incredible job of comparing and contrasting the two concepts (and their derivatives) in greater detail, but here’s a simplified example: “security” is the protection of your data against someone who is attempting to access your data, by the use of some sort of exploit. Whether it’s physical theft of your phone, or leveraging some kind of software vulnerability, or hacking into your Murena account and downloading the data replicated there…that’s the sort of thing where “security” is the idea of how your data is kept safe.

By contrast…there is “privacy”…and “privacy” isn’t a matter of a security exploit. If you text someone a document or photo intended “for their eyes only”, and they show it to a friend on their phone…that was a breach of privacy. In this example, you know the recipient. Nobody else accessed the data, but there was a breach of privacy because the recipient who had permission to access the data, shared it with someone who didn’t. Most of us who run an aftermarket ROM of any kind, are not here because we necessarily believe that the data Google has will be accessed through some illicit means, or because we believe Google’s services are riddled with vulnerabilities that allow some North Korean hacker to gain access to data they shouldn’t. On the contrary, I think many of us would acknowledge that Google is pretty good at keeping data secure…but either shares that data with people we would not want our data shared with, or is using it internally for tasks we would prefer they did not use our data to perform.

Over the years, I’ve heard lots of back-and-forth about how /e/OS isn’t as adamant about security updates as other ROM projects. There may well be some truth to that. I won’t dispute that possibility - in fact, I’ll even grant the argument. The problem, as I see it, is that the argument rings a bit hollow for me. I have yet to read a case study, a blog post, a forum thread, or even a tweet about a phone running /e/OS, which was remotely exploited and had data exfiltrated, due to a vulnerability present on the /e/OS phone that already had a patch released for it, but was delayed due to /e/OS. Perhaps such a scenario did happen, and I’m open to a link for it…but thus far, I’ve seen a LOT of hand-wringing over update cadence, but purely as a matter of principle.

As far as I’m concerned though, the thing /e/OS has that no one else has available, is /e/Cloud Server. Now sure, I know I’m one of an extreme minority who uses it, but none of the projects who sling mud over security updates even have it as an option. They all get real quiet when it comes to any sort of data syncing or browser-based functionality (“just use Proton!”), but Murena handles that side as well, and even if I have my own complaints on that front…I’m still waiting for any of the other ROM projects to address that side of the equation. Maybe it’s not as safe as commercial services, but it’s at least a choice…and those other projects would do well to make some headway on that side, before arguing that /e/OS is inferior because they’re not quite as fast with patches.

11 Likes

Thank you for this message.
Normally, in terms of security, we always prioritize the website over the application when a website exists.

1 Like

Thank you for your reply and your very kind communication.

I understand your analogy, but if my system isn’t secure, my private communication is likely to be compromised as well, so the two are intrinsically linked.

As for the rest, I agree, I haven’t heard of any hacked E/OS systems, but then again, I’m not necessarily in the right places to hear about it 🙂!

If you ask me, it all boils down to what’s your biggest concern. To me it’s escaping from surveillance capitalism and second sustainability.

So I know that someone with the right skills who has targeted me can compromise my device if he wants to but the daily threat of data extraction and profiling for profit is much more of a threat to my personal life.

10 Likes

No OS is secure,
an article about vulnerability research using an LLM: Claude Mythos Preview \ red.anthropic.com

2 Likes

Of course the two are intrinsically linked to some point, but the final choice depends on what level of security/privacy you finally want. I will dare a comparison to our home, to try to be more explicit, knowing that these are my choices, and maybe another person will make different ones.
If I want to increase security I will first change the front door’s lock (obvious one), but if I want/need more also maybe installing bars in front of my windows, putting cameras everywhere and keeping images in the cloud (not locally, as the local hard drive can be stolen/destroyed). I might sign up for an alarm and if I’m afraid of being personally targeted maybe also a security guard patrol service, so they know when I’m at home and when I’m away, etc…

Now comes the problem (for me) because I’m ok with changing the front door for a better one, and I will just close the blinds but I don’t want to have bars in front of my window, nor a security patrol around my house. I won’t install cameras which record images that can (and will) then be analysed by third-party companies in ways and for goals that I don’t understand. My choice is to prioritize my comfort and privacy over extreme security.

While some choices are common to both privacy and security (eg. good front door, closing blinds), the others depend on where you draw the line, but one thing’s for sure: you can’t have 100% of both worlds I think. There is a balance between high security and high privacy, so you need to make your own choice on your personal criteria and situation. I accept and live with the fact that someone really willing to get into my house can do it, and I don’t want to compromise my privacy for increasing security. Maybe in another situation I would choose more security over privacy.

Then about the delay in updates I would argue that at least there are updates: I’ve lived with (and still use) a CrossCall Core X4 which has had only 1 (maybe 2) updates since 2023, and which is stuck on Android 10. Though I would make a different choice today, I don’t live in constant fear that it will be hacked, or my data compromised (even though they are already known to Big Tech). I’m not trying to point out the worst examples, but rather to put the need for extreme security into perspective (at least in the case of a standard person, doing standard stuff with it).

5 Likes
