/e/ Page says /e/ is ungoogled/degoogled, why is /e/ then connecting to google?

Coming back to this thought …

… as well as seeing this …

https://gitlab.e.foundation/e/backlog/-/issues/5214

… Could you perhaps use the toggles pointed out in the GitLab issue, or uninstall the App Lounge (package name is foundation.e.apps) this way, and have a look whether this changes anything?

Like said, i never touched and started “app lounge”. Not single time.

As you can see in privious posts from me, i blocked like suggested microg and app lounge from internet too. But this didnt seem to help/be the issue.

Sure, i could remove with adb or root all these apps. “App Lounge”, MicroG, etc. But what happens if a update comes over ota? Get this all restored again? Or breaks the updateprocess? Or what happens?

But anyway, this all is only fighting against symptoms. The real issue is, that the devs/founder of /e/ makes statements about /e/ how it safes privacy etc and that /e/ dont make any connection to third party services, wich is in fact not true. its a big lie.

1 Like

No, as you can see in the linked topic.

The App in question gets deactivated for the current user and isn’t available anymore. Which could then perhaps hint at the App in question being the source of the issue, if the troublesome connections would stop appearing.

Of course :roll_eyes:. If the App Lounge is causing this on your phone, it would be an acknowledged issue as you can see, which has to be fixed and naturally would better not have seen the light of day to start with.
But nothing can be discussed anymore without everything being a huge conspiracy and a total outrage. Just tiring.

supl should be A-GPS. This could get interesting, too.

4 Likes

This seems to be from microg too.

Could i remove it completly? So it is NOT possible to restore it again (by me or system or who ever). Dont found a option in the manual of adb until now.

Edit: “Removed” or to be right, deactivated anything i could find. “App Lounge”, microg (4 different apps), mozilla, magic earth, nominatim.

But everything is still on the phone. The only difference is, that the system say they deactivated.

Edit:

beyond1lte:/ $ pm uninstall --user 0 org.microg.nlp.backend.nominatim
Success
beyond1lte:/ $ pm uninstall --user 0 org.microg.nlp.backend.ichnaea
Success
beyond1lte:/ $ pm uninstall --user 0 com.google.android.gsf
Success
beyond1lte:/ $ pm uninstall --user 0 com.google.android.gms
Success
beyond1lte:/ $ pm uninstall --user 0 com.google.android.gms.droidguard
Failure [not installed for 0]
1|beyond1lte:/ $ pm uninstall --user 0 org.microg.gms.droidguard
Success
beyond1lte:/ $ pm uninstall --user 0 com.generalmagic.magicearth
Success
beyond1lte:/ $ pm uninstall --user 0 com.android.vending
Success
beyond1lte:/ $ pm uninstall --user 0 com.reecedunn.espeak
Success
beyond1lte:/ $ pm uninstall --user 0 foundation.e.apps
Failure [not installed for 0]
1|beyond1lte:/ $ [user@titan ~]$

They all still on the device installed.

Edit:

After a reboot, still makes connection to google and amazon:

In the UI ->settings ->system ->advanced ->microG
switching OFF have to be done in the right order : start from the bottom to the top

.

Yeah that wasnt possible. Maybe because of a Bug? Because the “On/Off Slider” dont do anything and stands on “on”. Not matter how hard/precise you decide to touch it.

Anyway, like @AnotherElk suggested, i disabled now App Lounge, Microg, and anything else what have to do with it (still researching how to remove it completly instead of deactivating).

About “supl.google.co_m” i found this german blog: https://www.kuketz-blog.de/android-imsi-leaking-bei-gps-positionsbestimmung/

This seems to fix that. Must find out how to edit it with adb as root, because su is not available.

Than i must find out, what on the phone makes a connection to gllto.glpals.co_m.

Still researching.

Edit: Found one place where gllto.glpals.co_m is written:

beyond1lte:/ $ cat /vendor/etc/gnss/gps.xml

<?xml version="1.0" encoding="utf-8"?> <hal PortName="lhd" NvStorageDir="/data/vendor/gps/"
LogDirectory="/storage/emulated/0/gps/broadcom/storage"

WakeLock="geo"

LPmode="false"
CpColdStart="false"
CpGuardTimeSec="1"
CpLppGuardTimeSec="1"
CpLppeProvideHighAcc3DPosOnComIECap="true"
ReAidingOnHotStart="false"
SuplSslMethod="SSLv23_NO_TLSv1_2"
SuplEnable="true"
SuplUseApn="false"
SuplTlsCertPath="/vendor/etc/gnss/gps.cer"
SuplTlsCertDirPath="/system/etc/security/cacerts"
SuplUT1Seconds="20"
SuplUT2Seconds="20"
SuplUT3Seconds="20"
TcpConnectionTimeout="20"
SuplLppCapable="false"

LbsEnable="true"
LbsServer="BCMLS2.glpals.com"
RtiConfig="gllto.glpals.com:80/rtistatus3.dat"
HttpSyncLto="true"
LbsCellEnable="false"
LtoDir="/data/vendor/gps/"
LtoSyncThresholdDays="1"

IgnoreJniTime="true"
AssertEnabled="false"

IgnoreFwConfig="false"
DisablePglorNmeaCallback="true"

GnssYearOfHardware="2016"
WakelockAlertSec="1800"
EventDumpEnable="true"
AttributionAppPkgName="com.sec.location.nfwlocationprivacy"

/>

<gll
LogPriMask=“LOG_INFO”
LogFacMask=“LOG_GLLIO | LOG_GLLAPI | LOG_NMEA | LOG_RAWDATA”
FrqPlan=“FRQ_PLAN_26MHZ_2PPM_49_152MHZ_300PPB”
RfType=“GL_RF_4755_BRCM_EXT_LNA”
MultiCarrLnaMask =“L1_EXT_ON”
MultiCarrRFMode =“GL_MULTI_CARR_RF_MODE_L1”
WarmStandbyTimeout1Seconds=“10”
WarmStandbyTimeout2Seconds=“15”
RfPathLossDb_Cp=“5.0”
RfPathLossDb_Ap=“5.0”

<gll_features
EnableLowPowerPmm=“true”
EnableBeidou=“true”
EnableGalileo=“true”
EnableACSD=“true”
MPFCollect=“true”
/>

beyond1lte:/ $

Edit: found supl.google.com. Replaced it in every file with “localhost”. Restarted Smartphone, and now only the two amazon services/domains left.

BCMLS2.glpals.co_m and gllto.glpals.co_m

Changing both now too, and then i report again.

(just for some who curious how i found the domains: on /e/ is luckely grep installed. So grep -rnw / -e supl.google.co_m for example shows every file where this domain is set)

3 Likes

is BCM related to wifi portal ?

It seems not. My Research showed that this, or to be pricise the domain bcmls2.glpals.co_m and gllto.glpals.co_m are domains wich the owner is “PERFECT PRIVACY, LLC”. And that, what they want to host, they host it on amazon aws (wich i cant use, because i block everything wich comes from amazon for example like already mentioned). https://www.whois.co_m/whois/glpals.com

The Domains have something to do with (A-)GPS. Replaced any domain with “localhost”.

If you really believe that /e/OS developer are lying to you, I suggest you raise these queries as part of a bug on Gitlab and take this up with the developers. The dev team will not be coming on this forum to discuss this issue, whereas on the GitLab they can be assigned issues, and we can track it to closure.

11 Likes

supl.google.com is default in AOSP, however will likely be overridden by your SIM/carrier.
It can also be overridden on demand during an emergency call, in order to give the operator your location.
AOSP by default sends along your IMEI/phone number to the SUPL for access control reasons.
In A-GPS MSA mode the SUPL will also calculate your location on your behalf.

glpals is just read-only almanac data for GPS.

There are few replacements for either of these.

DroidGuard

This notably downloads and executes proprietary code from Google for SafetyNet.
It is not default enabled in vanilla microG, I hope /e/ didn’t change that.

2 Likes

So even using /e/ Goolag has my IMEI/phone number and possibly location through A-gps?

I had opened a bug for the A-GPS topic one year ago. I think any suggestions or help regarding the A-GPS problem can be added there: GPS daemon tries to access googleapis.com (#2481) · Issues · e / Backlog · GitLab

2 Likes

When can we expect a solution? This is from one year ago… Is this serious? Google tracks location?

2 Likes

@Diana: On one hand it would be interesting why there is no solution yet. So to speak get an update on this matter. On the other hand v1.0 will be released next and officially we are still in beta phase of this product of a non profit organisation. Even with v1.0 we could expect that not all issues are solved. Even big players have a lot of open issues with a v1.0. At this point I would recommend to donate some little amount of money via Patreon. So we could speed up development of this project. I am for myself as ordinary customer/community member do a monthly donation because I know how much money it needs to develop and keep software up-to-date. I think with the size of their team they do extraordinary work. And I hope they do not overstretch their personal capacities. And for the difficulties of this issue please read the conversation on the bug.

By the way - the A-GPS server responding to the requests of the mobile phone depends on the provider of the customized Android software. I think it could be also a Vodafone server for example. And it seems this is hard coded into a special firmware which is separate from the general Android software and closely related to the GPS hardware. The software parts all open Android projects take over from the original phone.
The most shocking part for me is that an unique ID can be sent with it. But it depends on the provider.

3 Likes

@se2019

supl.vodafone.com IS Google:

host supl.vodafone.com
supl.vodafone.com is an alias for supl.google.com.
supl.google.com has address 142.250.138.192
supl.google.com has IPv6 address 2607:f8b0:4023:1009::c0

And the code for sending IMSI is open-source and right here!

I brought it up here back in August of 2021: DivestOS vs. /e/ OS - security and privacy easy - #67 by SkewedZeppelin

This nonsense of “/e/ isn’t security focused” is downright harmful.
Stop giving this company money until they actually start caring about your safety.

1 Like

This page literally has Netflix on it: /e/OS - e Foundation - deGoogled unGoogled smartphone operating systems and online services - your data is your data

You know what DRM Netflix uses? Google Widevine!
Runs highly privileged, phones home to Google too!

Also on that page is Signal!
You know what Signal has? Google Play Services Library!

1 Like

Stop giving this company money until they actually start caring about your safety.

What company are you referring to? I only know about the non profit organisation. And the non profit organisation is limited in its resources.

This nonsense of “/e/ isn’t security focused” is downright harmful.

Yeah. Data privacy is about preventing unwanted drainage of personal data. And you are right this can also happen via security breaches. But then you need something like CC EAL4+ with some threat modelling. OK - maybe start with threat modelling and block the most harmful attack vectors and ensure some basic trust level in the whole production chain. You still need specialized IT personal which costs a ton of money for planning and evaluation. But at first you have to find some experts? The market is bare of this kind of senior experts. And often they are more willing to work for big security companies or take chance to engage into the cryptocurrency space.

I am content with the current state of this project. It is a good start. The security aspect will definitely play a role in the future. When the project get the right traction. At first they need some critical mass in financing. If not we do not need to talk about overall security because it cannot be covered financially.
Security must be paid for. I think that the discussion about data privacy is also about cyber security will be imposed by EU laws in the future. Together with the digital sovereignty some guidelines and maybe public funding will appear. I would like that in the future some technical guidelines together with CC evaluation profiles would be funded by EU. Something like the BSI Technische Richtlinien in Germany.

2 Likes

He probably meens donation to the software foundation, and purchase to the murena phones sellers and for the e-cloud storage hosting,
that is the /e/ business model

1 Like

@piero OK. Thanks for the clarification.

Sadly, Yes.

@anon88181694 yeah: /e/ Page says /e/ is ungoogled/degoogled, why is /e/ then connecting to google? - #18 by neverforget

After editing /vendor/etc/gnss/gps.xml to localhost, its fixed. All other privacy harmful domains i found, i fixed the same way, and pi-hole logged nothing harmful after that.

But, only to be secure, i rooted my phone and installed afwall+ and configured the firewall to block anything except of wireguard and everything in the net of wireguard.

For me personally i dont understand it too, why e.foundation calls /e/OS “deGoogled” and “unGoogled” and still use Google Services like the Playstore or even worse, microg.

Only a suggestion: After flashing /e/OS a Setupscreen shows up to set up Language, Network, Security (PIN, Fingerprint) etc. There i would make a extra screen, where a little info text is like:

“If you want or must to use Google Services like the Apps from the Playstore, or Apps wich needs Google Services, you can enable here microg and the access to the apps from Google”

With default disabled. So if you click next, microg and “app lounge” dont get installed (you could install f-droid instead)

And if you enabled it, the setup installs microg and “app lounge”.

4 Likes