/e/ Page says /e/ is ungoogled/degoogled, why is /e/ then connecting to google?

If you really believe that /e/OS developer are lying to you, I suggest you raise these queries as part of a bug on Gitlab and take this up with the developers. The dev team will not be coming on this forum to discuss this issue, whereas on the GitLab they can be assigned issues, and we can track it to closure.

9 Likes

supl.google.com is default in AOSP, however will likely be overridden by your SIM/carrier.
It can also be overridden on demand during an emergency call, in order to give the operator your location.
AOSP by default sends along your IMEI/phone number to the SUPL for access control reasons.
In A-GPS MSA mode the SUPL will also calculate your location on your behalf.

glpals is just read-only almanac data for GPS.

There are few replacements for either of these.

DroidGuard

This notably downloads and executes proprietary code from Google for SafetyNet.
It is not default enabled in vanilla microG, I hope /e/ didn’t change that.

2 Likes

So even using /e/ Goolag has my IMEI/phone number and possibly location through A-gps?

I had opened a bug for the A-GPS topic one year ago. I think any suggestions or help regarding the A-GPS problem can be added there: GPS daemon tries to access googleapis.com (#2481) · Issues · e / Backlog · GitLab

2 Likes

When can we expect a solution? This is from one year ago… Is this serious? Google tracks location?

2 Likes

@Diana: On one hand it would be interesting why there is no solution yet. So to speak get an update on this matter. On the other hand v1.0 will be released next and officially we are still in beta phase of this product of a non profit organisation. Even with v1.0 we could expect that not all issues are solved. Even big players have a lot of open issues with a v1.0. At this point I would recommend to donate some little amount of money via Patreon. So we could speed up development of this project. I am for myself as ordinary customer/community member do a monthly donation because I know how much money it needs to develop and keep software up-to-date. I think with the size of their team they do extraordinary work. And I hope they do not overstretch their personal capacities. And for the difficulties of this issue please read the conversation on the bug.

By the way - the A-GPS server responding to the requests of the mobile phone depends on the provider of the customized Android software. I think it could be also a Vodafone server for example. And it seems this is hard coded into a special firmware which is separate from the general Android software and closely related to the GPS hardware. The software parts all open Android projects take over from the original phone.
The most shocking part for me is that an unique ID can be sent with it. But it depends on the provider.

3 Likes

@se2019

supl.vodafone.com IS Google:

host supl.vodafone.com
supl.vodafone.com is an alias for supl.google.com.
supl.google.com has address 142.250.138.192
supl.google.com has IPv6 address 2607:f8b0:4023:1009::c0

And the code for sending IMSI is open-source and right here!

I brought it up here back in August of 2021: DivestOS vs. /e/ OS - security and privacy easy - #67 by SkewedZeppelin

This nonsense of “/e/ isn’t security focused” is downright harmful.
Stop giving this company money until they actually start caring about your safety.

1 Like

This page literally has Netflix on it: /e/OS - e Foundation - deGoogled unGoogled smartphone operating systems and online services - your data is your data

You know what DRM Netflix uses? Google Widevine!
Runs highly privileged, phones home to Google too!

Also on that page is Signal!
You know what Signal has? Google Play Services Library!

1 Like

Stop giving this company money until they actually start caring about your safety.

What company are you referring to? I only know about the non profit organisation. And the non profit organisation is limited in its resources.

This nonsense of “/e/ isn’t security focused” is downright harmful.

Yeah. Data privacy is about preventing unwanted drainage of personal data. And you are right this can also happen via security breaches. But then you need something like CC EAL4+ with some threat modelling. OK - maybe start with threat modelling and block the most harmful attack vectors and ensure some basic trust level in the whole production chain. You still need specialized IT personal which costs a ton of money for planning and evaluation. But at first you have to find some experts? The market is bare of this kind of senior experts. And often they are more willing to work for big security companies or take chance to engage into the cryptocurrency space.

I am content with the current state of this project. It is a good start. The security aspect will definitely play a role in the future. When the project get the right traction. At first they need some critical mass in financing. If not we do not need to talk about overall security because it cannot be covered financially.
Security must be paid for. I think that the discussion about data privacy is also about cyber security will be imposed by EU laws in the future. Together with the digital sovereignty some guidelines and maybe public funding will appear. I would like that in the future some technical guidelines together with CC evaluation profiles would be funded by EU. Something like the BSI Technische Richtlinien in Germany.

2 Likes

He probably meens donation to the software foundation, and purchase to the murena phones sellers and for the e-cloud storage hosting,
that is the /e/ business model

1 Like

@piero OK. Thanks for the clarification.

Sadly, Yes.

@SkewedZeppelin yeah: /e/ Page says /e/ is ungoogled/degoogled, why is /e/ then connecting to google? - #18 by neverforget

After editing /vendor/etc/gnss/gps.xml to localhost, its fixed. All other privacy harmful domains i found, i fixed the same way, and pi-hole logged nothing harmful after that.

But, only to be secure, i rooted my phone and installed afwall+ and configured the firewall to block anything except of wireguard and everything in the net of wireguard.

For me personally i dont understand it too, why e.foundation calls /e/OS “deGoogled” and “unGoogled” and still use Google Services like the Playstore or even worse, microg.

Only a suggestion: After flashing /e/OS a Setupscreen shows up to set up Language, Network, Security (PIN, Fingerprint) etc. There i would make a extra screen, where a little info text is like:

“If you want or must to use Google Services like the Apps from the Playstore, or Apps wich needs Google Services, you can enable here microg and the access to the apps from Google”

With default disabled. So if you click next, microg and “app lounge” dont get installed (you could install f-droid instead)

And if you enabled it, the setup installs microg and “app lounge”.

4 Likes

You’re not wrong of course, but a large part of the intended target audience of /e/OS wouldn’t understand what that means and what the consequences are in practice.
Support and the forum would probably get flooded with “Where are the Apps?” and “Nothing works!”

e foundation have decided where they want to go with the OS, and they decided to include microG for their purposes.
If the OS itself still connects to Google, it obviously doesn’t work as intended and needs to get fixed, this is the priority.
If microG could be made optional, that would be nice, but for most devices compatible with /e/OS there’s still LineageOS, and possibly even iodéOS (at least once they make their blocker Open Source).

6 Likes

No opt- in/out at first boot but it can be completely disabled afterwards.

1 Like

Do you know if Google tracks me if i turn off GPS then? If i am not using GPS then there is no A-gps right? And Google will probably track me only when GPS is on. But even then it does not know my identity - who am i, who this number and IMEI belongs to? Right?

Are those things really true? Why the developers put this code? Any official comment from /e/ team?

1 Like

Dont know. Theoreticly it should be enough to disable GPS. I dont tested it. I only found out with my Pi-Hole (and only because i luckely block literarly every service wich collects data) that /e/OS tried to connect to google & co and searched and found the problem and solved it.

Disabled yes. But couldnt find a way to remove it completly.

Then the other way around :slight_smile: Standard enabled, and anybody who is “technicly skilled enough” or know exactly what microg and app lounge do, can uncheck/“unslide”/disable it on the setup screen.

There should atleast be a Message/Article on top of the website /e/OS that /e/OS have the GOAL to be degoogled/ungoogled, but now, and in near future, it still not complety degoogled/ungoogled is.

Edit:

Thanks for the tip for iodeOS. But they use microg too. So this isnt a better situation. But atleast they make no claim iodeOS is a degoogled/ungoogled OS.

1 Like

It’s optional over there.

https://iode.tech/en/iodeos-installation/#1611170965861-c319bb84-23a5

"We included many useful default apps, but our choice cannot suit everyone; so we added the possibility to remove them. It can be done at the end of the phone setup, or at any time by going to Parameters → Apps & Notifications → Preinstalled apps.

MicroG core apps: GmsCore, GsfProxy, FakeStore.
[…]"

1 Like

All the apps you mention can be disabled in /e/OS, via Settings | Apps | Show system apps.

1 Like

On the one hand I agree because I still have to use my google account for certain apps. but on the other hand I don’t know if you’re absolutely right, but I sometimes have doubts what does /e/ do with my data and isn’t there secretly a backdoor???

we put our trust in their hands they can do what they want i think.

it’s a question of trust