/e/ review in German language by Mike Kuketz

As mentioned in “Kuketz-Blog is going to review /e/ OS”, German security researcher Kuketz has reviewed /e/:

https://www.kuketz-blog.de/e-datenschutzfreundlich-bedeutet-nicht-zwangslaeufig-sicher-custom-roms-teil6/

Basic summary: good privacy, but lacking in security.

13 Likes

The points of criticism in this review have already been discussed here in many places. We know that /e/OS is not perfect. But, the way I see it - there is simply nothing better when I look at it from the point of view of a “simple” user.
For me, /e/OS is still the best mix of usability, privacy and ease of use.

3 Likes

This article criticizes:

  • that connectivity-checks (to connectivity.murena.io) are carried out bypassing the VPN. These relatively frequent automatic checks are not carried out by the VPN, even if the “Block connections without VPN” setting is activated.

  • Cromite browser contains WebView-Version 117.0.5938.156 (10/2023). But the current version is 120.0.6099.43 (11/2023).

  • Several attempts were made to update the network time via NTP and update checks were carried out - although the check should only be carried out once a day. The setting was set to “daily”, but there was more than one request in 24 hours.

  • microG connections
    System -> microG -> Google Geräte-Registrierung
    Users may also not want connections to http://android.clients.google.com. Even if in this case, Push-Notifications, SafetyNet and API-Components would be deactivated/distracted.

3 Likes

First: He is also a known privacy expert.

He criticizes that the “fully” degoogled /e/os is not fully degoogled.
@Shakatus “there is simply nothing better”, with such a statement is not compatible.

Other criticized points:

  • The usage of microG should be chosen by the user to ensure that connections to google are really deactivated if the user wants to
  • On each update request a unique identifier is sent to the server, which is definitely a huge drawback in terms of privacy and it is not necessary. It was hidden from the GUI, which seems a bit suspicious
  • The updates take too much time. It is maybe not possible to ensure immediate updates but the last periods 40 - 50 days is too long even when saying “we are not secure but privacy friendly”. There is a minimum requirement for an OS to be useable. And this crosses the red line. And this does not include the unbelievable delay for webView.
  • When using “unterstütztes GPS” (supported GPS (don’t know the exact translation)) supl.google.com is called. A better approach is to use a proxy server so Google is not able to identify the device/user (like Graphene does with supl.grapheneos.org). The same goes for “https://agnss.goog/rtistatus.dat”
  • A filter list is downloaded using bromite.org which is outdated (the filter list is nearly one year old)
  • Lack of information about dev team
  • Not easy to install (harder than other custom ROMs)
  • No defined update times
  • Verified Boot is only supported for a few devices

Summary:

Security:

  • Increase speed of updates

Privacy:

  • Do not enable microG by default but on the user's decision
  • Eliminate the OTA-ID for update requests

10 Likes

Right, there were other points of criticism, but “Undertaker” was quicker. I’ll add them anyway, even if it might sound doubly critical.

  • Whether every keystroke should be transmitted to the search engine or only after the search term has been fully entered
    Einstellungen → Datenschutz und Sicherheit → Suchvorschläge verbessern an/aus

  • Google receives approximate location data that can be linked to the IP address, among other things. To prevent this, the custom ROM GrapheneOS, for example, has set up a SUPL proxy server (supl.grapheneos.org), which receives or forwards all SUPL requests or forwards them on behalf of Google. The result: Google cannot assign the location request to any user/device.
    If you activate this:
    Einstellungen → Standort die Option Unterstütztes GPS verwenden
    Also: this connection bypasses the VPN or is not recognized there

  • If the »Unterstütztes GPS verwenden« function is activated
    The PSDS help data is obtained directly from the Google cloud servers:
    agnss.goog/rto.dat
    agnss.goog/lto2.dat
    agnss.goog/rtistatus.dat
    GrapheneOS own server:
    broadcom.psds.grapheneos .org/rto.dat
    broadcom.psds.grapheneos .org/lto2.dat
    broadcom.psds.grapheneos .org/rtistatus.dat

  • In order for /e/ to be considered privacy-friendly, the unique OTA ID (Unique Device Identifier), which is transmitted during each update check, would have to be removed.

  • After starting the browser, a connection to www.bromite.org is established to download an outdated filter list (12/2022)

5 Likes
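
An added example, not taken from the review or from /e/OS: one way to check a connection log for the VPN-bypass behaviour described in the posts above (connectivity checks and SUPL requests leaving outside the VPN) and to see how often each host is contacted. The log format, the interface names `tun0`/`wlan0` and the sample lines are constructed assumptions; the hostnames are the ones named in this thread.

```python
from collections import defaultdict
from datetime import datetime

# Hosts named in this thread, with the purpose the posts give for them.
KNOWN_HOSTS = {
    "connectivity.murena.io": "connectivity check",
    "android.clients.google.com": "microG device registration",
    "supl.google.com": "SUPL (assisted GPS)",
    "agnss.goog": "PSDS assistance data",
    "www.bromite.org": "browser filter list",
}

def label(host):
    """Return the thread's purpose for host, matching parent domains too."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        purpose = KNOWN_HOSTS.get(".".join(parts[i:]))
        if purpose:
            return purpose
    return "unlisted"

def audit(log_lines, vpn_iface="tun0"):
    """Summarise connections that left on any interface other than the VPN."""
    seen = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        stamp, iface, host = fields
        if iface != vpn_iface:
            seen[host.lower()].append(datetime.fromisoformat(stamp))
    report = {}
    for host, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[host] = {"purpose": label(host), "count": len(times),
                        "min_gap_s": min(gaps) if gaps else None}
    return report

# Constructed sample log: "<ISO time> <egress interface> <destination host>"
SAMPLE = """\
2024-01-10T08:00:00 tun0 example.org
2024-01-10T08:00:05 wlan0 connectivity.murena.io
2024-01-10T08:10:05 wlan0 connectivity.murena.io
2024-01-10T08:12:00 wlan0 supl.google.com
2024-01-10T08:12:30 tun0 www.bromite.org
""".splitlines()

if __name__ == "__main__":
    for host, info in audit(SAMPLE).items():
        print(host, info)
```
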
