InfoSec Handbook, 25.12.2019, Final look

5 Likes

Thanks, @Guenter, for posting this. I realize that it’s Christmas, and that it might take a while for people from /e/ to respond. In the meantime, though, I’m considering /e/ as not meeting my security needs, based on the article.

Okay, accepted. Every user has their own security needs.

I’m generally satisfied with the development, even if there are still a few problems. The /e/ web browser and /e/ Apps Store can currently be removed relatively easily and safely and replaced by alternatives.

Compared with our second report, network traffic to Google servers seems to be reduced to the web browser of /e/. The cleartext traffic of Magic Earth disappeared. The Weather app still leaks all traffic, including device information.

All in all, /e/ improved their ROM since our first test about 9 months ago. There is still network traffic to Google, however, this has been definitely reduced to a minimum.

What makes me intensely thoughtful is, for one thing …

Warning
As of November 2019, Google does not support Android 7.1.2 anymore. Google does not provide any new security updates for this ROM.

The Android security patch level is November 5, 2019, according to the settings. As mentioned above, Google dropped support for this ROM and didn’t release any security updates for Android 7 in November 2019. We don’t know why the patch level is November in this case. It should be October 2019. The current patch level is December 2019.

… and for another…

How can Chairman Gaël Duval, president of the board of the e.Foundation publicly speak of “A fully UnGoogled smartphone”?

The change to at least /e/ OS 9-pie is now the first duty. At the same time, the rest of the connections to the G°°-Servers must be eliminated in order to be credible in terms of /e/ manifesto to stay.

thanks for this post!

unfortunately i have to agree with most of these remarks.

it’s hard to accept that users are still not allowed to uninstall this useless weather Trojan horse on a privacy-focused mobile platform, and important system updates are again and again postponed forever and a day…

1 Like

The uninstallation via adb commands isn’t difficult. Give it a try. See also …

Android Debug Bridge (ADB) commands for uninstalling the /e/ weather app:

C:\> adb devices
List of devices attached
04157df25122019d device

… adb has recognized the connected device.

C:\> adb shell
$ pm list packages | grep -i weather
package:org.lineageos.openweathermapprovider
package:foundation.e.weather
package:org.cyanogenmod.weatherservice
package:org.cyanogenmod.weather.provider

… finds all components of the /e/ weather app.

$ pm uninstall -k --user 0 org.lineageos.openweathermapprovider
$ pm uninstall -k --user 0 foundation.e.weather
$ pm uninstall -k --user 0 org.cyanogenmod.weatherservice
$ pm uninstall -k --user 0 org.cyanogenmod.weather.provider

… uninstalls all components of the weather app.

Last step: Restart the device
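As an added example that is not from this thread, the same removal as a small POSIX shell script: it checks that exactly one authorized device is attached, collects every package whose name matches a pattern from `pm list packages`, and runs the same `pm uninstall -k --user 0` on each. It assumes `adb` is on PATH; the `ADB` variable and the `--run` flag are conventions of this script, not of adb.

```shell
#!/bin/sh
# Added example (not the forum poster's code): automate the manual adb session.
# Assumes adb is on PATH and one device is attached. ADB can be overridden
# (e.g. with a stub for a dry run); that variable is an assumption of this script.
set -eu
ADB="${ADB:-adb}"

# Read `pm list packages` output on stdin, strip the "package:" prefix and any
# CR that Windows adb builds emit, keep names matching PATTERN (case-insensitive).
matching_packages() {
    tr -d '\r' | sed -n 's/^package://p' | { grep -i -- "$1" || true; }
}

# Succeed only if exactly one attached device is in the authorized "device" state
# (an "unauthorized" or "offline" entry must not count).
one_device_attached() {
    "$ADB" devices | tr -d '\r' |
        awk 'NR > 1 && $2 == "device" { n++ } END { if (n == 1) exit 0; exit 1 }'
}

# Uninstall each package matching PATTERN for user 0, keeping its data (-k),
# exactly like the manual commands above. Prints what it removed and fails if
# nothing matched, so a mistyped pattern is not silently ignored.
remove_matching_packages() {
    removed=0
    for pkg in $("$ADB" shell pm list packages | matching_packages "$1"); do
        "$ADB" shell pm uninstall -k --user 0 "$pkg" >/dev/null
        echo "$pkg"
        removed=$((removed + 1))
    done
    [ "$removed" -gt 0 ]
}

# Usage: sh remove_weather.sh --run   (then reboot the device, as the thread says)
if [ "${1:-}" = "--run" ]; then
    one_device_attached || { echo "need exactly one authorized device" >&2; exit 1; }
    remove_matching_packages weather
fi
```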

yes - i know it’s possible by this rather uncomfortable workaround.

and it’s indeed a solution which will solve the issue for you and me, but it’s definitely not an answer to the much more important principal problem: how to guide/support the main audience – i.e. all those more ordinary end users who want to use and expect a more acceptable privacy-respecting default setup with minimal additional reconfiguration efforts resp. without tricky workarounds.

1 Like

Yeah, you’re absolutely right. This is not for “Mom and Dad”! But we are and still are in the beta phase. The near future will / must get better.

1 Like

Some of those developments are disappointing. The first article was nine months ago. That analysis is great work, it makes valid points.

“e/ never replied to any of our direct messages via e-mail or Mastodon during testing, and they never tried to contact us.” - whoever in the e project is responsible might think about changing attitude. That’s not really a sign of a serious project.

What is the deal with those old android versions? They do not look secure anymore. It’s a shame how google tries to force users to buy new phones or let them use an insecure one.

G°°gle as the rights holder and manufacturer of Android is a quasi-monopolist (Android achieved a worldwide market share of 76.2% in September 2019 in the Android sector). The Alphabet Group dictates the market. And G°°gle is “evil” …

On the question being raised on the forum regarding the Security Patch for Nougat showing Dec 5th, 2019 when Google has stopped patches:

  • Please note there has been a Security String bump on Github on the LineageOS sources.
  • You can read more details about this here
  • Please read the query raised below … Patches have been backported from Oreo and Pie and the date updated as per the response given.
  • Since /e/ forks the LineageOS code we are also showing similar patch dates.
  • What this means in exact terms for Nougat users is being checked by the development team.

Will update once we have more details on this.

1 Like

That’s a logical explanation. But why didn’t they tell the readers of infosec-handbook and the author, Benjamin?

Now the information is being read all over the world: “We don’t know why the patch level is November in this case. It should be October 2019. The current patch level is December 2019.” and damages the trust in /e/.

I consider it absolutely necessary to take immediate action with infosec-handbook to prevent greater damage to trust from /e/.

Please initiate this @Manoj

Better communication with infosec-handbook certainly wouldn’t hurt, if it indeed has been a problem. But the greater problem is that there are prospective users like me who were expecting /e/ to have all the latest Android patches, which doesn’t seem to be possible if /e/ is using a version of Android that is no longer being supported. If we hadn’t found this out from infosec-handbook, we might have found it out from someone else. If /e/ is somehow able to support code that Android is no longer supporting, then it’s critical to communicate that to users. But if /e/ really is using unsupported code, then I have no idea why anyone should be using /e/.

Sorry, but from what I’ve seen/read what Infosec showed was applicable to Android 7 which is the last version Moto G can be upgraded to.

I have a Moto G 2014, I can’t upgrade to Oreo or Pie so I must change my phone to get the latest Android. It’s reached its EOL.

Did I understand it right?

If that is the explanation, then it would be helpful for the /e/ team to clarify what they mean when they talk about never dropping support for a supported device.

the situation for other mobile phones doesn’t look much better.

first it takes a long time before they are supported by alternative os alternatives, and then you have to wait forever to see support for the more actual releases resp. all its included security improvements.

if you just consider how unpleasantly slow the pie support for /e/ actually grows resp. how few phone models are officially supported till now, it’s really frustrating.

at the end it leads to the paradoxical situation that the window between first support by LineageOS or /e/ and EOL looks rather short again in relation to vanilla android. and that’s definitely not the most inviting perspective in case of a main audience which in most cases isn’t only interested in acceptable privacy, but also doesn’t like stupid consumerism and unjustifiable throwaway culture.

This probably is an official statement from Motorola… Same with the FP2. Fairphone managed to port nougat, and lineage is available in version 17 (16 is official). Looks like your device is still supported by LOS

I agree with this point of view.
I must say that, not only because of the Infosec issue, /e/ is yet not ready for moms and dads. And that’s because it’s not mature enough.
From my point of view, elder people use their phones to reach out to family members and old friends, and they get thrilled when they understand that the whole world can be reached through a simple device that they can carry wherever they may go.
They know nothing about security and/or privacy. So it’s up to us, the family members with actual knowledge of this kind of stuff, to keep them safe. For instance, my mom doesn’t have a bank app on her phone but my sister does.
All that said, /e/ must follow updates/upgrades as fast as possible. And yes, the roadmap should be noticed more often.
So far I’m comfortable with /e/ because I can manage to protect myself and my data, but I am expecting v.1.0.0 sooner rather than later.

Judging by Lineage website, my MotoG is out in the cold :smile:

I understand InfoSec’s info like you and that means an official support end of Android 7.1.x for me:

Source → The state of the LineageOS-based /e/ ROM in December 2019

My opinion is supported by a look into the → Android Security Bulletin.

In 11/2019 there were no more security patches for Android 7.1.1 and 7.1.2.

We are working on upgrading all Nougat devices. Have you tried flashing the Unofficial Oreo/ Pie builds for the MotoG and do they work well? If yes then the upgrade to the official version should also work fine.