InfoSec Handbook, 25.12.2019, Final look

The uninstallation via adb-commans isn’t difficult. Give it a try. See also …

Android Debug Bridge (ADB) commands for uninstalling the /e/ weather app:


C:\ adb devices
List of devices attached
04157df25122019d device

… adb has recognized the connected device.

pm list packages|grep -i weather

… finds all components of /e/ weather app

C:\adb shell
$ pm list packages|grep -i weather
package:org.lineageos.openweathermapprovider
package:foundation.e.weather
package:org.cyanogenmod.weatherservice
package:org.cyanogenmod.weather.provider

…uninstalls all components of the weather app:

pm uninstall -k --user 0 org.lineageos.openweathermapprovider
pm uninstall -k --user 0 foundation.e.weather
pm uninstall -k --user 0 org.cyanogenmod.weatherservice
pm uninstall -k --user 0 org.cyanogenmod.weather.provider

Last step: Restart the device

yes - i now it’s possible by this rather uncomfortable workaround.

and it’s indeed a solution, which will solve the issue for you and me, but it’s definitely not a anwser to the much more important principal probleme: how to guide/support the main audience – i.e. all those more ordinary end users, which want to use and expect a more acceptable privacy respecting default setup with minimal additional reconfiguration efforts resp. without tricky workarounds.

1 Like

Yeah, you’re absolutely right. This is not for “Mom and Dad”! But we are and still are in the beta phase. The near future will / must get better.

1 Like

Some of those developments are disappointing. The first article was nine months ago. That analysis is great work, it makes valid points.

“e/ never replied to any of our direct messages via e-mail or Mastodon during testing, and they never tried to contact us.” - whoever in the e project is responsible might think about changing attitude. That’s not really a sign for a serious project.

What is the deal with those old android versions? They do not look secure anymore. It’s a shame how google tries to force users to buy new phones or let them use an insecure one.

G°°gle as the rights holder and manufacturer of Android is a quasi-monopolist (Android achieved a worldwide market share of 76.2% in September 2019 in the Android sector. The Alphabet Group dictates the market. And G°°gle is “evil” …

On the question being raised on the forum regarding the Security Patch for Nougat showing Dec 5th, 2019 when *google has stopped patches

  • Please note there has been a Security String bump on Github on the LineageOS sources.
  • You can read more details about this here
  • Please read the query raised below … Patches have been backported from Oreo and Pie and the date updated as per the response given.
  • Since /e/ forks the LineageOS code we are also showing similar patch dates.
  • What this means in exact terms for Nougat users is being checked by the development team.

Will update once we have more details on this.

1 Like

That’s a logical explanation. But why didn’t they tell the reading of infosec-handbook and the author : Benjamin.

Now the information is being read all over the world: “We don’t know why the patch level is November in this case. It should be October 2019. The current patch level is December 2019.” and damages the trust in /e/.

I consider it absolutely necessary to take immediate action with infosec-handbook to prevent greater damage to trust from /e/.

Please initiate this @Manoj

Better communication with infosec-handbook certainly wouldn’t hurt, if it indeed has been a problem. But the greater problem is that there are prospective users like me who were expecting /e/ to have all the latest Android patches, which doesn’t seem to be possible if /e/ is using a version of Android that is no longer being supported. If we hadn’t found this out from infosec-handbook, we might have found it out from someone else. If /e/ is somehow able to support code that Android is no longer supporting, then it’s critical to communicate that to users. But if /e/ really is using unsupported code, then I have no idea why anyone should be using /e/.

Sorry, but from what I’ve seen/read what Infosec showed was applicable to Android 7 which is the last version Moto G can be upgraded to.

I have a Moto G 2014, I can’t upgrade to Oreo or Pie so I must change my phone to get the latest Android. It’s reached its EOL.

Did I understand it right?

If that is the explanation, than it would be helpful for the /e/ team to clarify what they mean when they talk about never dropping support for a supported device.

the situation for other mobile phones doesn’t look much better.

first it takes a long time, before they are supported by alternative os alternatives, and than you have to wait forever to see support for the more actual releases resp. all it’s included security improvements.

if you just consider, how unpleasant slow the pie support for /e/ actually grows resp. how few phone models are officially supported till now, it’s really frustrating.

at the end it leads to the paradox situation, that the window between fist support by linage os or /e/ and EOL looks rather short again in relation to vanilla android. and that’s definitely not the most inviting perspective in case of a main audience, which in most cases isn’t only interested in acceptable privacy, but also doesn’t like stupid consumerism and unjustifiable throwaway culture.

This probably is an official statement from Motorola… Same with the FP2. Fairphone managed to port nougat, and lineage is available in version 17 (16 is official). Looks like you’re device is still super by LOS

I agree with this point of view.
I must say that, not only because of the Infosec issue, /e/ is yet not ready for moms and dads. And that’s because it’s not mature enough.
From my point of view, elder people use their phones to reach out family members, old friends and they get thrilled when they understand that the whole world can be reached thru a simple device that they can carry wherever they may go.
They know nothing about security and/or privacy. So it’s up to us, the family members with actual knowledge of this kind of stuff, to keep them safe. For instance, my mom doesn’t have a bank app on her phone but my sister does.
All that said, /e/ must follow updates/upgrades as fast as possible. And yes, the roadmap should be noticed more often.
So far I’m confortable with /e/ because I can manage to protect myself and my data but I am expecting for v.1.0.0 sooner than later.

Judging by Lineage website, my MotoG is out in the cold :smile:

I understand InfoSec’s info like you and that means an official support end of Android 7.1.x for me:

Source → The state of the LineageOS-based /e/ ROM in December 2019
waring_712

My opinion is supported by a look into the → Android Security Bulletin.

In 11/2019 there were no more security patches for Android 7.1.1 and 7.1.2.

We are working on upgrading all Nougat devices. Have you tried flashing the Unofficial Oreo/ Pie builds for the MotoG and do they work well? If yes then the upgrade to the official version should also work fine.

InfoSec Handbook added information regarding the patch level of the ROM.

Update (Dec 26, 2019): The Android security patch level is November 5, 2019, according to the settings. Literally minutes after we published this article, a newer version of the ROM became available. This version (December 25) reports patch level December 5, 2019. As mentioned above, Google dropped support for Android 7.1.2 and didn’t release any security updates for Android 7 in November and December 2019. We don’t know why the patch level is November/December in this case. It should be October 2019.

A reader pointed to an ongoing discussion on community.e.foundation. There, the /e/ supports said: “Please note there has been a Security String bump on Github on the LineageOS sources. […] Patches have been backported from Oreo and Pie and the date updated as per the response given. Since /e/ forks the LineageOS code we are also showing similar patch dates. What this mean [sic] in exact terms for Nougat users is being checked by the development team.”

Assuming that all security patches are actually backported, the Moto G4 is still not fully up-to-date since the firmware doesn’t get any security updates. Of course, the vendor patch level depends on your device.

Hopefully, the /e/ team will provide more transparency on security updates in their different ROM versions in the future.

The right information policy combined with the necessary transparency is the recipe for success in cooperation with /e/ users and media and is a key to the success of /e/volution.

At the moment I´m waiting for my “second first” /e/Phone. The first one had a scratch on the display so I could send it back to get it swapped without ever switching it on.

The /e/Phone shall replace my wife´s Blackberry DTEK50 with Android 6.0.1 and the last security patch from June 2018.

Now, when the /e/Phone arrives, will I have an up-to-date patch level or will I at least get the latest patch via update? Or do I swap one outdated phone with another one?

What do I have to expect? I´m not sure if I understand all the (technical) comments above correctly. So, could anybody explain it in easy words?

Thank you in advance!

I only have one phone and it was a friend of mine who flashed it for me.
After reading this article I was considering learning how to do it myself and try exactly this @Manoj: flash some unofficial Oreo build.
But I need some time to learn and test it. I don’t need to care about backup because everything is on my own cloud back home so it’s only a matter of spare time.
I’ll give it a try though.

@Guenter, would you please simply formulate how you understood the topic. The community could then make corrections if necessary.

Tip: Enjoy /e/ forum in German (join Deutsch group to contribute). Genieße das /e/ forum auf Deutsch (der Deutschen Gruppe beitreten um mitzuwirken). In your native language, understanding complex topics is usually easier.