I kinda agree with the sentiment in the articles from an AOSP/lineage/cyanogen perspective.
They should definitely embrace the Telegram FOSS fork [1] and OSMAnd~ [2] (which is a superb offline navigation tool btw) and remove all Apps that require the Android 10 firebase hockey-based notifications. [5] and [6]
A lot of apps use this for convenience and because it was _required_ since AOSP 10 but there are ways to work around that requirement with a high priority notification.
I would additionally recommend to use AppWarden [3] and Blokada [4], because both are amazing additions for an Android device.
Firefox for Android, though, is still a nightmare with all the telemetry. The old TOR Browser 9.5 series is based on old Firefox pre-quantum, 10 is based on Firefox post-quantum.
The issue with current Firefox and TOR Browser is that Mozilla decided to include the Adjust-, Firebase- and LeanPlum-SDK which introduce now more user tracking than ever before. You'll even sometimes see different A/B UIs based on your browsing behavior (not kidding) and geolocation, and of course this happens more often with Orbot being used as a Proxy.
(You can verify this via AppWarden if you don't trust me)
Those SDKs have indeed no place in Tor Browser, though at least they appear to be disabled. Have you witnessed Tor Browser sending telemetry data to these services on Android?
One of the things that feels a bit problematic here - the webpage is avoiding mention of the fact that this is still Android. In essence, this is still Google's OS and the team has decided to start a fight against Google by taking their opensource and perpetually fight against the main developer by removing their proprietary component.
I don't think this is a fight that's sustainable - a giant graveyard of Android privacy forks shows that. In the end, the major contributor to this OS is and will remain Google.
In that respect, Purism's PureOS seems like a more sustainable effort.
I don't think the graveyard of Android privacy forks is that big? All I can think of is CopperheadOS which died because it was company-backed. You could argue CyanogenMod died, though really it's still well alive in LineageOS. (and CyanogenMod wasn't really privacy-focused)
I have a very high respect for all the work that's been done on the various GNU/Linux mobile distributions, but it's still so far away from Android wrt usability...
I agree there is something weird about fighting Google with Android, but still it makes perfect sense.
From a business or engineering PoV, you want best features for the fastest MVP. Android gives you just that. Actually it goes way beyond, /e/ didn't do much of engineering, they mostly re-used what's done by the Android FLOSS community. (Honestly I don't really like /e/ because they basically don't give anything back to the community but well).
If /e/ is ever successful, they can hire many engineers to actually fork Android to have their own. That's what Android did for Linux in the first place anyway! Most OEMs have a lot of changes to their Android, even though they keep using Google apps, and they are just fine. I'm pretty sure that Samsung have an order of magnitude more changes in Android than LineageOS (which /e/ is a pretty direct fork of), and they maintain it just fine.
The original developer of CopperheadOS is continuing the work as GrapheneOS, after a split with his former business partner, over dilutions of the privacy guarantees, among other things. https://grapheneos.org/
CyanogenMod, as the name suggests, was explicitly a nod to add in features that didn’t exist before.
That was indeed a losing battle because Google has far more resources to add features and beat CyanogenMod.
On the other hand, a de-Googlized and privacy focused platform provides something that Google can never provide.
There’s also a change in the environment surrounding all of this. Thanks to the weaponization of Android by the American government, every country and company in the world is looking for a de-Googlized alternative.
/e/ mostly uses LineageOS code without providing attribution. They have a fair fight ahead of them and the Android FLOSS community benefits from this internal competition.
This was the conclusion I came to after using android 4-5 for a while.
Android is not designed for the community to be hacking on it. While these projects occasionally appear they don't last because of the incredible amount of work required to maintain them. You're much better off finding a normal Linux distro/phone pair that can make phone calls etc.
Nowadays I single-handedly (well almost, I do have some contributors, thanks to them) maintain a pure unmodified Android that works on hundreds (probably thousands) of different devices.
It has become a lot easier thanks to Project Treble.
I guess it depends where your priorities lie, but this effort seems _more_ sustainable to me because it can run most proprietary android apps, and everything on F-Droid right out of the box.
PureOS has to try and reimplement an entire mobile app ecosystem just to get to parity with existing competitors.
The way to go, IMO, is having Android emulation on your device for backwards compatibility.
SailfishOS has this, and doesn't do tracking.
PureOS and Purism One implement some FOSS techniques and rebrand them. I believe Nextcloud does this as well. Not sure why projects don't clearly mention what they're based upon, especially when it's a lot like the original.
On the other hand by being Android you get to run all the Android apps out there.
What I seek in a phone is control over my privacy, not necessarily a vegan FOSS system.
What that means is things like:
- Fine-grained control of permissions to apps (e.g. access to rear camera only, access to only city-level accuracy of locations, access to read from only directories I specify)
- For apps that insist on having permissions to things like location and wi-fi scans to use them, the ability to make the app think it got said permissions, but receives fake data. And no, Android's mock location feature doesn't work, because apps can check if the feature is enabled or not
- The ability to fake IMEI, phone number, contact list, installed apps, and other identifying data
- Ability to generate fake IMU, proximity, temperature, barometer, and all other sensor data that could conceivably be used for fingerprinting
izacus' comment is exactly about that. That keeping it deGoogled is a constant uphill battle, and it sounds good in theory, but as previous forks show - according to izacus - it's eventually a losing strategy.
LineageOS does not support MicroG officially, you will not receive support from them so I don't know what your benchmark for sustainability is.
The officially stated reason (I'm paraphrasing) was because it allows for fudging the signatures of apps and services on the OS, and this breaks the security model.
Why do we have to give access to our entire hard-drive to share one file once? How is it legal for someone else to give away your phone number, your addresses for the last 30 years, your email addresses, and the rest of your personal contact information, along with all the contact information of everyone else they ever met to any app they like? Why can apps run your mic and camera 24 hours a day in the background because you wanted to record a gif once? Why should an app be able to read every sms for all eternity because they wanted to verify your phone number once?
Ungoogling is a fine step but the whole thing needs to be rebuilt:
- Sharing Contacts: Should be illegal and removed as an option. Apps shouldn't be able to trick/coerce/incentivise people to harvest and sell other people's private information. When people give out their phone numbers and addresses they do it with some expectation of care, not with the intention of having it immediately uploaded to Flappy Bird. The most that should be allowed is perhaps some sort of hash of contacts to be able to bootstrap some friend graph, but that's it.
- Sharing Files: There should be a single general default "file manager" app that acts as the intermediary between your files, and other apps, giving them only the files they need for the specific task at hand. Permission for the filemanagers themselves can be given with multiple ALL CAPS permission warnings not to do it.
- Camera/Mic/Location: Trusted intermediate app should capture and provide the data needed for the task at hand. At the absolute minimum, permissions should default to only recording while the app is open (like android location now). Persistent background recording should only be allowed after multiple ALL CAPS stern warnings and suggestion to reject unless absolutely necessary.
- SMS/etc: Have intermediate trusted apps select and share the specific messages you need to share for the task at hand.
In short, data access should be handled by few, trusted, vetted, intermediary apps, with heavily gated permissions for those apps themselves; and sharing other people's private contact information should be illegal.
Because J Random Grandma just wants to share photos of her grandkids or whatever and doesn't understand all this "computer nonsense". I agree that security needs to be rethought, but putting more moats / popups in the way is not going to work. We already learned that from the past - it doesn't matter how many warnings you put in a web browser, those that are uneducated are still going to mash the install button to get those Comet Cursors or whatever.
I'm curious how this will change when the entire population has more tech knowledge in general. A few decades, and everybody on the planet will have grown up with computers, and a couple more past that and everyone will have always had a smart phone.
I'm not super hopeful though. Security and Privacy are always a tradeoff with convenience. And if I've learned anything during my revolutions on this planet, it's that we humans really love convenience. I'd say this will keep getting worse until we get a massive data breach... but we've already had a few of those and aside from it being on the news and maybe a congressional hearing, nothing changes. So I think it will keep getting worse until we find out what the market will bear. And I'm morbidly curious what that will be, even as I scream into the wind attempting to prevent it.
Good point but one additional advantage on mobile is the app stores. Currently apps are (supposed to be) rejected if they ask for more permission than their app requires. The problem is that the permissions themselves are too broad. If permissions were divided between regular permissions and super permissions where the latter were flagged for extra approval time and care in approval, it seems like you could have a scalable system vetting the handful of apps that risk asking for them.
Additionally it seems like you could design proper super warnings that get adhered to. Do you know of any interesting examples of really severe/gated warnings that are consistently ignored? If you try to visit a website with a bad certificate, for example, it's almost impossible to get to it.
This is sort of how iOS works (worked?). To share a photo, you had to go find the photo you want to share, then pass that photo explicitly to the app/context you wanted to share it. So a model where you push the content you want into the share app, the app itself was unable to request (pull) data.
I'm using e.foundation for a while now on my Moto G3 (osprey) and it's working ok despite a few camera/gallery crashes here and there.
The only thing I'm not really fond of, is that the apps come from an opaque source (https://info.cleanapk.org/). I also found no information on how those apps are signed, and how this is checked. Upon asking them, someone pointed me to a git commit where an outdated public key of F-Droid was used.
Yeah, that's the thing that would worry me the most: it's nice and all that I can use many regular Android apps, but how do I know that that's safe? In practice, I'd probably still restrict myself to F-Droid, like I do today - the only app I'd like to use in addition is our Corona warn app.
Doesn't /e/ just take Lineage OS, install microg on top of it, add their crappy launcher, and then take $$$ as donations? If anyone deserves donations it's Lineage or MicroG. Donate upstream instead of this.
I think part of their approach is also to sell refurbished phones (or, in partnership with Fairphone, new ones) with /e/ preinstalled, lowering the barrier to entry. There might be more, but I'm not too familiar with them.
I've been using /e/ as my primary smartphone for a couple months now. It's certainly usable: The experience is more pleasant and integrated than stock LineageOS + MicroG, but there's still quite a few rough edges.
I hope they can make a go of it, but I think it'll take adoption by a deep-pocketed sponsor (Samsung? Huawei? The German government?) before it would be polished enough to be a real contender for non-technical users.
But I do think the idea of an Android fork that maintains some compatibility with existing apps is more likely to find success than something like Sailfish OS, that's entirely distinct.
I have been using it for I think over a year now as my only phone, on a Samsung Galaxy S9+. It's honestly not much different from Android (although a little out of date), and the only real issue I have is that installing software is a little inconvenient. (The built in app store doesn't work reliably.)
I've been using it for a few weeks: It doesn't force you to put anything on the cloud. If you choose to create an /e/ account, it makes it easy to sync/backup to their cloud services, but it's completely optional.
Unlike Google or Apple, you're not required to create a cloud account just to use your own device.
The cloud "just" uses davx5, which you can ignore, or use to sync to your own nextcloud server, or you can create an account on their nextcloud instance.
I obviously use my own nextcloud.
Some microG stuff is enabled by default, which means it does allow apps to talk to Google for e.g. push messages. It's not much work to disable, though.
I looked at /e/ extensively before buying a new phone and ultimately settled on GrapheneOS. I'd much prefer the de-Googling to be combined with a focus on security, where Google has admittedly done some important work for Android. I'm sure it's not quite as functional as /e/ given the lack of integrated Google services and other bits and pieces, but a surprising number of apps work perfectly without these things and I rarely miss them.
I would also recommend Shelter for a work profile for non-open source apps, which one can install on one of the Play Store clones such as Aurora.
Thanks for posting this. I spent some time looking at how "de-Googled" GrapheneOS is. If you define "de-Googled" as meaning the phone makes no connections to Google servers that you do not explicitly acknowledge/permit, then GrapheneOS is still far from "de-Googled". Just to give one example, SUPL. There are also plenty of unGoogled-Chromium patches GrapheneOS doesn't apply. I'm not saying GrapheneOS isn't way better than the Android that ships on phones, but it's misleading to pretend they care about de-Googling as a first tier priority.
GrapheneOS does do some privacy oriented work, but it's far more focused on hardening.
I look forward to examining /e/ and CalyxOS since their focus is more heavily on privacy. For my use cases, I'm less worried about hardening than privacy.
Also, it's a lot of work to keep Android both up-to-date and de-Googled. I started patching GrapheneOS and realized I did not have the bandwidth to maintain the patchset. And still had no good answer for SUPL. Hopefully CalyxOS and /e/ have maintainers with the bandwidth.
Here's some reading that covers the basic points though:
https://intangiblesheep.neocities.org/rants/eelo.html
https://web.archive.org/web/20191224031946/https://ewwlo.xyz...
[1] https://github.com/Telegram-FOSS-Team/Telegram-FOSS
[2] https://github.com/osmandapp/OsmAnd
[3] https://gitlab.com/AuroraOSS/AppWarden/
[4] https://github.com/blokadaorg
[5] https://github.com/Telegram-FOSS-Team/Telegram-FOSS/blob/mas...
[6] https://developer.android.com/guide/components/activities/ba...
Besides, some of their practices, like redirecting every blocklist through their own mirror (blokada.org/mirror) and in some cases through their URL shortener (go.blokada.org), make me think they're not really as private as they claim to be.
Also, Blokada leaks DNS connections over TCP and doesn't let you set your own DoH resolver.
None of these are problems with Nebulo which is also recommended by https://PrivacyTools.io/providers/dns/ over Blokada.
https://git.frostnerd.com/PublicAndroidApps/smokescreen
https://play.google.com/store/apps/details?id=com.frostnerd....
https://gitlab.torproject.org/tpo/applications/fenix/-/issue...
Those are all completely stubbed out in Tor Browser Android. I helped with some work on that a few years back.
/e/ “believes” in open source. Less along the lines of “concerns itself with every philosophical checkbox”.
IMO you and the author are filling in the blanks as you wish, landing in the realm of no true Scotsman.
Freedom to create as one would > flocks of sheep.
Personal emotional religion must take a backseat to suggesting folks discuss or use their time otherwise.
CopperheadOS did not die. https://copperhead.co/android
I think the effort is very good. The result is excellent and it's really addressing a much bigger audience than PureOS.
I think they legally can't call it "Android" in this case so it's not really their fault that they aren't mentioning this.
DVB as in the Digital Video Broadcasting standard? I'm surprised Android has a specific permission for this.
See also https://community.e.foundation/t/microg-what-you-need-to-kno...
- Occasional "X app stopped unexpectedly" messages.
- Font sizing is really weird on the built-in email app (a K9 Mail reskin)
- System webview sometimes (maybe once a week?) starts rendering blank white pages until I reboot the phone.
Does it force you to have data on the cloud? Or can you get by without using the cloud?
Simply put: I don't want anyone having my data anywhere apart from me and my device.
... asking for a friend ...
If you truly don't want that, postmarketOS and a number of Linux distros work on some older phones and the PinePhone now.
And like the color of the Ford T, you will have the choice of your phone as long as it's a Pixel ;)
What apps are you writing for yourself on Graphene?
Have you considered being a maintainer for one of the companion apps/Graphene itself on a device? The project could really use you.