iodéOS: Privacy-friendly, but compromises on security

iodéOS on the test bench by Mike Kuketz. The focus is on the analysis of data transmission behaviour.

Apart from the permanent request for current weather data, the system is relatively quiet.

If the user activates microG, the system is immediately a little more talkative - which is not unusual, of course, because microG is a (not complete) replica of the Google Play services. Unlike Google Play services, microG at least does not track user activity on the device. Furthermore, users can partly determine themselves which API functions (Google Cloud Messaging, SafetyNet, the Exposure Notification Framework) they want to use.

Even if no apps are registered to receive push notifications yet, a permanent update of the connection to mtalk… takes place.

(Security) updates do not appear as promptly as known from systems like GrapheneOS. … It was only on 02.04.2023 that the update to the status of 5 March appeared. This means that for almost a month there was an “Internet-to-Baseband Remote Code Execution (RCE)” in the system. On a scale of 1 to 10, this is an 11. At least for such serious security gaps, the iodéOS team should rethink the update cycle.

On the other hand, I have to mention the firewall integrated in iodéOS in a really positive light.

In fact, iodéOS has succeeded relatively well in reducing Google’s data collection frenzy - but not completely. For example, to speed up location tracking, the system accesses the Google SUPL server and the included browser uses Google Safe Browsing. Apart from that, the developers have done a good job of “de-googling” iodéOS. However, if you enable microG, you have to be aware that some connections to Google will be made. However, this is purely optional and one can use iodéOS almost free of Google.

iodéOS könnte insbesondere durch eine schnellere Bereitstellung von (Sicherheits-)Updates verbessert werden.

:arrow_upper_right: Source, 2023-4-6

1 Like

Yes, overall a positive review and definitely better than what Mike Kuketz rated CalyxOS
Some of his more critical points are simply inherant of running MicroG (opposed to a completely Google-free OS) or not being aware of all the functions of iodéOS (like being able to unistall preinstalled apps like Geometric Weather or even MicroG )

1 Like