/e/ and iode have vulnerabilities and/or "backdoors"?

K8y

Gos claims they might, but what evidence is there?

https://alternativeto.net/news/2025/11/grapheneos-ceases-operations-in-france-amid-pressure-and-legal-threats-by-the-government/

yore

K8y Gos claims they might

Do you have a source to them saying that?

de0u

K8y Here is a complaint about /e/OS on the /e/OS forum: https://community.e.foundation/t/voice-to-text-feature-using-open-ai/70509

Is that particular example a back door? Perhaps not, but it is arguably not a good privacy practice.

23Sha-ger

They are both months behind patches that Google themselves claimed have been exploitable in the wild.
I can guarantee that Cellebrite cracks those devices open easily, because LineageOS devices were pretty
easy targets, although somewhat rare. Mostly among "enthusiasts" who believed they are more secure.

So you don't need backdoors when there is an open front door.

K8y

23Sha-ger LineageOS devices were pretty
easy targets, although somewhat rare. Mostly among "enthusiasts" who believed they are more secure.

would lineage be harder to remote into than regular android, because it's a different OS and the remote attackers might only be used to (or their attack tools be formatted for) regular android and ios?

userofgos

yore Do you have a source to them saying that?

https://xcancel.com/GrapheneOS/status/1991345623132520956#m

@K8y However, GrapheneOS did NOT say they have backdoors. What they DID say is (emphasis added):

/e/ provides much easier access to devices for governments through the extremely poor security so there's little reason they'd have an issue with it

23Sha-ger

K8y
Why it will be harder if it is a regular Android, just without verified boot and other important mitigations?
All the "privacy" those projects provide is mostly snake-oil hoax. DNS blocklists for ads, built-in F-Droid, Microg
for compatibility. There is not even 1 security feature. They degrade security by disabling verified boot.

K8y

23Sha-ger ok, but going back to the backdoor, since iode and e are open source, wouldn't it be hard to hide a backdoor?

Or can these OS be logging all its user's data and history and give to governments like the article suggests GOS implies?...is that even possible for iode and e to do?

23Sha-ger

K8y
I already answered the question that there is almost no need for a backdoor, but if we go further,
since there is no verified boot, and the devices they run on (except Pixels) treat any custom OS as just
a piece of partition on the device, there is nothing that theoretically stops them from signing and providing
malicious updates if the French government forces them to. They can even sign it with their own keys and
distribute it to specific users, based on IP or country, but not limited to. That modification does not have to
go to Github, it can be silent, signed malicious update sent to the update servers, where the web-server
will direct all "normal" users to the original "clean" update, and the targeted users to the malicious one.

MetropleX

I amended the title as userofgos stated we have not in any capacity said they have backdoors.

We have simply stated that they are easier to exploit using known vulnerabilities that remain unpatched etc.

I would then also direct you to a comprehensive statement and thread with multiple project responses here:

https://discuss.grapheneos.org/d/24134-devices-lacking-standard-privacysecurity-patches-and-protections-arent-private