Weather widget leaks the user location

  • /e/ version: current v0.18
  • Device model(s): all
  • Device rooted: yes/no

Summary

Update endpoints to HTTPS as in upstream PR https://github.com/qqq3/good-weather/pull/41

(I'm aware Good Weather is no longer (v0.16 or 17?) in the default apps)

The proposal was made by the author of DivestOS in a thread at https://community.e.foundation/t/divestos-vs-e-os-security-and-privacy-easy/33717/67

The problem

Steps to reproduce

Run the weather app, look at Wireshark. As location is essential for weather requests, the contents of the request shouldn't be disclosed.

What is the current behavior?

The HTTP endpoints of the weather service are used.

What is the expected correct behavior?

Use the HTTPS API.

Technical information

Checking https://gitlab.e.foundation/e/apps/Weather/-/blob/master/app/src/main/java/foundation/e/weather/utils/Constants.java shows that HTTP endpoints are used. Should be an easy, straightforward patch. I don't understand why it's not merged upstream... probably because work on the original qqq3/good-weather stopped (only a few merges in 2017, then stopped) and moved on to your-local-weather.

Alternative

In the your-local-weather app, HTTPS endpoints are used, so an alternative solution is to rebase the /e/ fork onto this app: https://github.com/thuryn/your-local-weather/blob/master/app/src/main/java/org/thosp/yourlocalweather/utils/Constants.java

Edited by Nicolas Gelot
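
A source-level check for the condition this issue reports, added here as an example and not part of the original issue or the app's code: it flags `http://` string literals in a Java constants file while skipping comments, HTTPS URLs and loopback hosts. The sample file content, the host `weather.example` and the constant names are constructed placeholders, not the app's real values.

```python
import re

# Constructed sample standing in for a Constants.java file; hosts and
# constant names are placeholders, not the values used by the app.
SAMPLE_JAVA = '''\
package example;

public class Constants {
    // docs: http://weather.example/api (comment, not a request target)
    public static final String WEATHER_ENDPOINT = "http://api.weather.example/data/2.5/weather";
    public static final String FORECAST_ENDPOINT = "https://api.weather.example/data/2.5/forecast";
    /* legacy: "http://old.weather.example/" */
    public static final String ICON_URL = "HTTP://img.weather.example/w/";
    public static final String LOCAL_DEBUG = "http://localhost:8080/mock";
}
'''

# One alternation for comments and string literals, so that "//" inside a
# string is never mistaken for the start of a line comment.
TOKEN = re.compile(r'''
    //[^\n]*                 # line comment
  | /\*.*?\*/                # block comment
  | "((?:\\.|[^"\\])*)"      # string literal, body captured in group 1
''', re.DOTALL | re.VERBOSE)
CLEARTEXT = re.compile(r'^http://([^/:"\s]+)', re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.1"}  # assumed acceptable for local testing


def find_cleartext_endpoints(source, allow_hosts=LOOPBACK):
    """Return (line_number, url) for each http:// string literal outside comments."""
    findings = []
    for m in TOKEN.finditer(source):
        literal = m.group(1)
        if literal is None:  # token was a comment
            continue
        hit = CLEARTEXT.match(literal)
        if hit and hit.group(1).lower() not in allow_hosts:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, literal))
    return findings


if __name__ == "__main__":
    for line, url in find_cleartext_endpoints(SAMPLE_JAVA):
        print(f"line {line}: cleartext endpoint {url}")
```

Run against the real source file in CI, a non-empty result can fail the build so a cleartext endpoint does not reach a release.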