Murena One Review: De-Googling your phone, only to replace it… with Google
If you’re in the market for a new phone and wish to escape the Apple and Google duopoly, there’s not much choice left out there. That’s why, when a company claims to be able to provide the same experience without either of those, most of the tech world immediately becomes skeptical. The Murena One phone is one such device that claims to be fighting the good fight by providing a de-Googled phone experience, but the catch is that to install any apps on it, you’ll be making use of Google anyway.
To roll things back a bit, the Murena One phone was announced at the end of May this year, and it’s a phone that runs /e/OS. It removes a lot of Google apps and other dependencies and opts instead for free and open source alternatives. It’s powered by a Mediatek Helio P60 SoC and 4GB RAM and has a pretty basic 6.53-inch IPS LCD display with a resolution of 1080 x 2242. It also has 128GB of internal storage that can be expanded via microSD, with a quad camera array on the back. It has a digital assistant too.
Problems begin the closer you look, starting off with the phone’s custom app store, dubbed App Lounge. The company up until recently wasn’t been too open about what App Lounge actually is, but if you’re familiar with Aurora Store, that’s exactly what it is. It uses the same underlying methodologies as Aurora Store, except it highlights open source applications and can also pull from F-Droid, too. What’s more, it supports logging into your Google account (just like Aurora Store) so that you can download the apps that you’ve paid for.
Murena One: Specifications
|Dimensions & Weight||
|RAM & Storage||
|Battery & Charging||4,500mAh|
|Security||Side-mounted fingerprint sensor|
|Software||/e/OS 1.0 based on Android 10|
About this article: Murena sent us the Murena One phone for review. While the company sent us this device, it did not have input into the contents of this article, apart from the statement that they provided on our request.
Murena One: Pricing and Availability
The Murena One is available globally for purchase for €349, and the next batch of devices is expected to ship in September of 2022. The company says that it should work on all major European carriers.
Software: The Murena One’s unique approach is to use… Google
The part that sets off alarm bells for me is not that it’s making use of Google’s services. Previously, the company had advertised its Murena One phone with its own app store and gave seldom few details about where those apps would come from. You would be forgiven for assuming that maybe the company had paired up with F-Droid for app distribution, but no, instead it opted to essentially create its own Aurora Store. That in itself is not a problem either, but it does highlight an issue that may arise.
Aurora Store technically lives in a gray area currently. That’s not to say that it’s illegal, but it’s not quite legal either. It pulls from Google’s servers and bypasses the need to have a Google account. It has served me well on Huawei devices and is also great for installing the latest versions of apps without needing to navigate to APKMirror or the like. However, selling a phone with that exact process to install apps is very different from a small enthusiast app that you can download if you know where to look.
What’s more, technically, using Aurora Store (when logged in) can get your Google account banned. That’s because this app very likely violates Google’s own Terms of Service, and Rahul Patel, the lead developer behind Aurora Store, agrees. I spoke with him, and he told me that it’s his belief that Aurora Store violates Google’s terms of service, but that the company turns a blind eye as it does not really cause it to lose money or negatively affect its infrastructure.
However, that then changes when we contextualize what App Lounge on the Murena One is. It’s a replacement for a pre-installed Google Play Store, while still providing much of the same functionality. Therefore, it does negatively impact Google’s cash flow, as the alternative would be to pre-install the Google Play Store and for Google to receive a fee for that licensing. This circumvents the need to pay the fee and may force Google to act. Problems arise then when we consider that users can log in to their real Google accounts on this device and in Aurora Store in order to download the apps that they’ve paid for. Who’s to say Google won’t ban these users to make a point?
If that is the case, then that’s another problem for Aurora Store users too. Patel confirmed to me as well that it uses the GPlayApi that’s a part of Aurora Store, and that App Lounge fetches applications for download the same way. This means that on Google’s end, both apps look similar. They use the same methods to download apps, and the same methods to log users in to download their own purchased apps. That means if Google decides to take action against App Lounge, then Aurora Store users will likely be caught in the crossfire too. Patel believes that it’s highly possible Google will want to take action against App Lounge.
We reached out to Murena, expressing our concerns and asking if the company had an official stance on the fact that Google may look unfavorably upon this solution. We also asked what happens if Google decides to close down the routes they adopt, or worse, takes action against users who may choose to log in to it with their Google accounts. We were given the following statement from the company’s founder, Gaël Duval.
We think that with App Lounge users do no [sic] infringe play store Terms of Services.
We also think that play store terms of services:
– infringe laws regarding free competition rules
– infrige [sic] laws regarding rights to portability
It’s not the most convincing statement.
An interesting feature that App Lounge does add is a privacy rating out of ten. It automatically analyses applications based on their permissions and trackers included in the application. It then gives it a rating out of ten, with ten meaning that it’s less likely to track you.
Hilariously, though, the privacy score calculated for Facebook was nine out of ten, suggesting that the Facebook app does a great job at respecting user privacy. It’s obviously not a score that you should rely on all the time, but this drives home that point. For reference, both Telegram and Signal scored the same or just a little bit lower. For now, I’d recommend using App Lounge or Aurora Store via a throwaway Google account.
/e/OS & Security
Backing up a bit to the rest of the phone, it’s clear that there’s more than just a passing iOS influence. The “Music” logo looks exactly like the Apple Music logo (though with the white and red swapped), and the overall layout is quite similar too. It’s not quite an iOS rip-off, but there’s no doubt some heavy inspiration going on here.
There are a set of pre-loaded applications that can’t be uninstalled, including a gallery, mail app, recorder, and note-taking app. If you’re worried about location trackers, the pre-installed navigational app dubbed “Magic Earth” is also closed source. It’s up to you whether that’s a problem or not, but the e Foundation says that the Magic Earth developers “have provided us documentation about the privacy behavior of this application.”
Something puzzling to me as well is that the phone’s software is outdated. It runs on Android 10, with an Android security patch level of April 2022 and a vendor security patch level of November 2020. Not to mention that the Helio P60 itself has been vulnerable in the past and still technically is, though there are no public exploits that I know of. There are still, to this day, security patches being released with fixes for MT6771, which is the codename for the Helio P60. One such exploit that was only recently fixed is the following:
“In telecom service, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.”
For a smartphone that claims to be built around user security, aging vulnerable hardware and older security patches seem a bit impractical. What’s more, I can’t find the kernel sources published anywhere yet. We reached out to Murena to ask where they are and will update you if we hear back.
On the company’s FAQ page for the Murena One, it says the following as well:
“We publish software updates for our phones at least every 2 months. We sometimes even have updates every month.”
For a smartphone that claims to be secure, it seems odd to leave one-month gaps for security updates. Security is the entire premise of the phone, and yet, it falls behind some devices such as the likes of Google’s Pixel smartphones or even unlocked Samsung phones.
Why would someone who is security conscious want a smartphone with extremely out-of-date vendor patches, a promise of security patches every two months, and an Android version that’s almost three years out of date? What’s more, my device arrived with the bootloader unlocked. That’s a privacy concern in and of itself. I asked Murena about this and was told that retail units will come with a locked bootloader. However, user reports of other Murena devices suggest that the company tends to sell them unlocked. It’s obviously different as the company is a bit more in control of the hardware this time around, though.
In other words, the whole situation is just… weird.
De-Googling Play Services
On any “normal” Android phone, the Google effect extends onto two main branches: app distribution and the services framework for third-party apps to use. We’ve seen how the Murena One handles app distribution in the absence of the Google Play Store, but how does it handle the absence of the Google Play Services framework?
Given that you’re living without Google services, it’s obviously going to be a bit of a change. The Murena One’s solution is to include microG, an open source replacement for Google services that aims to retain as much functionality as possible. Apps that rely on Google services will instead be calling microG, and you can log in to your Google account with microG and benefit from the likes of push notifications and more. It works well in some places, and poorly in others. For example, this is an app that I quickly put together from the Google Maps template in Android Studio. It’s supposed to load a map and place a marker in Sydney, Australia.
While the marker doesn’t get placed, it’s clear that it did focus on Sydney. You can change the location and rebuild the application, and it does move, too. This same feature works in other apps too; for example, the Uber app will show the Mapbox widget instead. The fact it intercepts and injects its own map over a Google Maps widget is pretty neat, and I will admit that I’m impressed by how it just works out of the box. I don’t know how compatible it will be with apps that rely on Google Maps heavily, but it works for at least casual usage.
However, it’s not all fun and games with microG. For example, both Free Now (a European taxi app) and Pokemon Go will not be able to log in with Google. The phone does pass Google’s SafetyNet, so you can use Snapchat and the like, but it seems that anything requiring Google to log in to your account won’t work. Some apps may also complain when they’re installed from outside of the Google Play Store, even if you used App Lounge to install them.
Basically, while microG does its best to be a drop-in replacement for Google services, it’s not perfect. You will notice that things don’t work. I think that most people who are buying one of these phones know what they’re getting into, but I can see that the premise of dropping Google and only using it on your terms is tempting. It’s just a shame that those terms are very restrictive.
Performance: Using the Murena One as a smartphone
With all of that aside, the Murena One phone is… interesting. It’s not the most powerful smartphone, and you won’t be playing high-octane games from the Play Store on this. In fact, you won’t be able to play previously-purchased titles such as Minecraft thanks to their reliance on the Play Store for DRM. What’s more, because it’s a MediaTek chipset, emulation for consoles and handhelds like the 3DS, PlayStation 2, and even the Wii are basically off the table.
Knowing that you can’t really game on this phone, what can you do with the Murena One? Still, admittedly, a fair bit. You can use most of your favorite apps by downloading them through App Lounge, and /e/OS (being a fork of LineageOS) also has popular features included out of the box like Trust. It’s a pretty user-friendly setup, and you’ll be up and running with anything you want really quickly. Bear in mind that it’s not the most powerful smartphone, so you’ll probably have to be fairly lightweight with your usage. I installed a handful of my usual apps such as Facebook Messenger, Instagram, WhatsApp, Reddit is Fun, and more without any problems, though the phone does struggle performance-wise.
/e/OS isn’t all that different from LineageOS, and there aren’t a whole lot of changes immediately apparent. The first thing I did notice was the extra page on the left of the home screen, which has access to your most recent apps, controls for your /e/Account, and an advanced privacy tracker that allows you to toggle a system-wide VPN that comes with the phone for free.
Here’s the thing though: it’s not exactly a VPN, and instead routes all of your traffic over Tor. When you enable it, it will deny access to all trackers on your phone, fake your location, and hide your IP address. The IP address used tends to be identifiable to websites as a proxy service, so you won’t be able to use it to watch Netflix in other countries. I did verify that the IP address I was given was a valid Tor exit node. The speed also becomes a lot slower, though that’s to be expected when using the Tor network. It maxed out at 3.2Mbps when testing with it enabled when the phone hits 28Mbps on Wi-Fi. As an aside, that Wi-Fi speed is also pretty terrible. On other devices, I can get as high as 400Mbps.
The Murena One is a privacy-centric smartphone that misses the mark
Truth be told, the Murena One is an excellent concept, but it fails to deliver on several fronts. It can’t escape the shackles of Google for one, and actively puts users’ Google accounts at risk for another without providing a fair warning or disclaimer. What’s more, the security aspect of the phone is merely a facade, packing older hardware with outdated vendor patches and a security patch update routine that doesn’t meet what other, less privacy-conscious smartphone providers are doing. Enthusiasts who would be the kind of people to buy this phone will also likely note the lack of released kernel sources.
With those security concerns in mind, I attempted to execute MediaTek-su, the vulnerability that once affected this chipset. It didn’t work, but that’s because it was patched out in a previous security update. While the phone is no longer vulnerable to that, there’s no telling what it is vulnerable to. You can simply look through past monthly security bulletins from MediaTek to see if there are any fixes for this particular chipset.
I really wanted to like the Murena One, as it’s an interesting phone with a lot of premises. A phone that’s sold with what’s essentially a custom ROM preloaded, with a promise of updates and a way to avoid the spying of companies like Google? Cool! That sounds great on the surface, but when executed poorly, it’s not really a phone for anyone. You can totally use a phone without Google apps (I did use the Huawei P50 Pro after all…) but when the phone swaps out Google apps for something else entirely, and that something else entirely doesn’t really work the way that it should, I ask myself why I’m using it in the first place.
Given the unlocked bootloader, lack of security patches, and unclear software situation with App Lounge. You’re just better off buying a cheaper, more modern mid-range smartphone and sticking a custom ROM on it. You’ll have some of the same levels of security without over-paying on a phone that was considered mid-range back in 2018.