Is OSMAnd Cloud Secure & Private?

OSMAnd is listed as a PG Navigation recommendation. It has wonderful capabilities, integrating OpenStreetMap & allowing offline navigation. I've very much enjoyed using it.

However, the number of ‘regions’ one can download locally is paywalled at 7, after which an account & paid subscription is required

The account itself is no tremendously offensive privacy breach, requiring only an email. The subscription payment portal additionally asks for a card, name, and zip code

With this paid subscription automatically comes a cloud backup & sync tool, called OSMAnd Cloud. This tool seems to automatically back up your map data to a cloud server.

If given the choice, you may be tempted to opt out of the cloud service entirely. But it seems to be unavoidably bundled with the subscription. Network permissions can be revoked most of the time, but they will need to be reenabled to download new maps, thus reestablishing a connection

The OSMAnd privacy policy claims to delete all individual data from their servers within 7 days of user request, and all account data immediately upon account deletion. I can find no evidence this infrastructure has been audited to verify this policy is being followed, nor details regarding encryption or cyber security practices.

There is a lower subscription tier, called ‘Maps+’. It does not nominally necessitate OSMAnd Cloud, but it claims to include ‘Favorite Location Syncing’. I am unable to confirm whether or not this stores location data to a remote server

To summarize: in order to download more than 7 maps onto the PG-recommended OSMAnd, your app needs to connect to a cloud server that wants to back up location data. An account is needed, PII is collected. I cannot find technical specs on this cloud service, I cannot verify it is private & secure. I see no evidence of an audit. While the app itself is reviewable on GitHub, the cloud infrastructure does not appear to be FOSS. Is this cause for concern?

It is good to remember that there is no tool or software that is perfect.

To me, this is no cause for concern. Considering the terrible alternatives, even if this was half as open it would still be a lot better than other big tech alternatives.

Personally, when it comes to maps, I prefer high quality and accurate info and still would use Google Maps for my navigation needs.


Weird update & resolution:

Despite citing the same GitHub repo source code, the ‘version’ of OSMAnd published to FDroid (net.osmand.plus) is an altogether different app than the ‘version’ published to the OSMAnd website (net.osmand). Both can be simultaneously installed on a single device.

The FDroid version does NOT have a 7 map download limitation. One can download any arbitrary number of maps without creating an account or providing any PII

Oddly enough, the version available to purchase on Google Play for $70 seems to match the version available for free on FDroid. I can’t provide any insights on the iOS version or the Huawei version

I am tempted to make a tool update request, suggesting PG to specifically recommend against downloading the apk from OSMAnd’s site, mentioning that this version alone requires PII for full app usage

Same thing here. I don’t recall ever seeing the 7-map limit in my app, also from F-Droid. It seems like an arbitrary client-side restriction that one should be able to patch out by compiling from source anyway.

Yes, there are multiple build flavors IIUC. You can download different versions at Versions | OsmAnd too, but I really prefer F-droid.

Definitely. That is the one I would recommend users to use. The F-Droid version also does not have some proprietary Google binary blobs.