Continuing from the previous post about the pros and cons of CoMaps, a fork of OrganicMaps for Android, let’s have a look at how private and offline CoMaps actually is. From a privacy respecting maps app, I expect that the app doesn’t spill my location to anyone on the network, including potential project servers. So that’s my baseline here.
To find how CoMaps behaves, I traced my network traffic while CoMaps was running. The result: After an initial one time download of the maps I needed, there was no further network interaction by CoMaps itself. Nothing on startup and also nothing while being used. Very nice, but let’s dig a bit deeper:
As CoMaps requires the location, the operating system will query for the satellite almanacs when CoMaps starts, so my location could be spilled to a third party during this step. As I run GrapheneOS, the request is proxied via one of GrapheneOS’ servers and all private information such as the IMSI is removed from the query. And here are the two domains that are queried for this procedure on my Pixel 8:
broadcom.psds.grapheneos.org
gs-loc.apple.grapheneos.orgVery nicely done on the part of GrapheneOS. For the details, search for ‘GNSS’ and ‘IMSI’ on this GrapheneOS FAQ page.
And again, the story doesn’t quite end here. CoMaps has the option to query a Google API to get an initial location or a location when being indoors without GPS reception by collecting information about Wi-Fi networks the device receives and sending this information to a service on the network. By default, CoMaps has this option disabled, as on a standard Android device, a privacy invading query would be made to Google servers. On GrapheneOS, this service is modified and goes to GrapheneOS servers that do a bit of a different thing here to make sure your privacy is respected, despite the local information sent as part of the query. For details see this article. As I trust GrapheneOS, I have activated the feature in CoMaps, which doesn’t know anything about GrapheneOS. It just uses the API and is never bothered with the fact that the ‘network based’ location request query does not go to Google, but to another service. Very nice and I get an initial location in a fraction of a second after starting the app.
Location Sharing
CoMaps also has an option to share the current location or any other location pointed to on the map. In addition to the standard ‘GEO:’ coordinates, the app also creates a link. Here is an example, which points to a book store in the main train station in Rome:
At first, the link doesn’t look like it includes the coordinates. So I was wondering if something was stored in the network and later retrieved when the URL is requested. So I traced the connection again with Wireshark and couldn’t see interaction with a server. So I did a bit of research and found out that the coordinates are actually encoded in the short string after the domain name. It looks very short to be the exact coordinates, but the numbers from 0 to 9 are encoded into a much bigger alphanumeric code space, which significantly shortens the URL. Must have been a thing when every bit in a message to be sent to another party counted.
Summary
While CoMaps is pretty new in 2025, the programs it has forked from are not, and I’m amazed that I haven’t come across it so far. It’s the typical effect: It takes a lot to go away from something you have grown accustomed to over the years and it really has to disappoint in some big way before any alternatives are considered. But now that I’ve made the switch I rarely resort to falling back to something else. Ready to get ‘locked-in’ to this one 🙂