Posts: 48 | Thanked: 191 times | Joined on Jan 2016 @ Münsterland, Germany
#28
I have not yet verified the contents of the following link:

https://wuffs.org/blog/pulling-apart...emfota-updater

There seem to be MAJOR security issues with the OTA Updater of the Cosmo, and the content of the website makes me switch back to my S4-Mini with AOKP once I'm back at home.

I had a short glimpse at the mentioned OTA-Update for the Cover display.
(The website says the CODI updater updates from here: http://fota.planetcom.co.uk/stm32fla...e_versions.txt which is only available via HTTP, and the binaries which are flashed to the outer display are also only available via HTTP.) If I wanted to persist malware on a Cosmo, I'd choose the CODI subsystem.

I need to verify the URLs with wireshark once I'm back home.

Edit: This is the author's Twitter thread for this issue: https://twitter.com/_Ninji/status/1201275091297931268

Last edited by xelo; 2019-12-29 at 20:21.
 
