The microG Project aims to fully de-Google the Android OS by providing free open source alternatives to Google's proprietary services and libraries. You can follow the project at:
MicroG's website is at https://microg.org
MicroG is used for example by @e_mydata on their de-Googled Android phones.
@inference You are confusing privacy with security.
In addition, while it could allow for some privacy leaks through security exploits, its main purpose is to limit being reliant on installing full G services, to gain some usability with your Android phone.
No, #MicroG signature spoofing does not allow “government backdoors” to be “trivial”
I’d also like to point out a myth I heard regarding signature spoofing. Some people assume that signature spoofing allows to break the Android signature security model and thus rogue applications can access private app storage. But in fact signature spoofing is only applied after installation if the permission was granted, it has no influence on the package manager security model.
By allowing signature spoofing, you are allowing anyone to push an update
This is not true. From MicroG FAQ:
Wait, on their FAQ page I see that they don’t want to include the patch for security reasons. Is this ROM unsafe?
No. LineageOS’ developers decided not to include this patch for various reasons. The signature spoofing could be an unsafe feature only if the user blindly gives any permission to any app, as this permission can’t be obtained automatically by the apps. Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.
Which is indeed the case per MicroG code.
I tried a dozen various Android builds, including GrapheneOS, but Micay has proven to be a toxic and arrogant dick which kind of discouraged me from using it. It also was much slower than other Android builds, which I understand is a price of all the extra hardening but it’s a price I’m not willing to pay at my risk profile. Eventually, I settled with /e/ on Fairphone which includes secure boot and firmware updates.
If you don’t trust Google, and it’s okay not to, use F-Droid, or, even better, self-sign like I do after compiling apps.
Sorry, I can’t compile my banking app and a dozen other apps that I need for my business, and they also won’t work without Google Play Services. Which is precisely why I rely on MicroG to work around this vendor lock-in.
I'd seriously like to know what's the source for your claim, "by allowing signature spoofing, you are allowing anyone to push an update", because it is entirely untrue (which is also explained in my blog post linked above) for the signature spoofing patch I developed and all derivatives of it known to me.
The signature spoofing code is not invoked by any part of the Android OS that is relevant to package management. This means that the patched code cannot affect the ... (1/5)
... process involved when updating apps and as such, updates can't be affected. Signature spoofing basically only allows a third-party app to look to other third-party apps as if it was signed differently. However third-party apps should normally not even look at the signatures of other third-party apps - and since Android 11, it's even harder for them to do so: https://developer.android.com/training/package-visibility.
Even if the signature spoofing code was also ... (2/5)
... affecting the OS package management, it wouldn't mean that anyone can just install updates. The signature spoofing feature allows an app - after it was installed and granted a special permission - to spoof it to be signed by one specific certificate (that the app must provide at installation time). It is always the already installed app that does this, not the app to be installed (which also can't request the permission yet because its code is not run). Or to ... (3/5)
... phrase it differently: If signature spoofing would affect the OS package management, apps that already use signature spoofing (e.g. microG) could be updated to the app they claim to be (e.g. Play Services) - not the other way round.
Whoever started that myth of signature spoofing "allowing anyone to push an update" probably mixed it with completely disabling signature checks, which was a developer feature provided via Xposed framework https://www.xda-developers.com/application-signature-verification-how-it-works-how-to-disable-it-with-xposed-and-why-you-shouldnt/. (4/5)
Again: The signature spoofing patch does not disable or otherwise affect the signature verification process during update of an app and never did that.
Everyone claiming otherwise just does not know what they are talking about.
And, unfortunately, I have to explain this over and over again, because such claims just stick around forever. (5/5)
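A simplified model of the separation described in the post above, added here as an example and not code from the thread, microG or AOSP: the update check compares real signing certificates, while spoofing only changes what other apps see when they query a signature. The class names and certificate labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

FAKE_SIG = "android.permission.FAKE_PACKAGE_SIGNATURE"  # permission used by the microG patch

@dataclass
class Apk:
    package: str
    signer: str                           # certificate that really signed the APK
    fake_signature: Optional[str] = None  # certificate the app asks to present

@dataclass
class Installed:
    apk: Apk
    granted: set = field(default_factory=set)

class PackageManagerModel:
    """Toy model: the install/update path and the query path are separate."""
    def __init__(self):
        self.installed = {}

    def install(self, apk):
        # Update check compares REAL signers only; spoofing is never consulted.
        current = self.installed.get(apk.package)
        if current is not None and current.apk.signer != apk.signer:
            return False
        granted = current.granted if current else set()
        self.installed[apk.package] = Installed(apk, granted)
        return True

    def grant(self, package, permission):
        self.installed[package].granted.add(permission)

    def get_signature(self, package):
        # Query path: what other apps see when they look up the signature.
        entry = self.installed[package]
        if FAKE_SIG in entry.granted and entry.apk.fake_signature:
            return entry.apk.fake_signature
        return entry.apk.signer

def demo():
    pm, pkg = PackageManagerModel(), "com.google.android.gms"
    pm.install(Apk(pkg, "microg-cert", "google-cert"))   # constructed cert labels
    before = pm.get_signature(pkg)          # permission not granted yet
    pm.grant(pkg, FAKE_SIG)
    after = pm.get_signature(pkg)           # spoofed view for other apps
    rogue = pm.install(Apk(pkg, "other-cert", "google-cert"))     # wrong signer
    genuine = pm.install(Apk(pkg, "microg-cert", "google-cert"))  # same signer
    return before, after, rogue, genuine
```

In the model, an APK signed with a different certificate is rejected as an update even though the installed app holds the spoofing permission, because `install` never reads the spoofed value.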
@FediFollows @microg @e_mydata microG is a truly excellent free and open source project that lets you access features and get notifications from all of your apps without installing Google's proprietary Play Services library on your Android device.
The latest version is able to pass SafetyNet, which lets microG work with more bank, game, and media apps. microG is safe to use.
I highly recommend microG for anyone who wants to reduce their privacy exposure to Google!
1. Universal SafetyNet Fix: https://github.com/kdrag0n/safetynet-fix
2. MagiskHide Props Config: https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf
Then, use a terminal app (like Termux) and apply the certified device fingerprint for your device. You need to run "su" then "props" in the terminal. Restart and it should work!
@inference @e_mydata @FediFollows Everyone has different priorities. Many users enjoy the functionality of a rooted phone, such as unrestricted app backups and full terminal access. Many users want to use bank, game, media, and other apps that require their device to pass a full SafetyNet check. microG and Magisk allow users to do all of these things without Google Play Services. And that's good enough for them.
@inference @e_mydata @FediFollows I'm glad that you're doing well without Play Services or an equivalent. But not everyone wants to go without push notifications for some apps. Some users prefer functionality over security.
Asking people to avoid anything that doesn't meet your standard of security is a harder sell than asking people to consider #FOSS apps that meet their needs. microG does what some users ask for, and it's great that the option is there.
Compared to having neither microG nor Play Services, microG enables push notifications, map widgets, and other features. Compared to Play Services, microG is ad-free.
And with Magisk, microG users can pass SafetyNet to work with the bank, game, and media apps that require it, apps that you apparently aren't using.
Not everyone uses the same banks as you. Or the same games. Or the same media apps.
You're entitled to your own opinions, but nobody is obligated to match your preferences.
@inference @e_mydata @FediFollows People who prefer #FOSS enjoy the freedom to inspect, run, modify, and redistribute the source code. These benefits exist regardless of whether there's a community or movement behind it.
I appreciate microG and other FOSS for providing the features that I want. It seems that you're not interested in microG. That's fine, and you don't have to use it. The rest of us users will continue to enjoy it.