Follow

The microG Project aims to fully de-Google the Android OS by providing free open source alternatives to Google's proprietary services and libraries. You can follow the project at:

➡️ @microg

MicroG's website is at microg.org

MicroG is used for example by @e_mydata on their de-Googled Android phones.

@FediFollows @e_mydata MicroG is a security flaw ridden project which does nothing to help your privacy, thanks to requiring signature spoofing, which allows any app to pretend to be any other app.

A government backdoor added to an app is trivial to achieve, due to not having digital signatures which cannot be spoofed.

One of my blog posts talks about why the FOSS movement is working against itself:
https://inferencium.net/blog/foss-is-working-against-itself.html

@inference You are confusing, privacy with security.
In addition, while it could allow for some privacy leaks through security exploits, its main purpose is to limit being reliant on installing full G services, to gain some usability with your android phone.

@inference @FediFollows @e_mydata

No, #MicroG signature spoofing does not allow “government backdoors” to be “trivial”

https://blogs.fsfe.org/larma/2016/microg-signature-spoofing-security/

I’d also like to point out a myths I heard regarding signature spoofing. Some people assume, that signature spoofing allows to break the Android signature security model and thus rogue applications can access private app storage. But in fact signature spoofing is only applied after installation if the permission was granted, it has no influence on the package manager security model.

Last-year’s change to #Google stock #Android policy that mandates that developers’ keys are to be hosted with Google kind of does 😉

@kravietz @FediFollows @e_mydata

I already read this article and found major flaws in the reasoning and model.

What is the reason for Android signatures? It's to prevent another actor from pushing an update to an already installed app, which the article does get right. However, that's where the failure of understanding begins to show.

By allowing signature spoofing, you are allowing anyone to push an update, via any channel, onto your device, and use any signature (because signature doesn't matter at this point). They now have complete access to your data and any privacy gains are negated.

As for Google hosting keys, this is the same for F-Droid (exception is they host their own keys), and even your own if you self-sign your own compiled apps. Signatures such as Android APK signatures and X.509 are completely based on the trust model, which is what we should be aiming to decrease, not increase. By using MicroG, you are putting extreme amounts of trust into it every app not being spoofed, which is exactly what MicroG allows, thus defeating the entire reason of signing in the first place.

If you don't trust Google, and it's okay not to, use F-Droid, or, even better, self-sign like I do after compiling apps.

Unless you cease using Google Play apps, you're always going to be stuck in this cycle and gain neither privacy nor security.

Sorry to crash your party, but I'll continue to debunk any and all misleading "FOSS hero" information you send my way. I know what I'm talking about, but you don't seem to.

@inference @FediFollows @e_mydata

By allowing signature spoofing, you are allowing anyone to push an update

This is not true. From MicroG FAQ:

Wait, on their FAQ page I see that they don’t want to include the patch for security reasons. Is this ROM unsafe? No. LineageOS’ developers decided not to include this patch for various reasons. The signature spoofing could be an unsafe feature only if the user blindly gives any permission to any app, as this permission can’t be obtained automatically by the apps. Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.

Which is indeed the case per MicroG code.

@kravietz @FediFollows @e_mydata

LineageOS itself is a ridiculous idea to use as a daily driver, so anything running on it is already defeated, not only MicroG:
https://madaidans-insecurities.github.io/android.html#lineageos

@inference @FediFollows @e_mydata

I tried a dozen of various Android builds, including GrapheneOS, but Micay has proven to be a toxic and arrogant dick which kind of discouraged me from using it. It also was much slower than other Android builds, which I understand is a price of all the extra hardening but it’s a price I’m not willing to pay at my risk profile. Eventually, I settled with /e/ on Fairphone which includes secure boot and firmware updates.

@kravietz @FediFollows @e_mydata

> Micay has proven to be a toxic and arrogant dick

Agree. However, not using the only properly secure and private OS is not worth it just because of an apparent asshole. Most passionate technology groups are like this, including Rust and even /e/.


> It also was much slower than other Android builds, which I understand is a price of all the extra hardening but it’s a price I’m not willing to pay at my risk profile.

False. GrapheneOS, when running on a Pixel 4 or newer, has around 100 ms on app cold start time. There is zero slowdown anywhere else, and opening an app with a slowdown of 0.1 seconds isn't noticeable at all. Pixel 3a and below did have this issue due to lack of proper SSD.


> Eventually, I settled with /e/ on Fairphone which includes secure boot and firmware updates.

Secure boot is not the same as verified boot. I'm hoping you mean VB, because that's Android's proper boot chain protection, not SB.

@inference @FediFollows @e_mydata

If you don’t trust Google, and it’s okay not to, use F-Droid, or, even better, self-sign like I do after compiling apps.

Sorry, I can’t compile my banking app and a dozen other apps that I need for my business, and they also won’t work without Google Play Services. Which is precisely why I rely on MicroG to work around this vendor lock-in.

@kravietz @FediFollows @e_mydata

You don't seem to realise that any apps with Google Play services in the code can "phone home" even without Google Play services or MicroG being installed. Without an implementation of Google Play services, whether GPS proper or MicroG, they can't push to device, but they can still send and recieve Google data.
@inference

This kind of tracking applies to any non-FOSS app, and is defeated using adblockers

@FediFollows @e_mydata
@kravietz @FediFollows @e_mydata

An ad blocker which can stop phoning home? Doubtful.

This requires DNS request blocking, URL blocking, and fragments and complicates the security and privacy model. Complex designs are rarely the best designs.

Piling on "privacy" features are not giving privacy at all; they are simply making it more difficult to maintain the model, while diversifying your fingerprint to stand out.

@inference
I'd seriously like to know what's the source for your claim, "by allowing signature spoofing, you are allowing anyone to push an update", because it is entirely untrue (which is also explained in my blog post linked above) for the signature spoofing patch I developed and all derivatives of it known to me.

The signature spoofing code is not invoked by any part of the Android OS that is relevant to package management. This means that the patched code cannot effect the ... (1/5)

@inference
... process involved when updating apps and as such, updates can't be affected. Signature spoofing basically only allows a third-party app to look to other third-party apps as if it was signed differently. However third-party apps should normally not even look at the signatures of other third-party apps - and since Android 11, it's even harder for them to do so: developer.android.com/training.

Even if the signature spoofing code was also ... (2/5)

@inference
... affecting the OS package management, it wouldn't mean that anyone can just install updates. The signature spoofing feature allows an app - after it was installed and granted a special permission - to spoof it to be signed by one specific certificate (that the app must provide at installation time). It is always the already installed app that does this, not the app to be installed (which also can't request the permission yet because its code is not run). Or to ... (3/5)

@inference
... phrase it differently: If signature spoofing would affect the OS package management, apps that already use signature spoofing (e.g. microG) could be updated to the app they claim to be (e.g. Play Services) - not the other way round.

Whoever started that myth of signature spoofing "allowing anyone to push an update" probably mixed it with completely disabling signature checks, which was a developer feature provided via Xposed framework xda-developers.com/application. (4/5)

@inference
Again: The signature spoofing patch does not disable or otherwise affect the signature verification process during update of an app and never did that.

Everyone claiming otherwise just does not know what they are talking about.

And, unfortunately, I have to explain this over and over again, because such claims just stick around forever. (5/5)

@inference @e_mydata @kravietz @FediFollows your fact about F-Droid is also not completely right. Google forces devs to upload their keys. F-Droid allows devs to use their own via reproducible builds...

@jr @e_mydata @kravietz @FediFollows

I didn't say F-Droid forces dev keys to be stored, I said you're trusting F-Droid with their own keys (F-Droid compiles and signs the software, themselves, hence why updates from devs don't work when the F-Droid app is installed).

Dev signatures can be used via app sideloading or their F-Droid repo.

@inference @kravietz @e_mydata @FediFollows that's wrong, F-Droid also allows the app to be signed with the devs key, but then the app needs to be build reproducible, so F-Droid could verify that the app was build from source by the devs

@jr @FediFollows @e_mydata @kravietz Ultimately, the only way to guarantee that the app and key has not been compromised is to self-sign after self-compiling. My point still stands solid.

@FediFollows @microg @e_mydata microG is a truly excellent free and open source project that lets you access features and get notifications from all of your apps without installing Google's proprietary Play Services library on your Android device.

The latest version is able to pass SafetyNet, which lets microG work with more bank, game, and media apps. microG is safe to use.

I highly recommend microG for anyone who wants to reduce their privacy exposure to Google!

@rogue @FediFollows @microg @e_mydata

Thank you for pointing out that SafetyNet works now! I didn't know that, just checked and basic integrity check works, so exciting.
No CTS match, but maybe that's because I use Magisk and beta build of the rom.

@didek @FediFollows @microg @e_mydata You're welcome! To pass the CTS match on Magisk 24, turn on Zygisk in the settings and install these Magisk modules:

1. Universal SafetyNet Fix: github.com/kdrag0n/safetynet-f

2. MagiskHide Props Config: github.com/Magisk-Modules-Repo

Then, use a terminal app (like Termux) and apply the certified device fingerprint for your device. You need to run "su" then "props" in the terminal. Restart and it should work!

@rogue @FediFollows @e_mydata

I refer you to 2 sources.

1, my blog post:
https://inferencium.net/blog/foss-is-working-against-itself.html​

2, Madaidan's excellent article on the matter:
https://madaidans-insecurities.github.io/android.html#microg-signature-spoofing​

There is no privacy without security.

@inference @e_mydata @FediFollows Everyone has different priorities. Many users enjoy the functionality of a rooted phone, such as unrestricted app backups and full terminal access. Many users want to use bank, game, media, and other apps that require their device to pass a full SafetyNet check. microG and Magisk allow users to do all of these things without Google Play Services. And that's good enough for them.

@rogue @e_mydata @FediFollows

Incorrect.

I'm using GrapheneOS, and have been for 1.5 years, without Google Play services installed. All of my apps have worked, and do work, fine.

Aurora Store gets the Google Play apps you want or need. The worst thing I've found is that some apps say something similar to "This app won't work because requires Google Play services which aren't supported by your device." The app does indeed work just fine, minus Google Maps or notifications.

As for notifications, there are alternatives with proper notification systems instead of the lazy Google Cloud Messaging implementation. If you want to get away from GPS, stop supporting apps which use them, or use them without.

Bypassing any encryption, obfuscation, or privacy, gains from using *any* app or OS on a rooted or signature spoofed phone, as stated in both articles I linked to, allows extremely easy access because you've quite literally given anyone both a remote and local backdoor to your apps and OS, without the ability to even detect this, never mind fix it.

As stated in my blog post, the FOSS movement is flawed and is working against what it's fighting for. This mentality is exactly why FOSS-only will never happen beyond a niche group of people.

@inference @e_mydata @FediFollows I'm glad that you're doing well without Play Services or an equivalent. But not everyone wants to go without push notifications for some apps. Some users prefer functionality over security.

Asking people to avoid anything that doesn't meet your standard of security is a harder sell than asking people to consider apps that meet their needs. microG does what some users ask for, and it's great that the option is there.

@rogue @e_mydata @FediFollows

> Some users prefer functionality over security.

Tell me, what reason do people use MicroG? It's for privacy. There is no loss of "functionality" from using Google Play services proper, rather than MicroG (if anything, MicroG causes losses of functionality, not the opposite).

As stated, and what you still don't seem to understand, is that MicroG causes a crack in your entire chain of trust, meaning *anyone*, whether your neighbour, Google, or a government, can easily access all files on your device and install any tracking they wish.

Sorry to crash your party, but using any app with Google Play services in the code can contact Google at any time, regardless of whether Google Play services is installed on your device or not; Google Play services simply allows device access and pushing, it does not prevent the app from "phoning home".

Clearly, you have no idea what you're talking about, and have no clear threat model; you're just piling on "privacy" features without just cause.

@inference @e_mydata @FediFollows microG is while Play Services is not. You might not care about this, but the FOSS community does.

Compared to having neither microG nor Play Services, microG enables push notifications, map widgets, and other features. Compared to Play Services, microG is ad-free.

And with Magisk, microG users can pass SafetyNet to work with the bank, game, and media apps that require it, apps that you apparently aren't using.

@rogue @e_mydata @FediFollows

> microG is #FOSS while Play Services is not. You might not care about this, but the FOSS community does.

You just agreed that you have no clear threat model and proved my blog post to be correct. You are using emotion over logic, which is stated in the final paragraphs of my blog.

> And with Magisk, microG users can pass SafetyNet to work with the bank, game, and media apps that require it, apps that you apparently aren't using.

Banking apps work fine, just as mine does. Yes, I do use these apps, and I can send you a screnshot of my perfectly working apps, if you'd like, including a banking app.


Try again.

@inference @e_mydata @FediFollows Whether an app is free and open source is not an "emotional" argument. The license is either or not. The FOSS community prefers FOSS apps.

Not everyone uses the same banks as you. Or the same games. Or the same media apps.

You're entitled to your own opinions, but nobody is obligated to match your preferences.

@rogue @e_mydata @FediFollows

> Whether an app is free and open source is not an "emotional" argument. The license is either #FOSS or not. The FOSS community prefers FOSS apps.

Why follow a movement unless you're emotionally attached to it? That's emotion. Educate yourself.


> Not everyone uses the same banks as you. Or the same games. Or the same media apps.

Ah, so now you're backtracking on what you said, because you've been defeated.


> You're entitled to your own opinions, but nobody is obligated to match your preferences.

Opinions wouldn't have sources to back up how it actually works, rather than thinking about how it works. This is fact, not opinion.


Thanks for proving me to be correct and showing that you are one of the people who will cause FOSS to be forever niche and never become the norm.

@inference @e_mydata @FediFollows People who prefer enjoy the freedom to inspect, run, modify, and redistribute the source code. These benefits exist regardless of whether there's a community or movement behind it.

I appreciate microG and other FOSS for providing the features that I want. It seems that you're not interested in microG. That's fine, and you don't have to use it. The rest of us users will continue to enjoy it.

@rogue @e_mydata @FediFollows

> People who prefer #FOSS enjoy the freedom to inspect, run, modify, and redistribute the source code. These benefits exist regardless of whether there's a community or movement behind it.

What use is that if you get neither security nor privacy? That's worse than using closed source. Isn't FOSS all about regaining control and privacy? Again, read my blog until it soaks in.

@tychosoft @microg

E Foundation is @e_mydata, they use microG as part of their /e/ version of Android.

MicroG is concentrating on degoogling part of Android's OS, /e/ is selling degoogled phones.

MicroG is part of the OS that /e/ provides, they are complementary projects.

Sign in to participate in the conversation
Mastodon

A newer server operated by the Mastodon gGmbH non-profit