Latest release of my DivestOS can now run microG in an unprivileged manner:
not a privileged system app and not a regular system app
not pre-installed
no special permissions
no automatically granted permissions
feature gated behind a toggle in Settings
user must install the apps themselves
only available to the profile the user installed it to
signature spoofing is behind the toggle and bound to the official microG build certificates and gated with version code and target SDK checks and can only spoof the Google signature
That would be much more work to maintain and initially backport.
This is an extremely simple implementation that is in line with the goals of DivestOS.
numbers-wise: Sandboxed Play is in excess of 5,000 lines changed, whereas this is barely 100.
Sandboxed Play is far more of a first-class feature in GrapheneOS, whereas unprivileged microG is more so a bonus feature for DivestOS.
I think allowing a flawed and insecure re-implementation of Google Play services to spoof actual Google Play services should probably not be ‘in line with goals of DivestOS’…
There is no need to ship Google’s proprietary code in a custom OS; in fact MicroG runs proprietary Google binaries (like droidguard, safetynet, snet)
If a user trusts microG to achieve what it does then there is no issue with this implementation.
I don’t care if some proprietary garbage app that depends on Play ends up talking to an impersonator (microG) if the user evidently consents to it by explicitly opting-in.
Here is the toggle itself which literally notes this for the time being:
This is a really cool idea. So one big benefit would be network location services, right?
I use a DOS phone with only GPS, plus a Lineage phone with Google Play Services primarily for driving navigation in situations where I need reliability.
So while this feature is not recommended, are there any downsides compared to Lineage+Google, or would it be an example of harm reduction? DOS is available for my Lineage phone, so perhaps it warrants a switch.
So it seems there are three (four) different approaches:
Sandboxed Play Services like in GOS, main advantage being best compatibility, main disadvantage being that you run Google proprietary spyware (even though somewhat mitigated by the sandbox denying lots of info to Google)
Privileged microG with signature spoofing like in CalyxOS, main advantage that it’s open source and you don’t directly have Google apps installed, main disadvantage that Google ironically has more access to your phone info compared to sandboxed Play Services, given the privileged system app status of microG (at least that’s what the GrapheneOS dev says)
Unprivileged microG like in DivestOS, main advantage same as above, main disadvantage that SafetyNet doesn’t work (for banking apps)
Run neither, main advantage that you don’t talk to Google, main disadvantages that your apps needing FCM notifications and integrated maps and Safetynet probably won’t work correctly
In my opinion, DivestOS has the best balance. I wish others like CalyxOS or GrapheneOS would copy this approach.
So how come nobody made a sandboxed microG with Safetynet support? Wouldn’t that be the most privacy and freedom while still allowing notifications and banking apps to work?