[jbg_]

It does not turn off signature checking. It allows selective, whitelisted system apps to impersonate other apps after a permission is granted by the user.

Specifically, it allows the open-source, auditable microG apps to impersonate the closed-source, unauditable Google Play Services apps.

[morganvachon]

As much as I like the idea of running an Android device without gapps while remaining fully functional, and I feel this fork goes out of its way to attempt to remain secure, I just can't get past the fact that it's still a security hole. Eventually some bad actor is going to hammer at this hole until he finds a way in, then it's game over, restart from scratch.

I think the larger problem, the one that caused the microg gang to go this route, is the increasing control Google wants to hold over their platform. Fanatics always promote Android as the "open source alternative" to iOS and Windows Phone, but if you have to strip out so much proprietary gunk that it renders the device unusable, how can they claim it's open source with a straight face? Sure, the core Android code and kernel is still open, but there's a huge difference between being able to boot a device and actually using it daily.

[jbg_]

This doesn't make sense to me. You already have other permissions (draw on top of other apps, full filesystem access, etc) that could be catastrophic to grant to malicious apps. If you don't trust yourself not to grant them, or you don't trust the Android permissions system itself to be implemented correctly, it's already game over.

(Edit to add: I agree with everything in your second paragraph.)

[morganvachon]

I may be misunderstanding the methods involved then; I'm not a security expert and I no longer use Android so I am behind the curve.