[headmelted]

From the FAQ:

Q) "Wait, on their FAQ page I see that they don't want to include the patch for security reasons. Is this ROM unsafe?"

A) "No. LineageOS' developers hide behind the "security reasons" shield, but in reality they don't care enough about the freedom of their users to risk to upset Google by giving them an alternative to the Play Services... Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users."

This is such a petulent attitude towards what sound like well-founded objections to the outright spoofing of Google signed apps that I'm just plain out already.

Also, using the phrase "no security threat is posed to our users" in ANY context is blindingly arrogant, and pretty irresponsible to boot.

[xg15]

They gave an explanation of the security issue, along with a (rather unhelpful) link to LineageOS' stance on the matter and explained which defenses they employed to keep it secure (put it behind a permission prompt that is only available for system apps)

This seems reasonable to me. How is this more dangerous than, e.g., giving an app permission to continously track your physical location?

[headmelted]

That's comparing apples to oranges.

One is replacing signed system components, the other is volunteering to share whereabouts with a third party.

The biggest concern with this is that Google has the resources (and pressure) to get something so central to the security model correct. I've no inside information on how Google develops Play Services, but I imagine they have quite stringent policies with regards to testing and peer review.

The actual functionality of Play Services is only one part of the work that goes into delivering it to your phone, and it's a lot of trust to place in anyone to get something like that right (considering the personal, security-sensitive information we keep on our phones now).

My point was that the FAQ was a big red flag for me in thinking that the developers grasp this aspect of what they're proposing here.

[lucideer]

Your comment about the petulant FAQ item was on point: it's possible to develop an alternative fork without taking such a childish attitude toward discourse with the original project.

On the other hand, I think your implicit trust in internal Play Services policies may be a little over-egged. Google definitely has some great security teams (Chrome/Chromium's security team have made some good contribs to the web, Project Zero is also cool, if a little externally-focused) but this is by no means universal. Android's been a bit of a sore spot in this regard generally (particularly in comparison to Apple).

[UncleMeat]

Is this actually still true? If you look at the public patch notes for ios and android, the number of platform bugs is similar.

[lucideer]

I'm more thinking of architectural decisions rather than outright bugs, but yes it is improving - e.g. with projects like Treble.

[ehsankia]

How is comparing the security of Android, which is a far more open and diverse platform, to Apple, a walled garden, fair at all? And let's not forget about how Apple happily gives backdoor access to apps like Uber.

[lucideer]

I'm not sure what "fairness" has to do with it.

Sure, Apple makes their own life easier in terms of security by applying draconian restrictions on the freedoms of their own users. But this and the fact that things are not as easy for Google to do effective security doesn't make it any less true that they aren't doing it.

Again, Apple's Uber backdoor isn't really relevant - I never implied Apple were benign, just that Google's security record is imperfect, and compares poorly.

The openness and diversity of Android's platform isn't a wholesale excuse for not securing users.

[s73ver_]

They're both smartphone platforms. Of course they're going to be compared to one another.

[eptcyka]

You can't use the remote APIs you need to deliver the same local APIs that are required to run modern apps without spoofing the signatures of applications - otherwise google's remote APIs would forbid access. This is where security measures are also inherently DRM-ish, and to deliver the experience typical end users expect using free software (free-er than stock android) it's necessary to circumvent it. One could argue that such circumvention is illegal. I hope no one deems it to be so.

[chasil]

What makes you think that Play Services is well-designed?

Google also designed the media system, and that leads the security patches every month - what would have rehabilitated them?

https://interviews.slashdot.org/story/16/08/26/1338246/the-s...

"Don't start me on Stagefright and Mediaserver, I could rant for 2 or 3 hours non-stop! Seriously, the code over there is crap, and has insane concepts, like aborting the whole mediaserver (and all related media decoding of all other applications running at the same time), when it parses a file with attributes it does not know, instead of skipping the file. We discovered some issues in Stagefright (busy loops, device reboots, mediaserver crashes) quite early, but we never thought about submitting them."

[cptskippy]

They're dismissing risk as a non issue since they've displaced responsibility on the user. Their system isn't more secure because it is reliant on the user. Time and time again it's been shown that the user is the weakest link which is why some many of these types of systems are in place.

People are 100% vigilant all the time.

[hedora]

Their system is explicitly for people that don’t trust Google.

With certificate spoofing, the risk is that I might accidentally click through permissions on a malicious, already installed and privileged app.

With LineageOS the risk is that I will, with 100% certainty, run code that I have deemed malicious (== any service-facing client-side Google blob).

Maybe you haven’t decided those binaries are malicious, but that doesn’t change my opinion, and what I do with my phone isn’t your business.

I don’t see why certificate spoofing is controversial at all (especially amongst the “free as in freedom” crowd).

[cptskippy]

> Their system is explicitly for people that don’t trust Google.

Yes, and LineageOS is not. LinesageOS has an interest in maintaining the ability to run Google blobs and accepting such a patch might potentially harm that interest.

Instead of accepting that, this project acts all butt hurt and whines that LinesageOS's position is inconceivable.

[dcow]

NO! LineageOS has no agreement with Google to provide Play Services. In order to do that you have to literally pirate play services and install them on LineageOS. That, IMHO is a far greater concern than allowing a SYSTEM app (one that is built into the framework) to pretend to be google play services.

[cptskippy]

No one said they have an agreement. I said they didn't want to do anything to disrupt the status quo.

[aaomidi]

Well this isn't a normal OS that an everyday user uses?

There are people who don't want any binary blobs from Google on their devices.

[cptskippy]

And there are people who do want those blobs. LineageOS has chosen to err on the side of caution and not allow a patch that might prompt Google to take action.

[traverseda]

So what you're saying is that you believe the real reason this patch wasn't merged is because google might take action, and the security concerns are not as relevant? One might even call them a... shield?

[cptskippy]

Why can't it be both?

[Qwertious]

>People are 100% vigilant all the time.

I think you mean the reverse?

[mschwaig]

Someone built a location API or crypto API or whatever so that apps can use that data.

If there is a permission that violates the trust between the system and an app using aforementioned APIs all bets are off. This is similar to why rooted devices are bad for security.

[gjjrfcbugxbhf]

All bets are off for the owner of the device or the author of an app? Bad for who's security?

As a device owner and user I don't care for DRM style 'security' protecting app authors from me running my software on my computer.

[dcow]

Take a look at the actual technical rationale: https://blogs.fsfe.org/larma/2016/microg-signature-spoofing-...

I understand why this seems alarming to a bystander. But if you're still dubious go read the Gerrit reviews--it's pretty clear the CM team was unwilling to accept the patch because "it allows one app to impersonate another" not because it presents a security hole. The patch went through multiple iterations ending on one that means users would literally see a prompt:

  "microGapps is requesting permission FAKE_SIGNATURE to ..."

The point is that it's not a security concern _if the user allows it_. By definition.. it's tautologically impossible to classify such a scenario as a security concern if the user selects "this is not a security concern" when asked if they're concerned about about allowing microGapps to fake the google play services signature.

The microGapps team then asked "how would you propose we land on a solution so that we can provide an alternative to gapps while still checking the [x] security box? The CM team failed to provide any sort of compromise stating that allowing one app to impersonate another is not a feature they were willing to support on their platform.

So you see, it's not security that was the issue. The issue is that the CM team was unwilling to give users the freedom to allow the system to work as they want. What's infinitely ironic is that CM used to ship with root. It was the community fork "for the community by the community". It's not hard to correlate their sell out with their rollback on providing support for apps that need root and then irrational stance on letting some other thing be google play services.

The uGapps team is frustrated, but it's not petulant. It's very valid.

[jtmb]

LineageOS provides the root flashable zip for any of their ROMs.

I will read more into the security claims and concerns, and may be persuaded, but at first blush I support not spoofing application signatures, as this is the same sort of chain of trust that package managers and app stores are built on.

As a consumer, I appreciate that LineageOS with Google services passes most to all of the CTS/Safetynet checks, and doesn't make me choose between having an updated, streamlined version of Android, and using my bank app, or playing Pokemon Go.

I think merging these changes could easily jeopardize that and maintaining it as a fork makes sense to me.

[phh]

There is a security threat for the user, only if the user puts application inside its /system/priv-app folder.

If an application is in /system/priv-app, it can do pretty much anything anyway. Worse than that, a threat-model assuming an attacker can write in /system/priv-app, he can most likely write into the whole /system, and replace everything of Android, install Xposed, etc... So I totally agree that if the patch does what it says (I didn't read, but it's possible.), "no security threat is posed to our users".

Though an acceptable reason from LineageOS imo is "this will be used to circumvent protections (read SafetyNet), we don't want that"

[guelo]

Calling DRM "security" is bullshit and should be called out every time. It's not extra security for the user, it's security for someone else's revenue stream.

[craftyguy]

What are you talking about?

The comment above has to do with package signing, which is a security feature. It prevents malicious software from replacing legitimate programs on your device (e.g. a malicious "messages" app cannot overwrite the legit "messages" app you installed). It doesn't have anything to do with DRM.

[guelo]

Basically, Google built important Android OS APIs into proprietary libraries that check that the API-implementing library is signed by Google. This is done for DRM purposes to prevent users from using alternate services and to give Google leverage over manufacturers that use the "open" Android OS. It does not benefit users or provide them any extra security.

[kuschku]

The package signing is only circumventable if you already have write access to /system.

That's all the μG team is asking for: If you already have write access to the entire system, at least provide a simple API to circumvent the signatures.

[Sir_Cmpwn]

Maybe some of us don't want any kind of google services on their phone, open source or not?

[traverseda]

That how lineage ships by default. It's a bit of a pain and many other apps (even open source ones) won't work, since google is providing the library for those apps to do things like access your location.

[Sir_Cmpwn]

I'm able to access my location no sweat. The proprietary google track-and-upload-everywhere-you-go thing is an anti-feature, GPS alone works perfectly for me.

[madez]

Programs that require Google Services just plain suck. That's like a game that only runs if you have a mouse from Logitech or a document viewer that only supports printinf if you have a HP printer. Both would just suck and be shitty, borderline malicious programs.

[drampelt]

I don't know if that's a fair comparison since Google Services are running on the vast majority of Android devices (except in China) but Logitech or HP don't have that same market share for those respective products.

I get that it's annoying if you choose not to run Google Services. But from a developer perspective if 99.9% of their target market does run Google Services and they make development of the app easier or provide useful features, I can see why they would choose to rely on them.

[kuschku]

The problem is that Google has moved almost all Android features into Google apps.

You can't access the stepcounter directly anymore, only through Google Fit.

Most location features are only available through Google Play's location API.

You can't even get up-to-date openssl or OpenGL support in your app without Play Services.

[mcny]

The way they've done this basically has users begging for it though because the alternative would likely be excessive battery usage for some things and no updates for others. I'm on lineage but most people aren't fortunate enough to have nexus devices or don't know/care enough to run anything other than what comes with their device. I think moving everything possible to play services is helpful for them.

[larma]

If it was about the features, they could (and should) have released these bits as part of AOSP, as free software.

Not doing so reveals there actual reason: control. Forcing every manufacturer to ship Play Services and thus being able to force various things on their devices is a major financial benefit. It also ensured that Amazon or Nokia were unable to set up a commercially viable Android Fork without Google.

[Espionage724]

In that case, you can still have signature spoofing support built-into the ROM, but without microG, it just won't be used.

Signature spoofing only affects app you explicitly give permission to use it, and only apps that call for it.

[s73ver_]

But, isn't the whole point of this to access Google services? If you didn't want them on your phone, why are you still using them?

[Sir_Cmpwn]

No, I don't want to access Google services. I don't want microG on my phone. I don't want Google Play Services on my phone.

[dcow]

Then don't install it or uGapps. The point of uGapps it to provide an open-source implementation that can be audited so it's easier for you or me to decide if we want the code running on our phones.

[velobro]

Then don't get an Android phone?

[Sir_Cmpwn]

Why? AOSP doesn't talk to Google. All you need to do is not add shit to it.

[ksk]

Did you try understanding or asking them why they made those choices, and whether your interpretation is accurate?