[ForHackernews]

Not standard LineageOS, but LOS forks that provide microG in place of Google Apps have to support "signature spoofing" so that MicroG can impersonate the missing proprietary Google apps.

More details here: https://blogs.fsfe.org/larma/2016/microg-signature-spoofing-...

> I’d also like to point out a myths I heard regarding signature spoofing. Some people assume, that signature spoofing allows to break the Android signature security model and thus rogue applications can access private app storage. But in fact signature spoofing is only applied after installation if the permission was granted, it has no influence on the package manager security model.

[hiq]

Correct me if I'm wrong, but your quote then implies that it's still fine even with microg installed, right? So maybe OP is talking about something else? Or are you saying that they're misguided?

[ForHackernews]

I'm not enough of an expert to say for certain, and I'm not exactly sure what parent comment means when they accuse LineageOS of "destroying" the "Android security model", but from what I've read, concerns about signature spoofing are overblown - provided the user is very selective about what apps they grant spoofing powers to.