update Play services compatibility app roadmap

2021-02-10 19:50:45 -05:00 · 2021-02-10 19:50:45 -05:00 · 68e68fb1b0
commit 68e68fb1b0
parent a2fe953515
1 changed files with 42 additions and 35 deletions
--- a/static/index.html
+++ b/static/index.html
@ -84,44 +84,51 @@
            <section id="never-google-services">
                <h2><a href="#never-google-services">No Google apps or services</a></h2>
-                <p>GrapheneOS will never include either Google Play services or another implementation
+                <p>GrapheneOS will never include either Google Play services or another
-                of Google services like microG. Those are not part of the Android Open Source Project
+                implementation of Google services like microG. Those are not included in the
-                and are not required for baseline Android compatibility. Apps designed to run on
+                Android Open Source Project and are not required for baseline Android
-                Android rather than only Android with bundled Google apps and services already work on
+                compatibility. Apps designed to run on Android rather than only Android with
-                GrapheneOS, so a huge number of both open and closed source apps are already available
+                bundled Google apps and services already work on GrapheneOS, so a huge number of
-                for it.</p>
+                both open and closed source apps are already available for it.</p>
-                <p>AOSP APIs not tied to Google but that are typically provided via Play services will
+                <p>AOSP APIs not tied to Google but that are typically provided via Play services
-                continue to be implemented using open source providers like the Seedvault backup app.
+                will continue to be implemented using open source providers like the Seedvault
-                Text-to-speech, speech-to-text, non-GPS-based location services, geocoding,
+                backup app. Text-to-speech, speech-to-text, non-GPS-based location services,
-                accessibility services, etc. are examples of other open Android APIs where we need to
+                geocoding, accessibility services, etc. are examples of other open Android APIs
-                develop/bundle an implementation based on existing open source projects. GrapheneOS is
+                where we need to develop/bundle an implementation based on existing open source
-                not going to be implementing these via a Google service compatibility layer because
+                projects. GrapheneOS is not going to be implementing these via a Google service
-                these APIs are in no way inherently tied to Google services.</p>
+                compatibility layer because these APIs are in no way inherently tied to Google
                services.</p>
-                <p>We're developing support for installing microG as a regular app without any special
+                <p>We're developing a minimal Play services compatibility layer as a regular app
-                privileges. This will allow users to choose to use a partial reimplementation of Play
+                without any special privileges. The app will provide a stub implementation of the
-                services in a specific profile. We won't be supporting arbitrary signature spoofing by
+                entire Play services API pretending the servers are down and the functionality is
-                microG or any other app since it seriously compromises the OS security model. Guarding
+                unavailable. It will always be disabled by default since apps will detect Play
-                it by a permission isn't enough, both because users don't understand the substantial
+                services is available and will try to use it rather than alternatives. As an
-                impact on the security model and it weakens security for the verified boot threat
+                example, Signal would try to use a non-functional FCM implementation rather than
-                model where persistent state such as granted permissions is controlled by an attacker.
+                their own server push implementation. The intention is that users will only enable
-                Instead, the OS will specifically make microG signed with our microG signing key
+                this in profiles dedicated to running apps with an unnecessary hard dependency on
-                appear to other apps as signed with the Google Play services key. It won't bypass any
+                Play services. We'll likely prevent enabling it in the owner profile to help users
-                other signature checks, only a check for Play services, and other apps also won't be
+                avoid those kinds of pitfalls.</p>
                able to pretend to be Play services to intercept FCM messages, obtain Google
                credentials, etc. It will not be granted any privileged permissions or other special
                capabilities unavailable to a regular untrusted app.</p>
-                <p>In the longer term, we also plan to offer a more minimal compatibility layer which
+                <p>Our Play services app won't have any special privileges or whitelisting in the
-                pretends that Google services are offline rather than implementing them. Users will
+                OS like Play services or microG. There will be no support for bypassing arbitrary
-                have the choice between no implementation of Play services, microG and this minimal
+                signature checks like the microG signature spoofing patch since it substantially
-                implementation not implementing Google services. This choice will be available because
+                compromises the OS security model and breaks other security features like verified
-                we won't be bundling any of this into the OS. Ideally, Google themselves would support
+                boot. Instead, our app will be signed with a GrapheneOS Play services key and the
-                installing the official Play services as a regular Android app, rather than taking the
+                only OS support for the app will be presenting the GrapheneOS Play services key as
-                monopolistic approach of forcing it to be bundled into the OS in a deeply integrated
+                the Google Play services key.</p>
-                way with special privileged permissions and capabilities unavailable to other cloud
+
-                service providers competing with them.</p>
+                <p>Ideally, Google themselves would support installing the official Play services
                as a regular Android app, rather than taking the monopolistic approach of forcing
                it to be bundled into the OS in a deeply integrated way with special privileged
                permissions and capabilities unavailable to other service providers competing with
                them. Even though we would never include it in GrapheneOS, it would be great if
                users did have the option to install Play services as a regular app in specific
                profiles. It's unfortunate that the approach taken to it is so deeply integrated
                and anti-competitive. GrapheneOS users can still choose to use Google services if
                they choose, but largely only via a browser. A few of their apps like Google Maps
                do work with reduced functionality without Play services but most won't.</p>
            </section>
            <section id="history">