expand on Play services compatibility plans

2020-11-24 21:55:38 -05:00 · 2020-11-24 21:55:38 -05:00 · f7cd3591eb
commit f7cd3591eb
parent f195b74410
1 changed files with 31 additions and 7 deletions
--- a/static/index.html
+++ b/static/index.html
@ -127,13 +127,37 @@
            GrapheneOS, so a huge number of both open and closed source apps are already available
            for it.</p>

-            <p>Open APIs not tied to Google will continue to be implemented using open source
-            providers like the Seedvault backup app. Text-to-speech, voice-to-text, non-GPS-based
-            location services, geocoding, accessibility services, etc. are examples of other open
-            Android APIs where we need to develop/bundle an implementation based on existing open
-            source projects. Compatibility with apps depending on Google APIs / services will be
-            improved by implementing them in a way that pretends Google has stopped existing and
-            the servers are unavailable.</p>
+            <p>AOSP APIs not tied to Google but that are typically provided via Play services will
+            continue to be implemented using open source providers like the Seedvault backup app.
+            Text-to-speech, voice-to-text, non-GPS-based location services, geocoding,
+            accessibility services, etc. are examples of other open Android APIs where we need to
+            develop/bundle an implementation based on existing open source projects. GrapheneOS is
+            not going to be implementing these via a Google service compatibility layer because
+            these APIs are in no way inherently tied to Google services.</p>
+
+            <p>We're developing support for installing microG as a regular app without any special
+            privileges. This will allow users to choose to use a partial reimplementation of Play
+            services in a specific profile. We won't be supporting arbitrary signature spoofing by
+            microG or any other app since it seriously compromises the OS security model. Guarding
+            it by a permission isn't enough, both because users don't understand the substantial
+            impact on the security model and it weakens security for the verified boot threat
+            model where persistent state such as granted permissions is controlled by an attacker.
+            Instead, the OS will specifically make microG signed with our microG signing key
+            appear to other apps as signed with the Google Play services key. It won't bypass any
+            other signature checks, only a check for Play services, and other apps also won't be
+            able to pretend to be Play services to intercept FCM messages, obtain Google
+            credentials, etc. It will not be granted any privileged permissions or other special
+            capabilities unavailable to a regular untrusted app.</p>
+
+            <p>In the longer term, we also plan to offer a more minimal compatibility layer which
+            pretends that Google services are offline rather than implementing them. Users will
+            have the choice between no implementation of Play services, microG and this minimal
+            implementation not implementing Google services. This choice will be available because
+            we won't be bundling any of this into the OS. Ideally, Google themselves would support
+            installing the official Play services as a regular Android app, rather than taking the
+            monopolistic approach of forcing it to be bundled into the OS in a deeply integrated
+            way with special privileged permissions and capabilities unavailable to other cloud
+            service providers competing with them.</p>

            <h2 id="history">
                <a href="#history">History</a>