expand on Play services compatibility plans

This commit is contained in:
Daniel Micay 2020-11-24 21:55:38 -05:00
parent f195b74410
commit f7cd3591eb

View File

@ -127,13 +127,37 @@
GrapheneOS, so a huge number of both open and closed source apps are already available
for it.</p>
<p>Open APIs not tied to Google will continue to be implemented using open source
providers like the Seedvault backup app. Text-to-speech, voice-to-text, non-GPS-based
location services, geocoding, accessibility services, etc. are examples of other open
Android APIs where we need to develop/bundle an implementation based on existing open
source projects. Compatibility with apps depending on Google APIs / services will be
improved by implementing them in a way that pretends Google has stopped existing and
the servers are unavailable.</p>
<p>AOSP APIs not tied to Google but that are typically provided via Play services will
continue to be implemented using open source providers like the Seedvault backup app.
Text-to-speech, voice-to-text, non-GPS-based location services, geocoding,
accessibility services, etc. are examples of other open Android APIs where we need to
develop/bundle an implementation based on existing open source projects. GrapheneOS is
not going to be implementing these via a Google service compatibility layer because
these APIs are in no way inherently tied to Google services.</p>
<p>We're developing support for installing microG as a regular app without any special
privileges. This will allow users to choose to use a partial reimplementation of Play
services in a specific profile. We won't be supporting arbitrary signature spoofing by
microG or any other app since it seriously compromises the OS security model. Guarding
it by a permission isn't enough, both because users don't understand the substantial
impact on the security model and it weakens security for the verified boot threat
model where persistent state such as granted permissions is controlled by an attacker.
Instead, the OS will specifically make microG signed with our microG signing key
appear to other apps as signed with the Google Play services key. It won't bypass any
other signature checks, only a check for Play services, and other apps also won't be
able to pretend to be Play services to intercept FCM messages, obtain Google
credentials, etc. It will not be granted any privileged permissions or other special
capabilities unavailable to a regular untrusted app.</p>
<p>In the longer term, we also plan to offer a more minimal compatibility layer which
pretends that Google services are offline rather than implementing them. Users will
have the choice between no implementation of Play services, microG and this minimal
implementation not implementing Google services. This choice will be available because
we won't be bundling any of this into the OS. Ideally, Google themselves would support
installing the official Play services as a regular Android app, rather than taking the
monopolistic approach of forcing it to be bundled into the OS in a deeply integrated
way with special privileged permissions and capabilities unavailable to other cloud
service providers competing with them.</p>
<h2 id="history">
<a href="#history">History</a>