diff --git a/static/index.html b/static/index.html index 077ab27f..d3f1d813 100644 --- a/static/index.html +++ b/static/index.html @@ -127,13 +127,37 @@ GrapheneOS, so a huge number of both open and closed source apps are already available for it.

-

Open APIs not tied to Google will continue to be implemented using open source - providers like the Seedvault backup app. Text-to-speech, voice-to-text, non-GPS-based - location services, geocoding, accessibility services, etc. are examples of other open - Android APIs where we need to develop/bundle an implementation based on existing open - source projects. Compatibility with apps depending on Google APIs / services will be - improved by implementing them in a way that pretends Google has stopped existing and - the servers are unavailable.

+

AOSP APIs not tied to Google but that are typically provided via Play services will + continue to be implemented using open source providers like the Seedvault backup app. + Text-to-speech, voice-to-text, non-GPS-based location services, geocoding, + accessibility services, etc. are examples of other open Android APIs where we need to + develop/bundle an implementation based on existing open source projects. GrapheneOS is + not going to be implementing these via a Google service compatibility layer because + these APIs are in no way inherently tied to Google services.

+ +

We're developing support for installing microG as a regular app without any special + privileges. This will allow users to choose to use a partial reimplementation of Play + services in a specific profile. We won't be supporting arbitrary signature spoofing by + microG or any other app since it seriously compromises the OS security model. Guarding + it by a permission isn't enough, both because users don't understand the substantial + impact on the security model and it weakens security for the verified boot threat + model where persistent state such as granted permissions is controlled by an attacker. + Instead, the OS will specifically make microG signed with our microG signing key + appear to other apps as signed with the Google Play services key. It won't bypass any + other signature checks, only a check for Play services, and other apps also won't be + able to pretend to be Play services to intercept FCM messages, obtain Google + credentials, etc. It will not be granted any privileged permissions or other special + capabilities unavailable to a regular untrusted app.

+ +

In the longer term, we also plan to offer a more minimal compatibility layer which + pretends that Google services are offline rather than implementing them. Users will + have the choice between no implementation of Play services, microG and this minimal + implementation not implementing Google services. This choice will be available because + we won't be bundling any of this into the OS. Ideally, Google themselves would support + installing the official Play services as a regular Android app, rather than taking the + monopolistic approach of forcing it to be bundled into the OS in a deeply integrated + way with special privileged permissions and capabilities unavailable to other cloud + service providers competing with them.

History
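Review bot: In the added microG paragraph, the sentence "Guarding it by a permission isn't enough, both because users don't understand the substantial impact on the security model and it weakens security for the verified boot threat model" has broken parallel structure. The second reason needs its own "because", i.e. "and because it weakens security for the verified boot threat model". In the same paragraph, "make microG signed with our microG signing key appear to other apps as signed with the Google Play services key" is hard to parse on first read; "make builds of microG signed with our microG signing key appear ..." would make clear that the exception is tied to that one key. In the last added paragraph, "this minimal implementation not implementing Google services" is circular wording; reusing the phrasing from the sentence before it, such as "this minimal layer that pretends Google services are offline", reads more clearly. The first added paragraph also opens with "AOSP APIs" and then refers to "other open Android APIs" for what appears to be the same set, so pick one term.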