New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add user-install microG User Services #2188
base: master
Are you sure you want to change the base?
Conversation
@p1gp1g |
@@ -36,6 +36,7 @@ | |||
import static android.os.Build.VERSION.SDK_INT; | |||
import static android.os.Build.VERSION_CODES.ICE_CREAM_SANDWICH; | |||
import static org.microg.gms.common.Constants.GMS_PACKAGE_NAME; | |||
import static org.microg.gms.common.Constants.MICROG_GMS_PACKAGE_NAME; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't be better something like USER_GMS_PACKAGE_NAME?
Both are still microG.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
Now it fails build:
|
I've not tested locally, but it should build now. I'll rebase to fix the commit into the previous one later.
IIRC signature spoofing works only for system app, so microG (system) should have a different signature. I think we should test this case. A few things should be done on the UI for the user services:
|
microG Services can be installed as a user / non-system app already. (If that's not possible on GrapheneOS that might be a GrapheneOS specific issue and would be interesting to analyze that.) As a matter of fact, I personally run microG as a user app myself (using my homebrowed OS that's just very few modifications on top of AOSP). Many systems would not allow signature spoofing when installing microG as a user app. While signature spoofing might be restricted to system apps on systems that come with microG, that doesn't mean it needs to be. DivestOS for example supports signature spoofing for microG running as a user app. Signature spoofing does not have an impact on any (security) feature of the OS that are signature specific (like signature shared permission declarations). Signature spoofing only affects apps that ask the OS for the signing certificate of an app - which essentially is only the play services client library, because use of that OS feature is discouraged by Google for being insecure as a security mechanism (it's possible to run race attacks against it) and unsuitable for anything else. Some OS include modified or resigned versions of microG Services. Those obviously have a different signature and can't be upgraded from the original microG package. Otherwise, I would nornally expect both variants to be signed using the same signing key, so that it's easy for users to verify. To prevent users from installing both, we can and probably should just display appropriate messages when the user does so. Reworking the self-check has been on my list for some time already, so this could become part of it. Given what I wrote I think the branding as "microG User Services" is very much misleading. We should come up with another name before publishing this. Something along the lines of "microG Services without Google Play Services compatibility", which would be more descriptive but not a nice name ;) |
I'll use CGAG for services with id com.google.android.gms and OMG to talk about services with id org.microg.gms.
TIL about DivestOS doing it. A user installing OMG when CGAG is already installed should not be an issue since CGAG has always the priority. The main issue is :
Note that the 2nd issue is already there. So. Maybe we should add a dialog to CGAG:
It isn't important if both is installed, CGAG takes the priority.
I know, that's a temporary name :) microG Minus Services ? |
Signature spoofing has no impact here.
|
Sorry, I missed that point, I've edited the previous comment |
d304a7d
to
af11563
Compare
The last commit introduced a function to remember the service used by the application. That way, if I use the embedded core, then the app won't use an external one after OMG/CGAG install. For instance, CCTG won't lose its data. Also, I adds a check to be sure microG/Play services is legit to reduce risks of malicious app branded as another. It assures the service
I think this is important because: if a user doesn't have play services/microG with id com.google.android.gms (big if), a malicious app installed with id com.google.android.gms, branded has another service (a cooking app for instance), may use the FIDO service to get access to some services: PS: I don't think the CI Out Of Memory error is related to this PR, isn't it ? Could it be restarted ? |
Quote:
Isn't this simpler? |
Instead of the resValue package_id ? I've done that because I don't know if that's possible to use it in the activity's xml. |
Yes, for the microG self check it should be the simplest way (it also avoid passing context), for other cases I don't know; I don't have time to try currently. |
In |
You mean the check in function |
The packageId must be shared with a resValue if it used in resource files (eg. https://stackoverflow.com/questions/57074999/get-application-id-in-xml-dynamically) |
af11563
to
07c9829
Compare
I have renamed the services microG Minus Services, this will be less confusing. Feel free to change the name I have also added a dialog on first run to inform the user that this flavor is only compatible with microG libraries, I hope it will reduce users misunderstanding. |
(JFTR, since it was discussed earlier, there is now a major ROM allowing signature spoofing as user app: https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/383573) |
I'm OK to check the microG signature (or Google Play signature) instead of controlling the application name: https://github.com/microg/GmsCore/pull/2188/files#diff-4fe7d2cf47e0e66eec592e3286e77a70323b66a82f5d43bfe7f903623230525dR77 . I've done that because some other project may want to fork microG/reimplement (I've seen one exists). I can change it if you want |
@ArchangeGabriel |
But this PR introduces 2 things too:
|
Many ROMs ship a custom microG with a different signature, so a signature check isn't a good thing. |
I don't think this name check is really necessary or a good idea. I would prefer if forks of microG would not call themselves microG (to not confuse users), but this reinforces them to actually have microG in their name. I personally don't think apps taking over the package name is a huge risk as there is a ton of other ways that malware could affect your system if you install apps blindly from untrusted source. But anyway, I'd propose to do at most the following: Doesn't need to be part of this pull request though. |
I know, I was just replying to:
from @p1gp1g, even though @mar-v-in already addressed that with:
I was just wanting to point out that allowing signature spoofing as user app just become suddenly much more common. ;) |
7af7d59
to
b399e09
Compare
I'm OK with that. I've set a signature check, tested with Google Play, if someone can test it with microG. I've started to look into the user confirmation when the signature doesn't match, it introduces 2 main changes:
I think the user confirmation can fit another PR, but I need to know what's your way to deal with those 2 points :) |
a46ff9a
to
91f9ff9
Compare
I've changed the new app name to microG Limited Services. There is already a dialog explaining how it is different from the regular one. I think this should be clear enough for the users microG lib will now connect to the PlayServices if:
I think this is enough for any fork to work. In addition, a user interaction to use CGAG or OMG with other signatures (user installed) is still good to implement |
@mar-v-in Is it possible to add it to the next milestone ? |
@mar-v-in What is missing for this PR to be merged ? I've seen you have changed the milestone but the PR is ready and nothing seems blocking. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for not replying yet. I didn't have a lot of time to do testing yet, so this round of review is only on the code. While it looks as if it should work fine, I want to at least run this once before merging.
|
||
public class MultiConnectionKeeper { | ||
private static final String TAG = "GmsMultiConKeeper"; | ||
private static final String PREF_MASTER = "GmsMultiConKeeper"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The preference file name should be properly scoped to ensure there won't be conflicts with the app using the library. Use a name like org.microg.gms_connection
instead. Also would be preferably to call the constant PREFERENCES_FILE_NAME
or similar.
|
||
public class MultiConnectionKeeper { | ||
private static final String TAG = "GmsMultiConKeeper"; | ||
private static final String PREF_MASTER = "GmsMultiConKeeper"; | ||
private static final String PREF_TARGET = "GmsMultiConKeeper_target"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The preference name is already scoped through the file name (PREF_MASTER
), so for readability I think it would be preferably to not prefix the preference name with the file name.
@@ -21,9 +21,11 @@ | |||
public class Constants { | |||
public static final int GMS_VERSION_CODE = (BuildConfig.VERSION_CODE / 1000) * 1000; | |||
public static final String GMS_PACKAGE_NAME = "com.google.android.gms"; | |||
public static final String MICROG_PACKAGE_NAME = "org.microg.gms"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rename to USER_MICROG_PACKAGE_NAME
or similar.
SharedPreferences prefs = getSharedPreferences(FirstRunMaster, MODE_PRIVATE); | ||
if (BuildConfig.APPLICATION_ID == Constants.MICROG_PACKAGE_NAME && | ||
prefs.getBoolean(FirstRunPref, true)) { | ||
AlertDialog.Builder builder = new AlertDialog.Builder(this); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use buildAlertDialog()
from org.microg.gms.ui.buildAlertDialog
(which will use Material design when applicable)
private static final String FirstRunMaster = "FirstRun"; | ||
private static final String FirstRunPref = "FirstRun_pref"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Constants are all caps
private static final String FirstRunMaster = "FirstRun"; | ||
private static final String FirstRunPref = "FirstRun_pref"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As above, don't prefix the preference name with the file name
private static MultiConnectionKeeper INSTANCE; | ||
|
||
private final Context context; | ||
|
||
private final String gmsPackage; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
targetPackage
would be a better name IMO.
|
||
private String getTargetPackage() { | ||
SharedPreferences prefs = context.getSharedPreferences(PREF_MASTER, Context.MODE_PRIVATE); | ||
final String SELF = "SELF"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of special handling for SELF
/ null
, you can just use context.getPackageName()
(both in the preference and returned from getTargetPackage()
and extend isMicrog()
to return true if the service's package name is the current package name (because the service won't be found inside the same package if it's not microG)
Move default config out of flavors
29e662f
to
0d911b5
Compare
0d911b5
to
ffb5815
Compare
Following discussion on #2183 (which may be closed ? Superseded by this one)
@mar-v-in @ale5000-git
I have tested, and org.microg.gms can't be installed on a system with com.google.android.gms (Google or microG) because of duplicate permission.
I have used the dimension 'target' for the user flavor, I think that's the one to use.