Do not really understand how Android sandboxing works for system apps.

  • sir_reginald@lemmy.world · ↑80 ↓6 · 2 years ago

    The answer is yes, unless you’re on GrapheneOS. Google Services is a privileged app and therefore it can bypass permissions as it sees fit.

    GrapheneOS (optionally) installs it as an unprivileged app, whose permissions you can restrict. Still, I wouldn’t recommend installing it since they have extensive telemetry.

      • sir_reginald@lemmy.world · ↑3 · 2 years ago

        What’s the purpose of not giving it network permissions? You won’t be able to install apps, use push notifications or any other major functionality.

        I could be missing something, of course.

        • AlpacaChariot@lemmy.world · ↑3 · 2 years ago

          Google Services Framework is a load of libraries for other apps to use; Google Play Store is something else on top.

          Apps can depend on one or both.

    • FarLine99@lemm.ee (OP) · ↑6 ↓1 · 2 years ago

      I wouldn’t be so sure about the possibility of a bypass. I’ve heard that system applications have more privileges, but sandboxing is still active and permissions work for them.

      • maeries@feddit.de · ↑16 · 2 years ago

        Wasn’t there news a couple of years ago that Google tracked your location even if you had location turned off?

        • FarLine99@lemm.ee (OP) · ↑4 ↓1 · 2 years ago

          You can’t disable the location permission for Google Services, so that’s obvious. But microphone/camera permissions can be disabled, that’s why I’m wondering.

          • miss_brainfart@lemmy.ml · ↑9 · 2 years ago

            You can even turn off sensors in Android’s developer options, but your dialer app, for example, will still be able to use your microphone.

            As long as the hardware isn’t physically disconnected, you kinda have to assume it can be used and abused.

      • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one · ↑4 · 2 years ago

        I’m rooted with GSF, revoking some permissions forcibly from Play Services (most notably location access) causes the device to reboot, and the permission gets restored forcibly.

        This never used to happen previously (the permission used to get revoked successfully, and things like Google Timeline would act as if your device had disappeared despite location being enabled). I assume a background update implemented this permission recovery mechanism - I’ve since disabled Play Store on my device and slowly been culling off my usage of other Google apps.

      • The Hobbyist@lemmy.zip · ↑4 ↓2 · 2 years ago (edited)

        There really should be no doubt that a system application can have unlimited and unrestricted access to everything, bypassing all security and sandboxing. That is the extent of the meaning of system app. It’s like having root privileges, admin access.

        Whether Google makes use of it or not is something else, but it could be exploiting that privilege, and with Google’s history and the fact that the distributed version of Android which contains the Google services pre-installed is a custom version of Android of which you’ll never see the source code, you really have to ask yourself.

        That’s why GrapheneOS is so important: you are the user and you get to control how Android works, the way it actually should, where if you install Google services (which is up to you!) it gets installed under your terms and with your permissions.

        Edit: correcting a misinformed message and the irrelevant follow-up. More clarification on system apps here: https://developer.android.com/guide/platform/

        • TheAnonymouseJoker@lemmy.ml · ↑2 · 2 years ago

          Tell me how you know nothing about how Android works, without telling me you know nothing about how Android works. Speak authoritatively once you learn beyond what r/privacy comments tell you.

          • The Hobbyist@lemmy.zip · ↑2 · 2 years ago (edited)

            Would you care to put any weight behind your accusation?

            The main issue I’m trying to expose is that any custom distribution by an OEM can implement any app/service the way they want. The Android source code is available, and any access and permission can be obtained depending on how you implement it in the source code. You can even weaken the security if you want. Any distribution by these OEMs is a secret sauce; you have no way of knowing what shenanigans they are pulling on your phone.

            So yes, they can get root access if that’s what they want.

            This is not to say they do. I’m just saying we have no way of knowing how things are implemented and hence why open source is so fundamental to security.

            Edit: I concede that the strict definition of what is considered a system app does not provide these accesses. I’m saying any custom distribution with built-in apps may have been customized to allow for these things to happen. Perhaps this is where we may have misunderstood each other.

            • TheAnonymouseJoker@lemmy.ml · ↑2 ↓1 · 2 years ago

              No package in Android has the ability to bypass the app permission system (introduced with 4.4 KitKat), unless there is an expensive or undiscovered 0day (that allows Pegasus to work), or some malicious “Administrator” user installed onto the device allowing it to accomplish this. This covers both system and userspace packages. GMS is no different. There exists no evidence for what you claim.

              > Any distribution by these OEMs is a secret sauce, you have no way of knowing what shenanigans they are pulling on your phone.

              Would you care to put your weight behind your claims? If I have to spot a half knowledge person, I just need to spot anyone cheering about GrapheneOS being some kind of revolutionary AOSP fork.

              Android, including its OEM and AOSP forks, is fairly deterministic and not some Madagascar jungle with man-eating plants and magical evil vines.

              Just stop blabbering these buzzword phrases, “opensource=security”, “grapheneos gud”, to fuel your confirmation biases.

      • Psythik@lemm.ee · ↑1 · 2 years ago

        It absolutely can. It took a screenshot of what I was doing without my permission. The only reason I found out was because it was for a survey they were doing. So I wouldn’t be surprised if they’re doing it all the time without me knowing.

      • Skimmer@lemmy.zip · ↑14 · 2 years ago (edited)

        No, they meant that Google Play Services has telemetry.

        Basically, GrapheneOS makes it much safer to use Google Play Services if you have to use it, though it still isn’t entirely safe and should generally be avoided where possible.

    • TheAnonymouseJoker@lemmy.ml · ↑3 ↓3 · 2 years ago

      Nonsense and FUD. Google Services is unable to bypass the permission system in Android, just like any other package. GrapheneOS is a fork of AOSP and is no different than AOSP custom ROMs in its core framework.

    • FarLine99@lemm.ee (OP) · ↑16 · 2 years ago

      Thanks. I wouldn’t be able to check it myself, because I’m using microG :D

    • The Hobbyist@lemmy.zip · ↑17 ↓2 · 2 years ago

      “Good” really depends on what you’re after. Do not use CalyxOS if you care about security. They are regularly and significantly behind in implementing security patches. You are in some way more vulnerable with CalyxOS than regular Android on a Pixel, because you would get security updates faster on a Pixel. Additionally, the network permission of GrapheneOS is a paramount security and privacy feature. Also, GrapheneOS takes over all location service requests even if you use Google services, making sure that even if Google services are installed, Google only gets location info whenever the location request is for the Google services, not all/any services or apps on your phone. There are additional points too, but CalyxOS, while I don’t want to bash them, should not be considered a secure OS the same way GrapheneOS is.

      • Possibly linux@lemmy.zip · ↑3 ↓11 · 2 years ago

        The problem with GrapheneOS is that it is unethical. I want my device to be fully free, or as free as it possibly can be. Graphene doesn’t seem to care about that.

        Calyx is a bit better because it is a little stricter on software. Probably the best solution is to only install the apps you need and only get them from F-Droid.

        • shabi@lemmy.fenbushi.site · ↑11 ↓2 · 2 years ago

          How is GrapheneOS unethical? How isn’t it as free as CalyxOS? Basically everything they add to the OS can be disabled. Personally, I’d say GrapheneOS and CalyxOS are the same in this regard.

          How is CalyxOS stricter on software? With GrapheneOS, a user can opt to only use F-Droid to install everything too if they wanted to.

      • Possibly linux@lemmy.zip · ↑4 · 2 years ago

        DivestOS is much more free in terms of software freedom. They minimize binary blobs and keep everything clean. They also maintain the Mull browser.

        • TheAnonymouseJoker@lemmy.ml · ↑3 ↓1 · 2 years ago

          The DivestOS dev bans anyone that criticises GrapheneOS on the orders of Daniel Micay. An excerpt from my GrapheneOS exposé a few months ago:

          DIVESTOS DEVELOPER BANNING ME ON MICAY’S ORDERS OTHERWISE HE WILL INITIATE A SOCIAL MEDIA HARASSMENT CAMPAIGN AGAINST DIVESTOS

          Yes, this happened, and this is my favourite part as far as everything the GrapheneOS head/mods have done to date. As dramatic as it sounds, Micay in real time, in DivestOS’ XMPP chatroom, was accusing me of the typical “harassment ringleader campaign” BS, and ordered the DivestOS/Mull developer (these are his aliases) SubZer0Carnage/Tad/SkewedZeppelin that if I was not banned immediately, DivestOS and him would face a targeted social media campaign and DivestOS would have to forcibly pull off any borrowed GrapheneOS code. The DivestOS developer dusted his hands off me, since he does not like me apparently for liking some closed source software and he benefits off of the crybully. Also, unlike the crybully, I have never harassed or harmed anyone because I have a moral conscience to not be an abusive asshole on the internet, so he will face no issues on my end.

          Screenshot 1: https://i.imgur.com/Al65uTZ.jpg

          Screenshot 2 continuation: https://i.imgur.com/mT8W9pa.jpg

            • miss_brainfart@lemmy.ml · ↑2 · 2 years ago

              The only problem I have with it is one I have with Custom ROMs in general:

              The Camera API to make use of all the lenses modern phones have. There is one single app that can somewhat hook into it for me to use my second lens, and it’s extremely unstable to the point of being functionally useless.

    • JackGreenEarth@lemm.ee · ↑6 · 2 years ago

      Everyone talks about custom ROMs; it’s so fucking annoying that not a single one is supported on my Motorola G73. The next phone I’m getting is a Fairphone, and I’ll dual boot a custom Android ROM and postmarketOS.

    • Skimmer@lemmy.zip · ↑6 ↓1 · 2 years ago (edited)

      I recommend checking this table out.

      CalyxOS misses the mark imo. It does a couple things well (such as its improved Dialer app, and the ability for hotspots/tethered devices to be able to use the phone’s VPN/Tor) that I hope to see other projects adopt, but beyond that, it just doesn’t seem to stack up.

      I’m not trying to bash them or anything because at the end of the day, they clearly have good intentions which I can respect, but I do hope they improve on a lot of things, because in its current state, CalyxOS just doesn’t even compare to GrapheneOS or DivestOS.

      • nosnahc@jlai.lu · ↑2 · 2 years ago

        The only thing which stops me from installing Graphene is that I need some apps that I’m not sure will work with this OS.

        • Skimmer@lemmy.zip · ↑3 · 2 years ago

          GrapheneOS has pretty much perfect app compatibility. I don’t think I’ve ever run into an issue in around a year of using it as my daily driver.

          Most apps function without Play Services, but you may lose some functionality like notifications, and a couple apps do very rarely genuinely break. But, that’s where Sandboxed Play Services comes in, which you can even put in an entirely separate user profile if you want to, so that you can still safely use those apps.

          But yeah, I’ve personally had no issues with app compatibility. Even my bank app works perfectly on Graphene (didn’t even require Play Services either!).

  • TheAnonymouseJoker@lemmy.ml · ↑15 · 2 years ago

    No, and there exists no evidence that if you disable the permissions via AOSP app permission system (hidden AppOps or the app settings GUI we commonly use) for any Android package, there will be some mysterious spooky force that will bypass it. Unless there is a 0day (that allows Pegasus to work) that allows some form of privilege escalation without user prompt, or if there is some kind of malicious “Administrator” user (work MDM or such) installed on the device, there exists no method on Android to accomplish this. This covers both system and user space packages, and also covers Google’s GMS packages.

    There will always be some form of prompt, for example in SafetyNet based apps that require you to, and show an “Enable Google Play Services” popup upon opening such apps, and even past that, the permissions need to be enabled for the app to be able to do anything with camera, mic, sensors and so on.

    Source: I am the author of the well known non-root smartphone guide. https://lemmy.ml/post/128667

    • FarLine99@lemm.ee (OP) · ↑1 ↓1 · 2 years ago (edited)

      Edit: guys, check the comments in this tree below. There is a solution to use GApps privately with permission revoking through Shizuku, and it actually works; I checked it myself :D

      Seems like it is true information, but GServices has another way to bypass permissions. Check this comment.

      • TheAnonymouseJoker@lemmy.ml · ↑2 · 2 years ago

        There are prerequisites to what that commenter suggests. You have to have the phone rooted and unlocked, and Google allowed all the permissions, something which can be dealt with using the AppOps mechanism (the real AOSP permission system beneath the GUI). It is not possible for any package to do whatever it wants, if the internal app permissions have been neutered. Evidence to the contrary, or real life example capable of being replicated, simply does not exist to date.

        • FarLine99@lemm.ee (OP) · ↑1 ↓1 · 2 years ago

          The problem is that GServices can’t work without these permissions; they crash. So the phone becomes mostly pointless.

          • TheAnonymouseJoker@lemmy.ml · ↑2 · 2 years ago (edited)

            How does it crash? I neutered its permissions long before ProtonAOSP/GrapheneOS made “sandboxed play services” concept known to privacy community. SafetyNet apps work ideally for me, and the only data that Google can siphon off of me is the IP address and the CTS attestation keys for GMS certification verification purpose. Normally, GMS takes location, sensor data, storage/installed apps scanning and dozens of other metrics every 7 minutes.

            • FarLine99@lemm.ee (OP) · ↑1 · 2 years ago

              Sorry, what’s the way to do it? Manually editing config files? Or some app? App Manager from GitHub, for example, can’t do it.

              • TheAnonymouseJoker@lemmy.ml · ↑1 · 2 years ago

                This can be done on any Android, regardless of root or bootloader unlock status, on versions after Nougat 7.0. You use Shizuku from F-Droid (requires root or USB debugging via PC), and install AppOps from the same developer’s website. You can manipulate any and all permissions for both main and work profile apps. This is the AppOps core mechanism of AOSP that supersedes the permissions GUI that people normally use.

                There is a weaker option via ADB with AppOpsX, but I prefer the superior Shizuku method for additional work profile control.
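The Shizuku/AppOps apps described above manipulate the same per-package AppOps modes that `adb shell appops get <package>` prints, so a revocation can be verified from a PC. The checker below is an added example, not the commenter’s tool: it parses a constructed sample of that output (format assumed to be `OP_NAME: mode; ...` per line, with unlisted ops in the `default` mode, which falls back to the runtime permission state) and reports the sensitive ops that are still usable.

```python
import re
import subprocess  # only used by live_check(), which needs adb on PATH

# AppOps op names for the capabilities discussed in the thread
# (location, camera, microphone, storage, sensors).
SENSITIVE_OPS = {
    "COARSE_LOCATION", "FINE_LOCATION", "CAMERA", "RECORD_AUDIO",
    "READ_EXTERNAL_STORAGE", "BODY_SENSORS",
}

# One op per line, as `appops get` prints it (assumed format):
#   CAMERA: allow; time=+1h2m ago; duration=+4s
_OP_LINE = re.compile(r"^\s*([A-Z_]+):\s*(allow|ignore|deny|default|foreground)\b")

# Constructed sample output; not captured from a real device.
SAMPLE_OUTPUT = """\
COARSE_LOCATION: ignore; rejectTime=+3m12s ago
FINE_LOCATION: ignore; rejectTime=+3m12s ago
CAMERA: allow; time=+1h2m ago; duration=+4s
RECORD_AUDIO: deny
WAKE_LOCK: allow; time=+10s ago; duration=+2s
No operations.
"""


def parse_appops(output):
    """Map op name -> mode for every op line; other lines are ignored."""
    modes = {}
    for line in output.splitlines():
        m = _OP_LINE.match(line)
        if m:
            modes[m.group(1)] = m.group(2)
    return modes


def still_allowed(output, sensitive=SENSITIVE_OPS):
    """Sorted (op, mode) pairs for sensitive ops the package can still use.

    'allow' and 'foreground' permit use outright; an op that is not printed
    at all is in 'default' mode, which defers to the runtime permission
    grant, so it is reported too. Only 'ignore' and 'deny' count as revoked.
    """
    modes = parse_appops(output)
    open_modes = ("allow", "foreground", "default")
    return sorted((op, modes.get(op, "default")) for op in sensitive
                  if modes.get(op, "default") in open_modes)


def live_check(package, adb="adb"):
    """Run the real command against a device authorised for USB debugging."""
    out = subprocess.run([adb, "shell", "appops", "get", package],
                         capture_output=True, text=True, check=True).stdout
    return still_allowed(out)


if __name__ == "__main__":
    for op, mode in still_allowed(SAMPLE_OUTPUT):
        print(f"{op}: {mode}")
```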

                • FarLine99@lemm.ee (OP) · ↑1 · 2 years ago

                  Thank you so much. I tried it, and all permissions were indeed revoked. Checked on the camera app - it works. THANK YOU!!!

  • onlinepersona@programming.dev · ↑10 · 2 years ago (edited)

    In order to have Google apps and Google services on an Android installation that doesn’t have them yet, you need to sideload them. LineageOS has a list of GApps zips, and here’s an example of how to install them for a Fairphone running LineageOS.

    If you look into the zip at /system/system_ext/etc/permissions/privapp-permissions-google-system-ext.xml, you can see all the permissions given to it as a system application.

    android.permission.RECOVERY, android.permission.MANAGE_USERS, android.permission.INTERACT_ACROSS_USERS stand out the most. These permissions allow the phone to be started, arbitrary apps to be installed and users to be created with new permissions.

    Google Services doesn’t need to have access to camera or any other component as it can install whatever it likes that has access to those.

    Let’s not kid ourselves, if you have Google Services installed, you have a rootkit installed with a bunch of proprietary code.

    Here’s the entire file for reference, and you can look up each permission individually to see what access will be given. Lemmy doesn’t handle XML in triple backticks well (at all).
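Since the file itself did not load in the thread, here is an added audit script (not the commenter’s) for the privapp-permissions allowlist format that file uses: it parses `<privapp-permissions package="...">` blocks with their `<permission>` and `<deny-permission>` children and reports which of the permissions the comment singles out are effectively granted. The XML is a constructed sample, not the real Google file, and `android.permission.INSTALL_PACKAGES` is included as an assumption standing in for the "arbitrary apps to be installed" capability.

```python
import xml.etree.ElementTree as ET

# Privileged permissions the comment above calls out as the most
# consequential. INSTALL_PACKAGES is an assumed addition (app installation).
HIGH_IMPACT = {
    "android.permission.RECOVERY",
    "android.permission.MANAGE_USERS",
    "android.permission.INTERACT_ACROSS_USERS",
    "android.permission.INSTALL_PACKAGES",
}

# Constructed sample in the privapp-permissions format; not the real file.
# Real allowlists live under /system/etc/permissions/ and
# /system_ext/etc/permissions/ on the device.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<permissions>
    <privapp-permissions package="com.google.android.gms">
        <permission name="android.permission.RECOVERY"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.STATUS_BAR"/>
        <deny-permission name="android.permission.INSTALL_PACKAGES"/>
    </privapp-permissions>
    <privapp-permissions package="com.example.vendorapp">
        <permission name="android.permission.INSTALL_PACKAGES"/>
    </privapp-permissions>
</permissions>
"""


def parse_privapp_permissions(xml_text):
    """Return {package: {"granted": set, "denied": set}} from an allowlist.

    <permission> entries grant a privileged permission to the package;
    <deny-permission> entries explicitly withhold one.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for block in root.iter("privapp-permissions"):
        pkg = block.get("package")
        entry = result.setdefault(pkg, {"granted": set(), "denied": set()})
        for child in block:
            name = child.get("name")
            if child.tag == "permission" and name:
                entry["granted"].add(name)
            elif child.tag == "deny-permission" and name:
                entry["denied"].add(name)
    return result


def high_impact_grants(xml_text, package):
    """Sorted HIGH_IMPACT permissions effectively granted to a package.

    An explicit deny wins over a grant of the same name; an unknown
    package yields an empty list.
    """
    entry = parse_privapp_permissions(xml_text).get(package)
    if entry is None:
        return []
    effective = entry["granted"] - entry["denied"]
    return sorted(effective & HIGH_IMPACT)


if __name__ == "__main__":
    for pkg in parse_privapp_permissions(SAMPLE_XML):
        print(pkg, high_impact_grants(SAMPLE_XML, pkg))
```

To audit a real device, pull the file (for example with `adb pull`) and pass its contents in place of `SAMPLE_XML`.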

    • FarLine99@lemm.ee (OP) · ↑4 · 2 years ago

      Thanks for the detailed response. Creating and interacting between new users is a serious opportunity for permission bypass. The content of the file won’t load for some reason, but still :)

  • FarLine99@lemm.ee (OP) · ↑3 · 2 years ago

    I am still not sure if the sandbox is completely disabled for system applications. No comments with real arguments. But thank you, guys :)