I'm glad this is still being maintained. It's a really great way to still run popular apps without having to go the entire F-Droid/OSS only route.
My current phone no longer charges and I've already replaced so much stuff on it (back, camera, etc.) that I'm deciding to go the KDE Plasma route, starting with a new old-stock Nexus 5X.
I hope the Purism 5 and Pinephone get released as well. I really want to go the Plasma route. If there is tooling I need that's missing, I hope it will force me to write and contribute apps that can help myself and others.
We need a real open source mobile operating system, not Google's cripple-ware.
Watch out for the 5x, I've seen 3 in addition to mine die the same way. They start rebooting randomly then boot loop. It's an acknowledged problem with the chipset. You can sort of fix it if you are able to load an alternative kernel [0] on it that disabled the big cores and that bought me another few months before it totally died. If you're willing to risk it you can get a higher RAM version of the motherboard on aliexpress where they may have used better solder.
Mine started to boot loop a couple years back and it was out of warranty by then. I sent LG a mobile device repair request and the rep sent a prepaid label. So I wiped it, removed the sim and mailed it to their US repair center.
I got it back about ~2 weeks later in working condition, at no cost. LG is repairing any Nexus 5X for the bootloop issue outside warranty. Apparently it's due to incomplete contact of the heatsink with the CPU.
It was a great phone otherwise but eventually the core patch started boot looping which a reflow fixed for a few weeks before it finally completely died. Ended up getting a OnePlus 6 and it's been fine but I wish I had the 5x as a travel / backup phone. Still rocking my old Galaxy Nexus for that purpose with a custom rom. [0]
I know people, who microwave their phones for a few secs to get them replaced by the carrier with a newer model, still not sure if you're joking or not.
Solder melts at >180°C. This idea that putting electronics in an oven will reflow internal components is a commonly repeated meme[1].
In reality, putting electronics in an oven usually has the effect of heating up some chips which are heat-sensitive and might temporarily give them new life.
The RattlesnakeOS instructions for unlocking my Pixel 1 were pretty straight-forward to me... except for figuring out that the "Zip: unable to allocate space for file to ...: No space left on device" error message from flash-all.sh/`fastboot flash` wasn't referring to anything on the phone, but to $TMPDIR on my laptop. I gave my $TMPDIR more space, and the whole process went smoothly.
MicroG is a fantastic project! I wouldn't know what to do without it! (×)
For anyone who wants a really easy way to install and use LineageOS with MicroG, consider going for the MicroG-infused version of LineageOS: https://lineage.microg.org/ It's basically pure LineageOS with a small patch that allows MicroG to spoof the Google services' signatures. The ROM supports all the devices regularly supported by LineageOS and even gets weekly OTA updates, too.
There's also the main Bountysource page: https://www.bountysource.com/teams/microg for donating to specific issues. If you're not ready to use this yet because it doesn't work well with X app, there's probably an issue tracking something that would make it work which you can donate to!
> Why do we need a custom build of LineageOS to have microG? Can't I install microG on the official LineageOS?
> MicroG requires a patch called "signature spoofing", which allows the microG's apps to spoof themselves as Google Apps. LineageOS' developers refused (multiple times) to include the patch, forcing us to fork their project.
> Wait, on their FAQ page I see that they don't want to include the patch for security reasons. Is this ROM unsafe?
> No. LineageOS' developers decided not to include this patch for various reasons. The signature spoofing could be an unsafe feature only if the user blindly gives any permission to any app, as this permission can't be obtained automatically by the apps. Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.
Signature spoof require specific permission and it's only available for system apps. So there is no way any app can abuse it unless you specifically allow it.
Typing this on my Poco F1, 6 may ROM and now upgrading to 13 may version. Battery is great (2,5 days), it is very stable and the speed is also good. Yesterday I've tested navigation by downloading Google Maps. Couldn't find places by typing. When I enabled advanced location via WiFi and Bluetooth it worked. Installed in November lineage manually with MicroG and had problems with finding location. Not anymore.
I also use Aurora store for the few apps that I'd like to use from play store such as banking. The sick thing about this combination is that it supports in app purchases as well.
Do you also get this annoying thing where the fingerprint sensor stops working sometimes and touch is too sensitive? The LineageOS beta worked great, the official version is buggy for me and is really annoying.
I also keep thinking about doing this on my Pocophone (F1) but how do I know what works and what doesn't? I really like the face unlock feature and I don't want to lose the good camera. It's not immediately obvious from their website what state everything is in.
I don't believe you can install the play store itself, but Spotify should work. You would have to manually side load it, or install the yalp store which will manage fetching and updating play store apps for you.
Yalp store has default credentials for Play, and it has difficulty loading "split" APKs. I have Chrome installed, and I use Yalp's manual download to get updates for it, then trigger the updates from my downloads folder. If I were using Webview instead, this wouldn't be required.
LineageOS really should find a way of making Webview available for people who do not load Play/gapps - MicroG is the only way to run an up to date webview if gapps is not present.
There are also two versions of the "Aurora Store" in F-Droid. These require your Google account at startup, and they supposedly handle the split APKs.
Yalp does warn that using your own credentials is a violation of Google's terms of service. Because of this, I have never given these credentials to Aurora.
Aurora does not require using your own credentials; there's an "anonymous" button on the login page. It does support split APKs, and has completely replaced Yalp for my uses.
> Does this mean I can use the Play store and apps such as Spotify without much issue?
Yes! (I used to have the Play Store installed on my phone with MicroG and it worked just as you would expect. As for Spotify, I use it on a daily basis.)
UPDATE: I should point out that I have since replaced the Play Store with Yalp/Aurora Store because the Play Store still needs to be installed as system-privileged app which I didn't like.
What's the difference between using this and sideloading Gapps on LOS? Will I still be able to use Maps, for example? I'm not sure what the benefit is.
Running Gapps on your device (in particular, the Google Services Framework) means that Google will basically have root access to your phone. MicroG prevents that while still allowing you to run certain Google apps like Maps, use Google Cloud Messaging and so on.
There's also /e/ - another, more opinionated Android distro also using MicroG (and LineageOS...)[1], along with freemium Nextcloud hosting. I threw it on an old Nexus 5, seems interesting, if a little still-in-alpha.
I don't think it's fair to categorize them as 'shady', at least yet. Most of the issues described could be attributed to the fact they are very early stage and just wanted to release something working quick. I realize that's not always the best approach, though. Time will tell if they are a standup organization or not, I suppose.
The very reason for /e/ to exist is expressly to provide users with privacy...so some of the shortcuts they took are inexcusable (using APKs from APKPure, leaking personal data, etc).
So "shady" might not be the right term..."untrustworthy" might be a better one, until they prove otherwise.
To be sure of the integrity of a binary and what it does, one must build it from source code that one has verified.
Making strong claims about privacy and then bundling pre-built binaries found on the internet (no matter what the site) does not inspire confidence in me about the team or its supposed dedication to privacy.
Most of the proprietary Google apps on Android are actually just frontends to their proprietary network services like play, maps, gmail, gms, firebase, etc. Giving a replacement that deserves the name means that you have to re-create the associated network services which is the actually hard part because you won't just get shop owners to upload their opening hours to your service as well as google maps. That's an immense competitive moat that Google has built. It's on the territory where they are strongest, providing network services. And it's part of the reason why they could open source the Android OS in the first place: no competitor manages to replicate all of those network services.
> You won't just get shop owners to upload their opening hours to your service as well as google maps
Over the last couple of years, I have noticed some shop owners (mainly chains, but also individual proprietors) adding their opening hours to OpenStreetMap themselves. Certainly more needs to be done to compete with Google, but OSM is still a libre alternative with some level of uptake. Plus, anyone walking past an establishment can add its opening hours from what the sign on the door says.
I add opening hours to establishments I frequent. Since next time, I can easily answer the question "Is X open right now?" without needing to be online to do so.
OSM is fantastic. At least if you live in an area where people maintain it. The level of detail that OSM has on Artis, the Amsterdam Zoo, is astounding. On Google Maps it's hard to see which parts are inside and which are outside the zoo. Google Maps also very reliably sucks on bicycle routes in and around Amsterdam.
etc? Or even on-page microformats. Google used to do this until they got big enough that they didn't have to anymore. This would probably be the only way we could chip away at that moat, and ensure we don't fall into that trap again.
The semantic web failed due to HTML being a format for humans. Where humans need to enter for them unnecessary extra data so the machines could understand what the humans already understood. There should be a (URL maybe?) scheme for machines generated by machines with standard properties like open hours, site category, etc.
There's still some attempt being made, for example with json-ld[1].
Ultimately any kind of microdata has the same problems that OpenGraph or ye olde meta keywords etc. tags did, GOOG and Co. need to parse the human-readable content to confirm any extra data for bots is not a trick. Which tends to encourage them to just ignore it, at best it's a slightly more structured version of what they're scraping from the page, at worst it's a lie.
There are other reasons why an open source implementation is useful even if it relies on some proprietary backend stuff (like being able to review the code running directly on your device).
And I think it's more interesting in the context of the recent Huewai/Android story.
And with good reason. While singletons of those are indeed trivial and not protected, once collected into a huge database, that database earns protection.
I don't agree. There should be no copyright claim or other legal protection status possible on public domain information. That is not the same as saying Google should be forced to hand it over. I'm talking about crawling their website.
I recently looked at this while reviving a trusty old Samsung S4, but ultimately just went with Enhanced LOS and no gapps. F-Droid has pretty much everything I really need. It’s kind of amazing how well supported this stuff is by the community, I am tempted to move away from the Apple ecosystem for my regular phone.
The big things F-Droid is missing are apps based on services. Social media, banking, communication apps, commerce apps, media streaming apps. For most people, these are most of the things they use their primary mobile devices for. APKMirror can get you some of those, but some have been pulled and others require Google Services (which is where MicroG comes in).
>APKMirror can get you some of those, but some have been pulled and others require Google Services (which is where MicroG comes in).
IME F-Droid usually has a working play store alternative/wrapper for those cases. Currently, "Yalp Store" has been reliable for my Play store needs over the past year. My bank keeps locking out old apk versions so Yalp Store comes in handy.
That's fair. That is most of what is on my regular phone, but I also think sometimes about how very little I use those things. My primary apps are Firefox, Mail, SeaFile, KeePass, HERE We Go, and Telegram. Those account for surely 95% of my app usage and I think HERE We Go is the only one not supported in that list.
It varies by person; I use them all the time and that's why I gave up on using LineageOS to forego Google. I couldn't listen to my Pandora stations, I couldn't get Slack notifications from work, I couldn't check my bank account. I once had to return some headphones because they required an app and it wouldn't work. My phone basically became nothing but a web browser and... a phone.
The choice is basically:
1. Privacy
2. Freedom of customization
3. Full participation in modern society
Pick two.
I had 1 and 2, and ended up resigning myself to 1 and 3 and getting an iPhone.
What I want is not to block certain permissions, but to fake them. Let it think it's got access to my contacts, but it's only going to see a few fake contacts.
In my experience (running Lineage + microG for a month or so now) the main issue is with in-app purchases like "Pro" versions of things or subscriptions.
There are various workarounds to make it happen, but I haven't had any success. I've tried using the NanoDroid patched Phonesky apk but no luck on my Pixel.
Some apps attempt to check their license via PlayStore on startup and won't acknowledge your license otherwise (e.g. TitaniumBackup, DarkSky)
Others require play services to download additional stuff and refuse to function without it - e.g. Monument Valley.
Some work fine when the pro version is restored via TitaniumBackup, though - Solid Explorer is one example.
I haven't run in to any problems, but I also haven't been using the phone exclusively so my experience is very limited. It would be interesting to know exactly which apps are affected by that though...
Google requires a comprehensive privacy policy for apps and there are plenty of policy generators, but they don't make their own library specific privacy policies easy to find in my experience. Just using Google Play has privacy implications and it's a mess trying to track down and link proper policies without seeming like your app is stealing users social security numbers. It's possible I just have no idea what I'm doing, but I shouldn't need to hire a lawyer for an app that collects zero data by itself.
A downside to MicroG is that it relieves some of the demand coming from people averse to Google snooping, so there's less demand for a genuine alternative.
Running MicroG makes you still under Google's thumb.
Additionally, Google can pull the rug out from under you at any time (by breaking MicroG with technical changes, or ToS).
(Personally, I've temporarily switched to a dumbphone for essential voice/SMS, while PostmarketOS gets developed for various Web/app purposes, and am also looking at the Librem 5 work.)
I'm using this on a HTC 10 for 9 to 12 months now (on an inofficial LineageOS build). Only major quality of life issue is the lack of system-wide weather data (e.g. Garmin Connect is unable to display weather on my fitness tracker). Minor annoyances are the absence of the pretty good Google Maps (though I've heard good things about Here Maps on HN) and that Volvo on Call seems to have some trouble with rendering the replacement OSM map data; but I only installed VoC recently, so I could not check this on a Google-infected Android, plus that feature is not that important (and if I'll ever be too drunk to find my car that's probably a good thing after all).
Two friends of mine migrated from Windows Phone directly to Samsung Galaxy S... uhm, not sure, 8 or 7 I think... with LineageOS+MicroG, and are quite happy as well.
> Minor annoyances are the absence of the pretty good Google Maps
I don't understand. What prevents you from installing Google Maps on your phone? It works perfectly fine on mine. (I'm running the MicroG-infused version of LineageOS. [1])
I think there's two different use cases for Lineage + MicroG: remove all ties to Google, and make sure they can't track you, no matter what convenience and functionality you sacrifice; and remove as many ties to Google as possible without sacrificing significant convenience and functionality.
The latter of course rewards Google for their sleaziest, most locked-down services that everybody still needs. The former punishes the user for the same thing.
So you're not using Google search, either, I assume? Just curious because while I absolutely understand your aversion torwards Google, I do think it's more sensible sometimes to strike a good balance between privacy concerns and comfort/laziness than to completely sacrifice one for the other.
Not the person you're replying to but hopefully useful information: I stopped using Google services incrementally over the past year or so. I started with this distro on my 5x (but had difficulty getting updates to work) and eventually moved to an iPhone. In the last few months I've switched to DuckDuckGo for search, Firefox for browsing and offline Open Street Maps for navigation. I still have a gmail account but I only check it about once per month, if that. I suspect I'll export my data from it soon and close it.
It was tricky in places and fiddly in others, but overall I'm happy that I'm doing a reasonable amount to keep Google out of my life without being inconvenienced now. A piecemeal approach certainly worked for me, so I'd certainly recommend that to minimise impact for anyone thinking of doing the same.
"Aversion" is such a strong word... I mean, yes, I try to avoid Google due to privacy concerns. That means no more Chrome, no Google-Search-as-default and not logging in via Google.
OTOH, you're totally right about striking a balance: If I'm sitting at work, looking something up and DuckDuckGo doesn't yield the expected results I'm quick to prepend a "!g" - which gets me the desired information in about 90% of the cases. Or if I plan a trip in advance I use Google Maps so I can get a good estimate of the travel time for a specific time of day.
Also: My SO and I have a shared Google Calendar, which I sync to my device via DAV.
I just stopped indiscriminately streaming all my personal information to Google, instead I gained some more control about what data the company gets.
Search is the easiest to replace. There are plenty of other search engines available, and Google Search really isn't all that good anymore. They're mostly good if you're looking for big sites, news sites, or commercial stuff. Anything obscure they don't seem to know anymore.
Replacing gmail is possible, but annoying, because I've got way too many site subscriptions tied to it. I really need to start using email addresses on my own domain for everything from now on. That way, in the future it's painless to switch email providers.
Android is one of the hardest, because of all the Android apps that rely on Google services. I'll definitely be checking out Lineage + microG.
It's a pity that I skipped the HTC 10 and transitioned directly from the HTC One M9 to the Galaxy S8. It seems to be a well-supported LOS device, and I could probably still be using it happily. I still love the way it looks--I have no idea why everyone moved away from the metal back to glass when half of them don't even support wireless charging.
OK but my HTC 10 would die after an hour and charge extremely slowly after a year of use. The battery was clearly physically degraded and MicroG would not have fixed it.
Ah, don't take the post as an ad for the HTC 10. I only got it for the great headphone amp (I have Sennheiser HD 650 headphones with 300R impedance). I think there are better supported LOS devices. Especially with other users warning about the battery.
What are - if any - the security implications of the signature spoofing that MicroG requires? I've considered trying to squeeze MicroG into GrapheneOS, but GrapheneOS currently doesn't support signature spoofing. LineageOS does, but unfortunately my device isn't supported by LineageOS.
If an app has the permission to spoof signatures (which must be specified in its manifest - I.e. it's not a permission that's grantable with `pm` ) it can spoof itself as being any other app, if my understanding is correct. This opens the door to sketchy apps pretending to be system apps, then man-in-the-middling your data, potentially leaking sensitive info, etc.
Generally the signatures are there as a tamper-proofing mechanism. Some builds (e.g. official-ish LineageOS for MicroG ROMs) have a hardcoded notification that's shown for the signature spoof permission so it can't happen in the background, though.
The possibility of widening the attack surface just triggers security paranoia in those of us ditching Big G for privacy reasons - that's why there's controversy over it at all.
The microg lineageOS builds only allow system apps to spoof signatures so it should be fine. And even if any app could do it its still only bad if you get apps from an untrusted source.
- MicroG felt somewhat unmaintained, it took months for my bugfix PR to get merged. Maybe it's better now? idk... Nanodroid's fork was more active at the time, but idk if it's trustworthy or still active.
- Getting SafetyNet to pass on Lineage-MicroG required installing the pirate/ad-remover app Lucky Patcher (which comes with some questionable adware) and using it to patch away APK installation signature checks. Lineage-MicroG's built in spoofing doesn't work.
- Hangouts would crash at launch unless you disabled some https/pinning/etc. I heard it was fixed.
Something I've wondered- does this allow you to totally forego Google's web APIs? I.e., sending any data to Google at all? Or is it just that the local code is open source?
AFAIK MicroG doesn't send any data to Google unless you explicitly tell it to. Here are some situations where you might want to do that:
- You might want to enable the Google Cloud Messaging feature inside MicroG, so that your apps can receive push notifications just like they would on a regular Google phone.
- SafetyNet. If you want some app to work that requires Google SafetyNet, your phone will necessarily have to communicate with the Google servers. MicroG provides functionality to do that. (Though, if you're worried about your phone's security, I strongly advise against using this feature because SafetyNet essentially requires the phone to download and run a binary blob from the Google servers.)
- If you want to install apps from the Play Store you will have to install the Google Play Store app or at least some open-source alternative like YalpStore or Aurora Store both of which will obviously download the .apks from and therefore connect to the Google servers. However, this has nothing to do with MicroG per se.
Anyway, you decide all this for yourself. If you don't want your phone to connect to Google at all, that's perfectly possible.
UPDATE: Indeed, I just checked and found a setting in MicroG saying "Allow connecting to Google servers. If disabled, all connections to Google servers usually done by microG will be denied. This overrides service-specific settings."
One of the key benefits to MicroG is that you can turn on/off Google Cloud Messaging for every single app that uses it. As far as I'm aware, this fine-grained permission is not available on Google Play Services.
This is just a local code replacement. It still uses Google services, and it wouldn't work any other way, since many Google APIs that Play Services interacts with connect to Google accounts.
The site does claim that you can more readily monitor and restrict what data is sent to Google with microG compared to Play Services though.
Since many of the google services are for generic things like notifications and location, I've heard it can spoof at least some of those. I was more asking whether it can work as a wholesale boycott, or only partial.
The challenge is that "notifications" tend to be treated like a service now. Push notifications delivered "from an app" actually come from Google services to your device. Which is why sometimes you get a notification "from an app", and open the app, and it still has to sync before it shows what you were notified of already. To replace Google in this transaction, the app developer would need to pipe their notification pushes to your alternative server.
Amazon and Microsoft have both played with replacing Google's location API, basically by using their own location service but formatting it like a response from Google though. On the Fire Phone/Kindle line, and Microsoft's Android layer they built and abandoned for Windows Phone respectively.
MicroG still talks to Google servers in some cases - e.g. their push notification module will keep a long-polling connection to Google infrastructure to receive notifications.
This worked great when I had an android (I replaced with an iPhone since I wanted easy privacy).
Worked for most things, the maps and location part was most dodgy though. Uber was almost impossible to use and Grindr stopped working. Other than that, things like G/FCM worked perfectly.
Can I just comment how contradictory this is? I understand "privacy" means different things to people, but when used like this it's diluted to an arbitrary buzzword. What I mean is:
Uber has user route history, payment history, etc, and law enforcement is readily utilizing this data, e.g. in the recent Jussie Smollet fiasco, in cases. Even if you're not worried about that, Uber had a massive data breach, which they were investigated for and fined.
A lot of people have problems with some privacy violations but not with others. Until recently, I trusted Google with my data but not Facebook, because I felt I knew how Google operated.
Since then, Google has lost my trust, and now I'd like to restrict their access to my data.
The thing is, I wanted to use an open source OS that doesn't track me. I understand that to be able to use certain services on top I must accept closed source software and the privacy issues but that's a trade off I'm happy to make. My phone pinging some server every 5 minutes with my location and to download more ads doesn't benefit me however.
Firefox for Android also lets you opt in to help improve Mozilla Location Services whenever Firefox makes a location request. This is equivalent to using the Stumbler app (and you should check its battery/RAM usage to make sure this setting is acceptable for you):
It may just be a matter of data disparity - who really has more info to correlate multiple data points and triangulate you? Big G or one offline data provider?
That said, I've actually (anecdotally, I guess) seen an improvement in the speed with which my device can locate me with LineageOS + microG. I've been using Unified NLP with the GSM location backend that you can find on F-Droid.
Not sure how well this would work out if I, say, road tripped through an area without cell service - not sure if it uses ANY carrier's tower it can find (that your baseband supports) or just your carrier's towers. Waze finds me much faster on launch, though.
Maybe. Google could probably find a way to block it if they tried. A lot of this custom android stuff only works because Google put no effort in to stop it.
I know, so why is the comment talking about Apple's app store? Something that is so different from the Play Store, on devices with such a different license, that talking about Play Store practices make no sense?
There _are_ no legitimate alternatives. Not by Huawei, not by any western company, not by anyone. There's only one, and Apple has it on lock-down; it has zero bearing on anything not-Apple.
Google around for a project called NanoDroid (I'm not affiliated)
That guy has released a ROM patcher for most AOSP ROMs that can add in signature spoofing support. IIRC there was also flashable tooling for removing GApps from your device.
You'd need a custom recovery, though. Just flash your stock vendor image, remove GApps, flash the patcher, then flash microG. I'm simplifying a bit, but it might be possible.
The version of the Linux kernel used in Android implements a custom IPC mechanism called Binder that userspace services and apps use, which I think (though I could be wrong) is based on some kind of also custom-made shared memory facility.
would be awesome to be able 'play services' implementation like you select launcher, without the need to rely on Google (and one woild select microG, which works great... and push is optional)
Can anyone comment on Dutch attitudes in this respect? The Dutch I have worked with could come across as very confident - even when very obviously wrong. I’ve found it a little confusing: they sound like they’re right, but what they’re saying is incorrect! In Anglo culture people tend to be a little more circumspect when there is the potential to be wrong.
I had a Dutch boss, who once said, “you never put forward something as your opinion, you always state a secondary source. Why?”. I said it was to give credence to what I was saying, because I myself am only one data source. His answer was, “oh, that is very honest”. I never really understood that.
You might need to explain what "Anglo" culture means in this context - is it just "British", or short for "Anglo-American"? In my personal experience, Americans can come off (to non-Americans) pretty much as you described your Dutch boss.
My current phone no longer charges and I've already replaced so much stuff on it (back, camera, etc.) that I'm deciding to go the KDE Plasma route, starting with a new old-stock Nexus 5X.
I hope the Purism 5 and Pinephone get released as well. I really want to go the Plasma route. If there is tooling I need that's missing, I hope it will force me to write and contribute apps that can help myself and others.
We need a real open source mobile operating system, not Google's cripple-ware.