NewUser
I understand that MicroG is less secure than Google play services because of the spoofing signature requirement. But I made a small experience.
It's less secure because it doesn't implement the same security checks. Spoofing it being Google Play is only a problem because of that and is bypassing a security check while not preserving the security checks which that check is meant to uphold.
Google Translate is not working offline on Divestos with MicroG (this is a new Google egoistic policy). But it's working in GOS with Google play services with internet permission revoked.
microG provides much less functionality and therefore much less app compatibility than sandboxed Google Play in general. Unfortunately, some of the missing functionality is missing security checks.
I also noticed that some apps are showing ads in GOS even when internet permission is denied. In Divestos this doesn't happen.
It's not implemented. It would be trivial to block with a toggle for sandboxed Google Play, but our focus has been app compatibility, not providing a bunch of toggles for which features are available.
My conclusion was that Google play services gives apps the possibility to use internet even when it's denied. I may be wrong.
It's completely wrong.
But I just concluded that Google play services are more invasive than MicroG.
They're regular sandboxed apps on GrapheneOS. Any regular sandboxed apps within the same profile can communicate with mutual consent. Sandboxed Google Play has no special privileges on GrapheneOS, unlike microG even on DivestOS where it has the special privilege to pretend to be Google Play.
That's why I suggested that GOS team members allow users to choose between MicroG and play services. For people who just needed Google push notifications MicroG is enough.
It's less secure and even that tiny part of the functionality doesn't work reliably.
We already made a proper reimplementation of the Google Play location API, unlike microG, and we're completely capable of doing the same thing with other portions of it or including having functionality which works without it installed. That's not going to involve using an insecure project with an untrustworthy development team.
On GOS, I revoked internet access to Signal. I called my account from another mobile. My Signal app sent me a notification "you may receive messages...". The same thing didn't happen in Divestos.
You're wrong, that works fine with microG too. Also, Signal is a perfect example where the app works fine without Google Play including with push but will not work correctly in a setup you proposed in the other thread of using it with FCM disabled. That breaks the app and it won't get calls or push notifications anymore, unlike using it in a profile without Google Play.