GrapheneOS with microg (or somehow with GSF enabled)

flier8252

Hey there, is it possible to (properly) use Grapheneos with microg without requiring much extra setup? I'll be getting a pixel for my next phone and want to use Aurora services (with Store & Droid), GSF apps to work properly and Google's location provider without giving them much data, is that possible at all without messing with the system files or flashing anything, possibly through the UI without exiting the system?

akc3n

Hi flier8252

... microg (or somehow with GSF enabled)

The short answer (provided by @matchboxbananasynergy):

vast majority of the little functionality it provides requires it to be privileged, and not a regular app, so it wouldn't be very useful for you

For a detailed explanation, please read:
https://discuss.grapheneos.org/d/4290-sandboxed-microg/11

Also, a friendly FYI, this has been discussed numerous times on our forum and similar threads can be found using the search feature.

DeletedUser28

I would love to see this in GrapheneOS. Like DivestOS has done:
https://divestos.org/pages/faq#microgNotes

It's one patch with ₁₀₀ lines changed to make it work as an unprivileged/sandboxed app, with signature spoofing for only MicroG:
https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Patches/LineageOS-20.0/android_frameworks_base/0036-Unprivileged_microG_Handling.patch

So the extra workload of adding this functionality shouldn't be that much in my opinion. Certainly less than working on sandboxed Play Services.

Why would I love to have it? Because I only need Play Services for the Cloud Messaging (push notifications) functionality. I don't care about Safetynet or Play Integrity, I don't want Google location services, I don't want the Play Store, I don't want to connect my Google account. Unprivileged MicroG to make push notifications work with minimal overhead and no Google binaries polluting my device, that's all I want. And you can even limit it to a second user profile, just like Sandboxed Play Services.

akc3n For a detailed explanation, please read:
https://discuss.grapheneos.org/d/4290-sandboxed-microg/11

Points taken, but if Signature Spoofing was allowed for MicroG, you would successfully get push notifications with MicroG installed as a normal unprivileged user app, right? And some other benefits like Maps API working, too.

[deleted]

DeletedUser28 but if Signature Spoofing was allowed for MicroG, you would successfully get push notifications with MicroG installed as a normal unprivileged user app

If an app has the permission for Signature spoofing, Its not unprivileged. An app being a normal user app doesn't automaticallly mean Its inherently unprivileged, as some Privileges (specifically development permissions) can be granted to user apps on Android (and hence GrapheneOS) too.

[deleted]

DeletedUser28 MicroG is not great at all for production use Operating Systems, as It can break at any time and doesn't support many APIs/important stuff. MicroG also does load code from Google. Giving privileges to and encouraging the use of MicroG is just not worth It.

matchboxbananasynergy

MicroG is not supported. You can install it if you want and it'll work to the extent that it can work as a regular app, but it will not receive any specific support or integration in the OS.

For OP who may not be aware, if you're not asking about MicroG specifically, but Google Play compatibility in general, GrapheneOS' approach is different, and detailed here:

https://grapheneos.org/features#sandboxed-google-play

DeletedUser28

[deleted]

It does not have to be privileged: "it can work in an unprivileged fashion on DivestOS 17.1 and higher after the July 2023 update." in the link I posted above

The most important features like Cloud Messaging and Maps API work in this unprivileged implementation. If that's all I need (I'd say the most important reason to get Play Services is the Cloud Messaging by far) then in my opinion it's clearly preferable to full-fat Google Play Services. For some users that might not be enough (e.g. if your banking app needs Safetynet) but I'm not suggesting to scrap work on sandboxed Play Services.

dgzeij

Half a century with string theory gave the scientific community many new tools, which they had to develop to be able to verify if string theory was even a possibility. What it didn't give was a solution to the problem.