FORUMS
Remove All Ads from XDA

[APP] microG GmsCore - lightweight free software clone of Google Play Services

496 posts
Thanks Meter: 2,244
 
By MaR-V-iN, Senior Member on 4th October 2015, 05:37 PM
Post Reply Email Thread
6th October 2015, 09:41 AM |#21  
Member
Thanks Meter: 16
 
More
Quote:
Originally Posted by MaR-V-iN


I tried this out yesterday after you posted it to verify your findings. I received some random play store error code.
When I wanted to do this again today, instead of the error message, a dialog popped up asking me to "renew" my account. I continued and skipped the payment details. After that I was able to download and install applications. Can you try this out on your device as well. If it does not work automatically, this might also be related to a second checkin. In this case, can you try dialing *#*#CHECKIN#*#* or on a tablet open a root shell and invoke `am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://2432546`. If this changes anything for you, please report back what you did.

Dialing *#*#CHECKIN#*#* got rid of that random error code but now the play store FCs after accepting permissions.
 
 
6th October 2015, 09:45 AM |#22  
emandt's Avatar
Senior Member
Thanks Meter: 355
 
More
Nice work but I don't that be Google will be happy to know the existence of this Suite of Apps.
Second: I think these new services/apps are using direct HTTP(S) calls to Google's WebServices ...so what will happen if G frequently change/add some code/parameter and/or add a crypted token to the communication? It will be not easy to follow all G updates in the next years.
Third: using an alternative GoogleServices leaves the credentials/data and all user informations in an unknown/untrusted group of people's hands. G could not be the most transparent "group of people" (about privacy and data retention), but......

I think G will force you to stop this project or (it's the most simple way) G will add special crypted tokens (not only the OAuth one) to all its WebService calls...or other things to prevent your framework to work.

I respect all projects but IMHO touching user's credentials, personal informations, payments and other critical things it's not a good thing that an user should trust on if not managed by someone trusted (I repeat: G could not be the most trusted "person" but at least it follows laws and be punished by them if G do illegal things with data/credential/payment....and I don't think it will be the same for the authors of this project).

I think this could be a big and great project but just for educational purpose to write "wrappers" around WebServices...but not a thing to be used in a real-life environment where real credential and payment data are sent, used and watched by these new Services...
6th October 2015, 10:33 AM |#23  
Member
Somewhere
Thanks Meter: 28
 
More
Well that's why it's open source - you can inspect the source code to ensure the alternative services aren't doing anything shady with your details.

And if you don't trust the precompiled APKs, you have the option of compiling the source code.
The Following 5 Users Say Thank You to rymate1234 For This Useful Post: [ View ] Gift rymate1234 Ad-Free
6th October 2015, 10:41 AM |#24  
Member
Thanks Meter: 16
 
More
Forget what I said earlier. Works fine after installing play store in /system/priv-app
6th October 2015, 11:14 AM |#25  
emandt's Avatar
Senior Member
Thanks Meter: 355
 
More
Quote:
Originally Posted by rymate1234

Well that's why it's open source - you can inspect the source code to ensure the alternative services aren't doing anything shady with your details

Sure, the same we can do with Linux...but who can inspect millions of rows of source code? I don't know anyone that had compiled Linux/Android/App before installing it...so having OpenSource do not means nothing most of the times.

However when Google will know about this project I suppose something will change or stop. They could be not interested to provide a service for an insecure framework that could ruins user's experience with its Services and let the user to think G services are not working well...and about the payment the discussion could became more times delicate.

Sorry for my "bad" opinion but if I would be in Google I will not allow this project to grow up in any way.
6th October 2015, 11:24 AM |#26  
Koloses's Avatar
Senior Member
Flag Zielona Góra
Thanks Meter: 1,086
 
Donate to Me
More
Well i guess somebody has to be "that guy", who doubts in everything. You have the source, do the audit yourself or simply don't use the thing if you are so afraid. Stop trying to scare people.
Quote:
Originally Posted by emandt

could ruins user's experience with its Services and let the user to think G services are not working well...and about the payment the discussion could became more times delicate..

This project was made*, because google play services itself is ruining android experience altogether with it's bugs, battery drainage, performance impact, storage eating and data harvesting (original gmscore eating 120 MB of storage on my mobile, that is unacceptable, while microg gms takes only 9 MB).


*- probably that's the one of the reasons
The Following 7 Users Say Thank You to Koloses For This Useful Post: [ View ] Gift Koloses Ad-Free
6th October 2015, 11:30 AM |#27  
Senior Member
Thanks Meter: 313
 
More
Say what you will about this project and it's developers but I honestly trust them a whole lot more than google.
The Following 7 Users Say Thank You to Could Be Anyone For This Useful Post: [ View ] Gift Could Be Anyone Ad-Free
6th October 2015, 12:40 PM |#28  
Member
Somewhere
Thanks Meter: 28
 
More
Quote:
Originally Posted by emandt

Sure, the same we can do with Linux...but who can inspect millions of rows of source code? I don't know anyone that had compiled Linux/Android/App before installing it...so having OpenSource do not means nothing most of the times.

However when Google will know about this project I suppose something will change or stop. They could be not interested to provide a service for an insecure framework that could ruins user's experience with its Services and let the user to think G services are not working well...and about the payment the discussion could became more times delicate.

Well from what I can see the checkin is actually done over https https://github.com/microg/android_pa...lient.java#L49

Looks like the auth is also done over https https://github.com/microg/android_pa...quest.java#L33

I also haven't seen anything in the relevant source files that appear to send this information to anywhere else but Google.

Your point about the quality of the framework ruining the users experience is correct - there's a lot of things that are unimplemented as of yet. Then again, it's still in alpha, and isn't anywhere near complete. But at least it doesn't drain my batter like Play Services does.
The Following 3 Users Say Thank You to rymate1234 For This Useful Post: [ View ] Gift rymate1234 Ad-Free
6th October 2015, 12:59 PM |#29  
Ultramanoid's Avatar
Senior Member
日本
Thanks Meter: 4,058
 
More
Quote:
Originally Posted by emandt

Sure, the same we can do with Linux...but who can inspect millions of rows of source code? I don't know anyone that had compiled Linux/Android/App before installing it...so having OpenSource do not means nothing most of the times.

However when Google will know about this project I suppose something will change or stop. They could be not interested to provide a service for an insecure framework that could ruins user's experience with its Services and let the user to think G services are not working well...and about the payment the discussion could became more times delicate.

Sorry for my "bad" opinion but if I would be in Google I will not allow this project to grow up in any way.

Point one : your post is written in such a way that can be considered trolling. Be careful and don't start a flame war.

Point two, as mentioned above : the source code is available, and your response to that is also terribly inflammatory.

Point three : Google KNOWS about everything that's going on in XDA, it is a public forum for one thing, and on occasion Google employees even participate in threads.

Point four : there are a BILLION+ Android users. The number of those who root a device is negligible, the number of rooted devices that use a project like this is even smaller, infinitesimal in the scale of Android's market. Basically, much as it can hurt XDA users' pride, and again, against the backdrop of the big picture, chances are, no one gives a crap about this.

Edit : and we can't have enough alternatives to Google's iron grip over Android. In case the above makes anyone think I'm dissing this project, just the opposite. Just giving some needed perspective to emandt.
The Following 9 Users Say Thank You to Ultramanoid For This Useful Post: [ View ] Gift Ultramanoid Ad-Free
6th October 2015, 01:28 PM |#30  
emandt's Avatar
Senior Member
Thanks Meter: 355
 
More
Quote:
Originally Posted by Koloses

Stop trying to scare people

Well, someone has to be "the guy who reads all thousand of open source files" and some other one has to be "the guy who tell the risks of installing this framework" and "scares" a bit all users.
No any warning/advice about privacy, credential or critical actions was wrote in the first page of this thread, so users are not well informed about the possibility of stole data or privacy issues.

Most of the people doesn't know nothing about programming and doesn't know nothing about what an App can do when it is running.
When I advised friends about the risk of installing unknown Apps on their phones, they told me "what? an App could get all my contacts/messages/files and send them via Internet? wtf!"...this shows you how much people knows about programming...

Quote:
Originally Posted by KolosesThis

original gmscore eating 120 MB of storage on my mobile, that is unacceptable, while microg gms takes only 9 MB

Well, this MicroG has 10% of working features of original PlayService, so they aren't comparable at this stage of work. It is supposedly that at the end of work this project could take 90MB if all interfaces/GUI will be implemented.
However an installed app AWAYS takes twice the original space when installed: I saw my App: it is 4MB of APK but after installed it occupies 10MB...so the problem it's outside the App.

Quote:
Originally Posted by rymate1234

I also haven't seen anything in the relevant source files that appear to send this information to anywhere else but Google.

Well, source code at beginning is not much so usually it works as expected and doesn't do something hidden because it could be easy to find the hidden procedure.

Quote:
Originally Posted by rymate1234

Your point about the quality of the framework ruining the users experience is correct - I'm currently having an issue whereby apps are no longer detecting play services installed, despite them working before. Then again, it's still in alpha, and isn't anywhere near complete. But at least it doesn't drain my batter like Play Services does.

I was not talking about this.
Those are "only bugs".
But think about a bug that sends to Google's Payment service the wrong 10x amount...or (I'm sure most of you will agree with this) returns "yes the App is paid" even if the payment was not done for it and good developers doesn't receive money for their work.
Many other "ruined experience" could occurs when using a framework like that.

Google will not accept a framework like this to use their services...I'm not sure about it but the chance is high for reasons I just exposed and many others.
6th October 2015, 01:41 PM |#31  
Member
Somewhere
Thanks Meter: 28
 
More
Quote:
Originally Posted by emandt

No any warning/advice about privacy, credential or critical actions was wrote in the first page of this thread, so users are not well informed about the possibility of stole data or privacy issues.

*snip*

Well, source code at beginning is not much so usually it works as expected and doesn't do something hidden because it could be easy to find the hidden procedure.

I was not talking about this.
Those are "only bugs".
But think about a bug that sends to Google's Payment service the wrong 10x amount...or (I'm sure most of you will agree with this) returns "yes the App is paid" even if the payment was not done for it and good developers doesn't receive money for their work.
Many other "ruined experience" could occurs when using a framework like that.

Google will not accept a framework like this to use their services...I'm not sure about it but the chance is high for reasons I just exposed and many others.

What are the possibilities of stolen data? What are the possibilities of privacy issues? As far as I can tell, it doesn't send the data anywhere else but google servers when it auths a user. It sends it over https, so it'll be encrypted on the way to google's servers. If you look though the source files I linked, the url at the top of the file is the only one mentioned in those files. No other URLs are mentioned.

Also for payment issues: all payments are processed on Google's servers, using a unique ID for the IAP or application - this means the price for the application is set on Google's servers, not the device. The actual payment request occurs using the Google Play Store app, not the play services, so unless you're using a 3rd party application for the store there should be no issues. Google probably also has server side checks as to whether an app is purchased or not, so the second issue on payment should never occur. And if it isn't done server side, then this could occur with a patched play store apk, rather than a 3rd party implementation of google play services.

Of course, if you have any proof of your accusations against this framework, I'll be glad to hear them.
The Following 2 Users Say Thank You to rymate1234 For This Useful Post: [ View ] Gift rymate1234 Ad-Free
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes