[ROM][OPEN SOURCE][SECURITY][APPS][microG] Best Security ROM and Apps 2022


xXxGeek

Senior Member
Dec 3, 2012
97
95
Beer Capital

The Best Advanced Privacy ROM/w MicroG

I tested the e/OS ROM on my OnePlus 5T for over a year. e/OS supports more than 269 devices.


Fully "deGoogled" Open Source Mobile Ecosystem

The operating system

/e/ is a “deGoogled” version of Android OS. It has an open-source Android OS core, with no Google apps or Google services accessing your personal data. It is compatible with all your favorite Android apps.

With /e/ you’ll find a set of carefully selected apps to cover your most common needs, personal and professional: get your email, plan your week ahead, chat with your friends and coworkers, browse the web, check the weather, check your itinerary for your next meeting…

All the apps are based on open source bricks. We improve their design and experience to make them look stellar and easy to use daily.


Advanced Privacy


Advanced Privacy lets you manage in-app trackers, IP address and location. It’s available as a widget and within the operating system settings.



Advanced Privacy is a specific tool developed to limit your data exposure once you have installed third party apps.

When an application snoops in the background, it will use trackers to log your activity even if you are not using the app. It will also collect the IP address, so it can potentially link internet activity to a specific device and to a persona, and finally it will try to pinpoint your exact location.


ONEPLUS 5T - ROM - ROOT - TWRP - "INSTALLATION GUIDE" LINK BELOW
  1. "Installation Link" Method #1 Easy Installation (TOOL ALL IN ONE)
  2. "Installation Link" Method #2 Install via command line (for advanced users)

IS PLAY STORE NEEDED?

As it turns out, giving up Google is possible, and the experience isn't nearly as bad as you might think, plus my battery life is amazing now. If you care about privacy, better battery life, or want a smoother running phone, take the plunge and find a Rom that doesn't have Gapps installed.

Below are a few applications that I have tested without Gapps installed. I have also listed a few alternative store applications with their links. I exclusively use FLOSS, Free/Libre and Open Source Software, and because of this, I chose to install F-Droid.

What is "FLOSS and FOSS"
The two political camps in the free software community are the free software movement and open source. The free software movement is a campaign for computer users' freedom; we say that a nonfree program is an injustice to its users. The open source camp declines to see the issue as a matter of justice to the users, and bases its arguments on practical benefits only.

To emphasize that “free software” refers to freedom and not to price, we sometimes write or say “free (libre) software,” adding the French or Spanish word that means free in the sense of freedom. In some contexts, it works to use just “libre software.”

A researcher studying practices and methods used by developers in the free software community decided that these questions were independent of the developers' political views, so he used the term “FLOSS,” meaning “Free/Libre and Open Source Software,” to explicitly avoid a preference between the two political camps. If you wish to be neutral, this is a good way to do it, since this makes the names of the two camps equally prominent.

Others use the term “FOSS,” which stands for “Free and Open Source Software.” This is meant to mean the same thing as “FLOSS,” but it is less clear, since it fails to explain that “free” refers to freedom. It also makes “free software” less visible than “open source,” since it presents “open source” prominently but splits “free software” apart.

“Free and Open Source Software” is misleading in another way: it suggests that “free and open source” names a single point of view, rather than mentioning two different ones. This conceptualization of the field is an obstacle to understanding the fact that free software and open source are different political positions that disagree fundamentally.

Thus, if you want to be neutral between free software and open source, and clear about them, the way to achieve that is to say “FLOSS,” not “FOSS.”

We in the free software movement don't use either of these terms, because we don't want to be neutral on the political question. We stand for freedom, and we show it every time—by saying “free” and “libre”— or “free (libre)”.

by Richard Stallman


If you're running a Rom without Gapps, some applications, like LastPass and Vimeo, will show a pop-up when you first start them saying that they won't be able to run without Google Services. Some might be able to run and some won't, unless you install microG; then you won't have this issue.

What is MicroG?
Actually, microG is a free software clone of Google's proprietary center libraries and applications. To be more specific, it's a FLOSS (Free/Libre Open Source Software) framework to permit applications designed for Google Play Services to operate on programs in which Play Services is not available. It provides all the needed APIs provided by Google Play Services so that the programs dependent on it may operate normally.

Telegram Links for microG Group Help
Update: I installed microG on my OnePlus 5T running Phoenix Rom. This Rom has signature spoofing already baked into it, so the installation is simpler, runs very smooth, better battery life and security. For detailed installation instruction, see post #5 below.

What is microG Signature Spoofing

To use all the neat features from the microG project, which allows you to use all features of your Android smartphone without proprietary battery-consuming Google blobs, your system is required to support signature spoofing. Currently only very few custom ROMs have built-in support for this feature, luckily you can use Xposed or a patching tool to add the feature to the systems that don’t have it.

But: What is all this about? Is signature spoofing a problem when not using microG? Will it influence my security?

About signature spoofing

On Android, all applications are signed (usually using SHA1 with RSA). The certificate/key-combinations used to sign apps are self-signed. This means there is no PKI / certificate authority to verify a key to be owned by a person/company/entity. Thus everyone can come up with a key that has an equally valid Google certificate as keys used by Google to publish their apps.

However, on Android signatures are not designed to serve the purpose of verifying ownership/source of a package. Signatures are used to verify integrity and to ensure the same package author when updating apps. The second one is important, to verify that only the author has access to the private storage of an app. A different author is not able to sign an app using the same key, because he does not have access to it, and thus cannot provide an update to an application that will be granted access to the app's private storage. For example, the Signal app provided by OpenWhisperSystems is signed by a key not available to third parties and thus Signal can store chat history in the private app storage and doesn’t need to fear that a rogue update can access this data. This means that signatures are important to ensure the secrecy of the private app storage and thus are an essential part of the Android package management's security system.

Signature spoofing allows applications to behave like being signed by a third party. This means that whenever one application asks the operating system for the certificate used to sign an installed package and that package uses signature spoofing, instead of the certificate attached to the app, a spoofed certificate is returned. This certificate has to be announced in the AndroidManifest.xml and the app is required to request the android.permission.FAKE_SIGNATURE permission. This means that it is not only easy to detect that an application uses signature spoofing, the user also has to give their consent – before Android 6, this was done during installation time, since then the consent is even more explicit in a dedicated pop-up, and the user can decide not to grant the permission.

Of course only very few developers ever ask for the certificate used to sign an application. There are numerous reasons for that:

  • In most cases you only want to verify that an app is signed with the same key as yours (e.g. the apps are from the same author). For this case, the package manager has a method checkSignatures which compares the certificates of two packages. Thus the app author is not required to mess with byte arrays returned when requesting the certificate – and verifying the author name of a certificate is completely useless as described above.
  • If you want to use any kind of security model, you are much more likely to introduce a custom permission. On Android every app can declare a new permission and decide which apps will be granted this permission. One option here is to restrict by signature, or you can also require explicit user consent. This again is a lot easier than working with certificates, even more flexible and can be used to allow third parties to integrate with your app (at the user's decision). Nice!
  • Directly working with certificates is not considered a security feature and is not listed on the security tips article in the documentation, whereas the proper use of permissions is.
  • When using the package manager's GET_SIGNATURES feature to directly access the certificate, the Android lint tool (which is usually used during the compilation process) will print a high priority warning, as improper use of this feature can be a security risk and the proper use is rather complicated. So complicated that Google themselves did it wrong once, resulting in a major Android security vulnerability (sometimes referred to as the Fake ID vulnerability).

So why does microG require signature spoofing?

Now that we know that only very few use direct access to certificates, you might wonder why microG needs it for certain features. Well, the fact is that although most developers don’t even know about it, their apps actually do direct certificate access. This is due to how Google Play Services works:



Applications that use Google Play Services use the Play Services client library. This library is directly embedded into the application, is delivered as part of it and finally runs in the security context of that app. And this library actually uses direct certificate access to ensure that the Play Services app installed on the device is signed by a specific private key. It also verifies that the Play Store is installed (and signed using the same key), although it is not required for Play Services to run. This is the reason for the development of the microG FakeStore app.

There is one other popular use case I’d like to stress: DRM. Some developers use direct certificate access to verify that the application itself is signed by them. The reason for this is simple: If you modify an application you need to sign it (the previous signature is broken, if your system is not vulnerable to the “Android Master Key” vulnerability). As you don’t have the private key of the original developer you will not be able to create a valid signature that has the same certificate. This means you can’t modify the application without the original developer knowing about it. (Well, you could modify the checking code itself, …). With signature spoofing you can easily bypass these restrictions – as long as the app does not contain code to detect signature spoofing.

by ~larma/blog


If your Rom does not support Signature Spoofing, take a look at this link.
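
The quoted explanation above says a package that wants a spoofed certificate must announce it in AndroidManifest.xml and request android.permission.FAKE_SIGNATURE, which makes such packages easy to find on a ROM that grants the permission. The following Python audit of decoded manifests is an added example, not code from this thread or from the microG project. It assumes the announcement is an `<application>` meta-data entry named `fake-signature` holding the hex-encoded certificate; the manifests, the `org.example.*` packages and the certificate bytes are constructed samples.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission name as given in the post above.
FAKE_SIGNATURE_PERMISSION = "android.permission.FAKE_SIGNATURE"
# Assumption: the certificate is announced in <application><meta-data> named
# "fake-signature", with the hex-encoded certificate as its value.
FAKE_SIGNATURE_META = "fake-signature"


@dataclass
class SpoofingAudit:
    package: str
    requests_permission: bool
    announced_cert_sha256: Optional[str]  # fingerprint of the announced cert
    verdict: str


def cert_fingerprint(cert_hex: str) -> str:
    """SHA-256 of the announced certificate bytes, or a marker if not hex."""
    try:
        return hashlib.sha256(bytes.fromhex(cert_hex.strip())).hexdigest()
    except ValueError:
        return "<value is not hex>"


def audit_manifest(manifest_xml: str) -> SpoofingAudit:
    """Classify one decoded AndroidManifest.xml by its spoofing declarations."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")

    # Permissions can be requested through either element.
    requested = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.findall(tag)
    }
    requests_permission = FAKE_SIGNATURE_PERMISSION in requested

    cert_hex = None
    for meta in root.findall("application/meta-data"):
        if meta.get(ANDROID_NS + "name") == FAKE_SIGNATURE_META:
            cert_hex = meta.get(ANDROID_NS + "value")
    fingerprint = cert_fingerprint(cert_hex) if cert_hex else None

    if requests_permission and fingerprint:
        verdict = "spoofing-capable"   # both halves present: review this app
    elif requests_permission:
        verdict = "permission-only"    # asks for it but announces no certificate
    elif fingerprint:
        verdict = "announcement-only"  # certificate announced, permission missing
    else:
        verdict = "none"
    return SpoofingAudit(package, requests_permission, fingerprint, verdict)


def packages_to_review(manifests: Iterable[str], allowlist=frozenset()) -> List[str]:
    """Spoofing-capable packages that the device owner did not expect."""
    audits = (audit_manifest(m) for m in manifests)
    return sorted(a.package for a in audits
                  if a.verdict == "spoofing-capable" and a.package not in allowlist)


# --- Constructed sample input (not taken from any real APK) ---
SAMPLE_CERT_HEX = "3082010a0282010100"  # placeholder bytes, not a real certificate
_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="{pkg}">
  {perm}
  <application>{meta}</application>
</manifest>"""
_PERM = '<uses-permission android:name="android.permission.FAKE_SIGNATURE"/>'
_NET = '<uses-permission android:name="android.permission.INTERNET"/>'
_META = f'<meta-data android:name="fake-signature" android:value="{SAMPLE_CERT_HEX}"/>'

SAMPLE_MANIFESTS = {
    # The Play Services replacement the owner installed on purpose.
    "gms": _MANIFEST.format(pkg="com.google.android.gms", perm=_PERM, meta=_META),
    # An unrelated app that also wants to present another certificate.
    "flashlight": _MANIFEST.format(pkg="org.example.flashlight", perm=_PERM, meta=_META),
    "notes": _MANIFEST.format(pkg="org.example.notes", perm=_PERM, meta=""),
    "weather": _MANIFEST.format(pkg="org.example.weather", perm=_NET, meta=""),
}

if __name__ == "__main__":
    for xml_text in SAMPLE_MANIFESTS.values():
        print(audit_manifest(xml_text))
    print("review:", packages_to_review(SAMPLE_MANIFESTS.values(),
                                        allowlist={"com.google.android.gms"}))
```

The fingerprint of the announced certificate is what to compare against the package the app is expected to stand in for; an unexpected package in the review list is the case the consent pop-up described above is meant to catch.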

 

xXxGeek

Senior Member
Dec 3, 2012
97
95
Beer Capital
No Gapps Setup Guides

Helpful links to setting up no Gapps

Signature Spoofing

[INDEX] How to get the signature spoofing patch

microG unofficial installer simplify the installation of microG

MicroG, gapps in only 11mb

NanoDroid By Setialpha, XDA Ad-Free Senior Member

microG By MaR-V-iN, XDA Senior Member

[MOD][FLASHABLE] microG unofficial installer

microG/Android Packages apps GmsCore

{FIRE Gapps-Go™+Tweaks™ for OREO}*{*Micro-G™*}*{FIRE Audio™ For LP-Oreo}

If you are using microG as a replacement for the Google Play Services, the ROM that you install needs to have support for signature spoofing. In short, this allows microG to pretend to be the official Google Play Services, otherwise the system and other apps won’t listen to it. If you have the Xposed Framework installed, the following module will enable signature spoofing: FakeGApps by thermatk. You can find more on the microG wiki

Telegram Links for microG Group Help

 

xXxGeek

Senior Member
Dec 3, 2012
97
95
Beer Capital
A Few Roms That Support Signature Spoofing

I have listed several microG Roms that are pre-built or compatible with microG. If you have tested any of these or used any other microG builds, please let us know :eek: I'm currently running Phoenix Rom on my OnePlus 5T without Gapps installed. All these Roms grant signature spoofing permissions; this is needed for any Rom to be able to run microG.

 

xXxGeek

Senior Member
Dec 3, 2012
97
95
Beer Capital
INSTALLATION OF microG

This post will show you how to install microG.

First, you must have a Rom that doesn't have Gapps installed. Next, if your Rom supports signature spoofing, go to the first step. If your Rom doesn't support signature spoofing, go to this link to patch your Rom (How to get the signature spoofing patch), then come back for installation of microG.

If you're not sure if your Rom supports microG, just go through the first step below, open the microG Settings app, then "Self-Check". It should look like the attached picture at the bottom of this page; if not, you need to patch your Rom.

FIRST STEP:
1. Must unlock boot-loader and have TWRP installed. Download the app below to your PC and follow the instructions. If your phone is unlocked and TWRP installed, skip this step.
If you already have your device unlocked and TWRP installed, do a recovery backup in TWRP, then copy it to your pc, I normally just copy all my files from my phone to my pc or external device.

You must do a fresh install in order to have microG working properly. I use "ALL IN ONE TOOL"; these are my steps from the ALL IN ONE TOOL app: "Reboot Bootloader" and select "Erase All Data / Decrypt Internal Storage", next click on "Recovery Flasher" and choose "Select recovery", TWRP 3.2.1 Universal (Your Device), then select "Only boot it" and "FLASH".

2. From PC, download firmware (if needed), Rom and microG, this is for the Phoenix Rom. If you are using a different Rom, your installation might be different, just flash microG after flashing your Rom.


3. From recovery, move downloads onto phone. Install Rom then microG, reboot system.

SECOND STEP:
1. Downloads to PC.
  • Magisk & Magisk Manager If you want Root. For the Phoenix Rom, install Magisk v14.0 first, then upgrade to v15.3 after first reboot, known to boot loop otherwise.
  • F-Droid
2. Move all download to phone, boot into recovery, install Magisk and No GApps Package, reboot.
3. Open your Files app, navigate to folder you put apk's, Install Magisk Manager.apk and F-Droid.apk/unless you flashed No GApps Packages.

THIRD STEP:
  1. In phone, navigate to System Setting, Location, Mode and change it to High accuracy.
  2. Go to UnifiedNlp Settings and enable Network based Geo-location and Address lookup.
  3. Open F-Droid Store and swipe down on screen to update repositories, now install Mozilla Stumbler from F-Droid Store and start.
  4. Open microG Settings app, go to UnifiedNlp Settings, make sure everything is checked for Address lookup and Network based Geolocation.
  5. Now go to main page of microG Settings, then Self-Check, check box, System grants signature spoofing permission, grant access, Allow.

Access your paid applications from play store

1. Install a PlayStore APK
  • If you have BlankStore installed, continue with the next step.
  • If you want to be able to access the Play Store, install BlankStore from the XDA thread. It is not a requirement that you set it up correctly and this is not covered by these instructions. If you need help, ask in the BlankStore original thread.
  • If you don't care about Play Store access, Install FakeStore.zip.
2. Open the microG Settings
  which are available in the launcher now. If you want to use any Google services (Log-In, Cloud Messaging), tick both checkboxes for background services. This is the only supported setup, but you are free to disable them if you like playing with fire. You can also open the UnifiedNlp settings to enable the location backends of your choice. If you don't have any yet, check out F-Droid. For further questions and concerns regarding UnifiedNlp, use its corresponding GitHub repo or XDA thread.
3. Reboot your device
  If you skip this step, everything unwanted is possible.
4. Disable Battery Optimization
  if you use Android 6 (Marshmallow) or above. Ensure that it is disabled for microG Services Core in System Settings > Battery > Menu > Battery optimization. Note that this is the case for the original Play Services, as it is required to keep a stable background connection.

Note: On Android 7 (or later) an additional patch is needed to make location work, or alternatively, you can install GmsCore.apk in the /system/priv-app folder. This can be done by using adb push.

Testing
  • You can test Google Cloud Messaging using this test application*. Push notifications do not require account registration.
  • You can add an account through the system settings. Some applications might ask you to do so, if you don't.
  • Apps that use Cloud Messaging must be installed after GmsCore, or else they will not work. Some applications that can run when microG GmsCore is installed in the correct order: TextSecure/Signal, Play Music, YouTube
  • If you are using AdAway, make sure to put mtalk.google.com on your whitelist, or else problems are likely to occur when using Google Cloud Messaging. Thanks @benstyle1 on XDA for the hint.


Telegram Links for microG Group Help

 

mi3x

Senior Member
Aug 16, 2010
408
33
Bucharest
Awesome thread, thank you very much for your efforts. I followed the nogapps tutorial to the letter, still having problem with Signal app.
It wouldn't register my phone number. Can you maybe check it also? https://www.signal.org/android/apk/
LE: NVM, solved it by enabling GCM in MicroG settings and register Signal in MicroG GCM settings.
Another question, how much time should I keep Mozilla Stumbler from F-Droid Store scanning, and is it required?
Thanks again.
 

xXxGeek

Senior Member
Dec 3, 2012
97
95
Beer Capital
Awesome thread, thank you very much for your efforts. I followed the nogapps tutorial to the letter, still having problem with Signal app.
It wouldn't register my phone number. Can you maybe check it also? https://www.signal.org/android/apk/
LE: NVM, solved it by enabling GCM in MicroG settings and register Signal in MicroG GCM settings.
Another question, how much time should I keep Mozilla Stumbler from F-Droid Store scanning, and is it required?
Thanks again.

Thanks for the post, this has been a learning experience for me, I just wanted to share my procedure with anyone interested in installing microG. I use Signal as well, glad you figured it out, and as for Mozilla Stumbler, there is no need for it to be scanning after you have accessed the Play Store. I'm assuming that you're using the OP5T phone with the Liquid Remix Rom; if so, I have updated the installation process, now there is no need to use Xposed framework.
 

mi3x

Senior Member
Aug 16, 2010
408
33
Bucharest
I really appreciate it, you saved me from a lot of work, nicely gathering them all into this special thread. Fortunately enough, I use a different rom, Unofficial LineageOS 14.1 with custom kernel and it works perfectly as well.
I followed your steps in post 5, everything went smoothly.
Many thanks once again, for me this is a gem, just migrated from iOS and slowly moving away from google and trying to replace most of my apps, just setup my davDroid with my nextcloud server, it'll take some time but I'll get there eventually.

Now a question about playstore, did I misunderstand, or why would I access it anyway? The other non FOSS apps which I need at the moment, I install from yalp. Please advise a bit on this angle.

Have a good one.
 

vagkoun83

Senior Member
Jan 18, 2014
194
60
Athens
Excellent thread. I have used microG for 2 years, with the LG G2 and now with the OP5T for about 1,5 months on the stock ROM. I am also trying to de-Google myself as much as I can.
F-Droid has excellent apps and you can find everything. I prefer lightweight apps with fewer permissions and less RAM/MB, e.g. NewPipe is an excellent YouTube replacement. I subscribe to this thread. Keep it GOOGLESS

Sent from my ONEPLUS 5T
 

MsuatafaKhatab

Senior Member
Sep 15, 2013
552
23
Xiaomi Poco F3
OnePlus 10 Pro
Excellent thread. I have used microG for 2 years, with the LG G2 and now with the OP5T for about 1,5 months on the stock ROM. I am also trying to de-Google myself as much as I can.
F-Droid has excellent apps and you can find everything. I prefer lightweight apps with fewer permissions and less RAM/MB, e.g. NewPipe is an excellent YouTube replacement. I subscribe to this thread. Keep it GOOGLESS

Sent from my ONEPLUS 5T
Pro can you tell me how you debloat Google apks without problem

Sent from my ONEPLUS A5010 using Tapatalk
 

vagkoun83

Senior Member
Jan 18, 2014
194
60
Athens
The microG unofficial installer deletes conflicting apps.
The rest of the apps can be uninstalled with apps like Titanium.
 

xXxGeek

Senior Member
Dec 3, 2012
97
95
Beer Capital
I really appreciate it, you saved me from a lot of work, nicely gathering them all into this special thread. Fortunately enough, I use a different rom, Unofficial LineageOS 14.1 with custom kernel and it works perfectly as well.
I followed your steps in post 5, everything went smoothly.
Many thanks once again, for me this is a gem, just migrated from iOS and slowly moving away from google and trying to replace most of my apps, just setup my davDroid with my nextcloud server, it'll take some time but I'll get there eventually.

Now a question about playstore, did I misunderstand, or why would I access it anyway? The other non FOSS apps which I need at the moment, I install from yalp. Please advise a bit on this angle.

Have a good one.

Good day. Personally I don't need access to the Play Store; however, I receive a number of requests from people that enjoy running microG but want access to the Play Store for their purchased applications, and others like to try out new Roms, flashing many times a week. Unfortunately Gapps has issues with the Play Store breaking when flashing Roms multiple times; as for microG and the Yalp Store, they don't have this problem.

If you haven't already joined Telegram, I recommend trying it out. Below I have listed your Rom link and several microG Groups as well.

Telegram Links
 

xXxGeek

Senior Member
Dec 3, 2012
97
95
Beer Capital
Pro can you tell me how you debloat Google apks without problem

Sent from my ONEPLUS A5010 using Tapatalk

I'm not really sure what you're asking, but I will try. I see that you have the OnePlus 5T, and the best way I have found to do this is to install a Rom that doesn't have Gapps installed.

I have the same phone, and found that the Liquid Remix Rom is a good choice, it also supports signature spoofing. I will list a few links below that help with the OP5T phone.

Update: Phoenix Rom I'm using now, much smoother and supports signature spoofing.

Setting Up Your OP5T
 

xXxGeek

Senior Member
Dec 3, 2012
97
95
Beer Capital
Protect Your Data

Google doesn’t have a camera in every home, but it does have phones in millions of pockets.

Google's tracking explained. On two phones, without SIM, no data during travel, and one even in airplane mode. Watch this short video, you might be amazed.

YouTube Link: How much info is Google getting from your phone?
YouTube Alternative App: NewPipe

Your Data
Google wants you to understand what data they collect and use.

Google Services Contract
When you use Google services, you trust us with your data. It is our responsibility to be clear about what we collect and how we use it to make our services work better for you.

Here are the three main types of data we collect:

Things you do

When you use our services — for example, do a search on Google, get directions on Google Maps, or watch a video on YouTube — we collect data to make these services work for you. This can include:

  • Things you search for
  • Websites you visit
  • Videos you watch
  • Ads you click on or tap
  • Your location
  • Device information
  • IP address and cookie data

Things you create

If you are signed in with your Google Account, we store and protect what you create using our services. This can include:

  • Emails you send and receive on Gmail
  • Contacts you add
  • Calendar events
  • Photos and videos you upload
  • Docs, Sheets, and Slides on Drive

Things that make you “you”

When you sign up for a Google account, we keep the basic information that you give us. This can include your:

  • Name
  • Email address and password
  • Birthday
  • Gender
  • Phone number
  • Country

Protect Your Data with XPrivacyLua
XPrivacyLua protects your privacy by feeding applications fake data or no data at all, or by restricting applications from accessing data categories such as contacts and location. It doesn’t revoke or block applications’ permissions (with the exception of internet and storage access), so most apps don’t misbehave or crash when they’re denied access. And it shows handy icons when applications request permissions, connect to the internet, or attempt to access sensitive data. If you value your privacy, please consider supporting this project with a donation or by purchasing pro features.

Post your favorite Rom or applications you are using for privacy.
 

Listerine

Senior Member
Aug 11, 2011
64
3
I'm not really sure what you're asking, but I will try. I see that you have the OnePlus 5T, and the best way I have found to do this is to install a Rom that doesn't have Gapps installed.

I have the same phone, and found that the Liquid Remix Rom is a good choice, it also supports signature spoofing. I will list a few links below that help with the OP5T phone.

Update: Phoenix Rom I'm using now, much smoother and supports signature spoofing.

Setting Up Your OP5T

So I take it the Tool-all-in one works for the 5T even though it's not specifically mentioned in the link? (I only saw it said it works for 3T)

Now the best way to not use google is to use a rom that doesn't include it. However, what if the ROM you want to use doesn't have an official version/or if you want to use the stock ROM for one reason or another? Let's say I turn on the phone, never log on to any google services, disable as many google apps as I can -- (though one can only deny google play services permissions, but not disable the app) -- does that provide a good amount of privacy? Or does google still manage to track you somehow?
 

vagkoun83

Senior Member
Jan 18, 2014
194
60
Athens
So I take it the Tool-all-in one works for the 5T even though it's not specifically mentioned in the link? (I only saw it said it works for 3T)

Now the best way to not use google is to use a rom that doesn't include it. However, what if the ROM you want to use doesn't have an official version/or if you want to use the stock ROM for one reason or another? Let's say I turn on the phone, never log on to any google services, disable as many google apps as I can -- (though one can only deny google play services permissions, but not disable the app) -- does that provide a good amount of privacy? Or does google still manage to track you somehow?
Unofficial microg installer can uninstall conflict packages and deletes Google stuff. There is no reason to keep stuff you don't need. Especially Google stuff. I install microg unofficial installer on nougat and now on oreo without problem.

Sent from my ONEPLUS 5T
 

Listerine

Senior Member
Aug 11, 2011
64
3
Unofficial microg installer can uninstall conflict packages and deletes Google stuff. There is no reason to keep stuff you don't need. Especially Google stuff. I install microg unofficial installer on nougat and now on oreo without problem.

Sent from my ONEPLUS 5T

Didn't know the other installers would uninstall conflict packages -- I guess I didn't see any reference to that. In the instructions, it says that it requires spoofing, but do you need spoofing only if you need to use the app store?

There are a lot of unofficial microg installers out there -- did you mean this one?
https://xdaforums.com/android/development/microg-unofficial-installer-t3432360

Anyways, what if you didn't want to deal with the hassle of rooting, installing ROMs and just wanted a simpler way to prevent google from data collection. Does the disabling method work or is it ineffective?
 

vagkoun83

Senior Member
Jan 18, 2014
194
60
Athens
Didn't know the other installers would uninstall conflict packages. I didn't see any reference to that.

There are a lot of unofficial microg installers out there -- did you mean this one?
https://xdaforums.com/android/development/microg-unofficial-installer-t3432360

-About doing these installers, I would need root, so that would prevent OTAs, wouldn't it?
-I also notice that it says it requires signature spoofing. That's only required if you buy or download stuff from the play store, correct?

Exactly this one. So for this you need custom recovery for flashing. When I want to update to a newer oxygen I just flash rom & magisk & microg unofficial installer via recovery.

I personally don't have signature spoofing and playstore works ok but the right way is to use sign. Spoofing. Yes you can download stuff from Google without problem.


Sent from my ONEPLUS 5T
 

Listerine

Senior Member
Aug 11, 2011
64
3
Exactly this one. So for this you need custom recovery for flashing. When I want to update to a newer oxygen I just flash rom & magisk & microg unofficial installer via recovery.

I personally don't have signature spoofing and playstore works ok but the right way is to use sign. Spoofing. Yes you can download stuff from Google without problem.


Sent from my ONEPLUS 5T

It has just occurred to me that the Chinese version of the OnePlus 5T has exactly the same hardware as the International version...but the Chinese version doesn't have any google apps installed.

So...wouldn't the easiest way to de-bloat from google just to install Hydrogen OS? You wouldn't even have to root for that.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 21

    Below are a few applications that I have tested without Gapps installed. I have also listed a few alternative store applications with their links. I exclusively use FLOSS, Free/Libre and Open Source Software, and because of this, I chose to install F-Droid.

    What is "FLOSS and FOSS"
    The two political camps in the free software community are the free software movement and open source. The free software movement is a campaign for computer users' freedom; we say that a nonfree program is an injustice to its users. The open source camp declines to see the issue as a matter of justice to the users, and bases its arguments on practical benefits only.

    To emphasize that “free software” refers to freedom and not to price, we sometimes write or say “free (libre) software,” adding the French or Spanish word that means free in the sense of freedom. In some contexts, it works to use just “libre software.”

    A researcher studying practices and methods used by developers in the free software community decided that these questions were independent of the developers' political views, so he used the term “FLOSS,” meaning “Free/Libre and Open Source Software,” to explicitly avoid a preference between the two political camps. If you wish to be neutral, this is a good way to do it, since this makes the names of the two camps equally prominent.

    Others use the term “FOSS,” which stands for “Free and Open Source Software.” This is meant to mean the same thing as “FLOSS,” but it is less clear, since it fails to explain that “free” refers to freedom. It also makes “free software” less visible than “open source,” since it presents “open source” prominently but splits “free software” apart.

    “Free and Open Source Software” is misleading in another way: it suggests that “free and open source” names a single point of view, rather than mentioning two different ones. This conceptualization of the field is an obstacle to understanding the fact that free software and open source are different political positions that disagree fundamentally.

    Thus, if you want to be neutral between free software and open source, and clear about them, the way to achieve that is to say “FLOSS,” not “FOSS.”

    We in the free software movement don't use either of these terms, because we don't want to be neutral on the political question. We stand for freedom, and we show it every time—by saying “free” and “libre”—or “free (libre)”. (by Richard Stallman)


    If you're running a Rom without Gapps, some applications like "Last Pass and Vimeo" will show a pop-up when you first start them that says they won't be able to run without Google Services. They might be able to run and some won't, unless you install microG; then you won't have this issue.

    What is MicroG?
    Actually, microG is a free software clone of Google's proprietary core libraries and applications. To be more specific, it's a FLOSS (Free/Libre Open Source Software) framework that permits applications designed for Google Play Services to operate on systems in which Play Services is not available. It provides all the needed APIs provided by Google Play Services so that the programs dependent on it can operate normally.

    Telegram Links for microG Group Help
    Update: I installed microG on my OnePlus 5T running Phoenix Rom. This Rom has signature spoofing already baked into it, so the installation is simpler, runs very smooth, better battery life and security. For detailed installation instruction, see post #5 below.

    What is microG Signature Spoofing

    To use all the neat features from the microG project, which allows you to use all features of your Android smartphone without proprietary battery-consuming Google blobs, your system is required to support signature spoofing. Currently only very few custom ROMs have built-in support for this feature, luckily you can use Xposed or a patching tool to add the feature to the systems that don’t have it.

    But: What is all this about? Is signature spoofing a problem when not using microG? Will it influence my security?

    About signature spoofing

    On Android, all applications are signed (usually using SHA1 with RSA). The certificate/key-combinations used to sign apps are self-signed. This means there is no PKI / certificate authority to verify a key to be owned by a person/company/entity. Thus everyone can come up with a key that has an equally valid Google certificate as keys used by Google to publish their apps.

    However, on Android signatures are not designed to serve the purpose of verifying ownership/source of a package. Signatures are used to verify integrity and to ensure the same package author when updating apps. The second one is important, to verify that only the one author has access to the private storage of an app. A different author is not able to sign an app using the same key, because he does not have access to it, and thus cannot provide an update to an application that will be granted access to the app's private storage. For example, the Signal app provided by OpenWhisperSystems is signed by a key not available to third parties and thus Signal can store chat history in the private app storage and doesn't need to fear that a rogue update can access this data. This means that signatures are important to ensure the secrecy of the private app storage and thus are an essential part of the Android package management's security system.

    Signature spoofing allows applications to behave like being signed by a third party. This means that whenever one application asks the operating system for the certificate used to sign an installed package and that package uses signature spoofing, instead of the certificate attached to the app, a spoofed certificate is returned. This certificate has to be announced in the AndroidManifest.xml and the app is required to request the android.permission.FAKE_SIGNATURE permission. This means that it is not only easy to detect that an application uses signature spoofing, the user also has to give their consent – before Android 6, this was done during installation time, since then the consent is even more explicit in a dedicated pop-up, and the user can decide not to grant the permission.

    Of course only very few developers ever ask for the certificate used to sign an application. There are numerous reasons for that:

    • In most cases you only want to verify that an app is signed with the same key as yours (e.g. the apps are from the same author). For this case, the package manager has a method checkSignatures which compares the certificates of two packages. Thus the app author is not required to mess with byte arrays returned when requesting the certificate – and verifying the author name of a certificate is completely useless as described above.
    • If you want to use any kind of security model, you are much more likely to introduce a custom permission. On Android every app can declare a new permission and decide which apps will be granted this permission. One option here is to restrict by signature, or you can also require explicit user consent. This again is a lot easier than working with certificates, even more flexible and can be used to allow third parties to integrate with your app (on the user's decision). Nice!
    • Directly working with certificates is not considered a security feature and is not listed on the security tips article in the documentation, whereas the proper use of permissions is.
    • When using the package manager's GET_SIGNATURES feature to directly access the certificate, the Android lint tool (which is usually used during the compilation process) will print a high priority warning, as improper use of this feature can be a security risk and the proper use is rather complicated. So complicated that Google themselves did it wrong once, resulting in a major Android security vulnerability (sometimes referred to as the Fake ID vulnerability).

    So why does microG require signature spoofing?

    Now that we know that only very few use direct access to certificates, you might wonder why microG needs it for certain features. Well, the fact is that although most developers don’t even know about it, their apps actually do direct certificate access. This is due to how Google Play Services works:



    Applications that use Google Play Services use the Play Services client library. This library is directly embedded into the application, is delivered as part of it and finally runs in the security context of that app. And this library actually uses direct certificate access to ensure that the Play Services app installed on the device is signed by a specific private key. It also verifies that the Play Store is installed (and signed using the same key), although it is not required for Play Services to run. This is the reason for the development of the microG FakeStore app.

    There is one other popular use case I’d like to stress: DRM. Some developers use direct certificate access to verify that the application itself is signed by them. The reason for this is simple: If you modify an application you need to sign it (the previous signature is broken, if your system is not vulnerable to the “Android Master Key” vulnerability). As you don’t have the private key of the original developer you will not be able to create a valid signature that has the same certificate. This means you can’t modify the application without the original developer knowing about it. (Well, you could modify the checking code itself, …). With signature spoofing you can easily bypass these restrictions – as long as the app does not contain code to detect signature spoofing. by ~larma/blog


    If your Rom does not support Signature Spoofing, take a look at this link.
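The post above notes that an app using signature spoofing must request android.permission.FAKE_SIGNATURE and that the user can decline it, which makes spoofing easy to audit. As an added example (not from the original post or the microG project), this Python script lists which packages request or hold that permission; the input is a constructed sample shaped like `adb shell dumpsys package` output, and the com.example package names are hypothetical.

```python
import re

FAKE_SIG = "android.permission.FAKE_SIGNATURE"
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^([A-Za-z0-9_.]+): granted=(true|false)")

# Constructed sample, shaped like `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.google.android.gms] (1a2b3c4):
    requested permissions:
      android.permission.INTERNET
      android.permission.FAKE_SIGNATURE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.FAKE_SIGNATURE: granted=true, flags=[ USER_SET ]
  Package [com.example.patchedgame] (5d6e7f8):
    requested permissions:
      android.permission.FAKE_SIGNATURE
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.FAKE_SIGNATURE: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (9a0b1c2):
    requested permissions:
      android.permission.INTERNET
"""

def audit_fake_signature(dumpsys_text):
    """Map package name -> 'granted' or 'requested, not granted'."""
    requested, granted = set(), set()
    pkg = section = None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        m = PKG_RE.match(line)
        if m:
            pkg, section = m.group(1), None
        elif pkg is None or not stripped:
            continue
        elif stripped.endswith("permissions:"):
            section = stripped[:-1]
        elif section == "requested permissions":
            name = stripped.split(":", 1)[0]  # drop any ": restricted=true" suffix
            if not re.fullmatch(r"[A-Za-z0-9_.]+", name):
                section = None  # left the permission list
            elif name == FAKE_SIG:
                requested.add(pkg)
        elif section in ("install permissions", "runtime permissions"):
            g = GRANT_RE.match(stripped)
            if g is None:
                section = None  # left the grant list
            elif g.group(1) == FAKE_SIG and g.group(2) == "true":
                granted.add(pkg)
    return {p: "granted" if p in granted else "requested, not granted"
            for p in sorted(requested | granted)}

if __name__ == "__main__":
    for package, state in audit_fake_signature(SAMPLE_DUMPSYS).items():
        print(f"{package}: FAKE_SIGNATURE {state}")
```

On a Rom with microG set up, only the microG packages would be expected to show up as granted; any other package in the result deserves a closer look.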

    12
    No Gapps Setup Guides

    Helpful links to setting up no Gapps

    Signature Spoofing

    [INDEX] How to get the signature spoofing patch

    microG unofficial installer simplify the installation of microG

    MicroG, gapps in only 11mb

    NanoDroid By Setialpha, XDA Ad-Free Senior Member

    microG By MaR-V-iN, XDA Senior Member

    [MOD][FLASHABLE] microG unofficial installer

    microG/Android Packages apps GmsCore

    {FIRE Gapps-Go™+Tweaks™ for OREO}*{*Micro-G™*}*{FIRE Audio™ For LP-Oreo}

    If you are using microG as a replacement for the Google Play Services, the ROM that you install needs to have support for signature spoofing. In short, this allows microG to pretend to be the official Google Play Services, otherwise the system and other apps won’t listen to it. If you have the Xposed Framework installed, the following module will enable signature spoofing: FakeGApps by thermatk. You can find more on the microG wiki

    Telegram Links for microG Group Help

    8
    A Few Roms That Support Signature Spoofing

    I have listed several microG Roms that are pre-built or compatible with microG. If you have tested either one of these or used any other microG builds, please let us know. I'm currently running Phoenix Rom on my OnePlus 5T without Gapps installed. All these Roms grant signature spoofing permissions; this is needed for any Rom to be able to run microG.

    6
    INSTALLATION OF microG

    This post will show you how to install microG.

    First, you must have a Rom that doesn't have Gapps installed. Next, if your Rom supports signature spoofing, go to the first step. If your Rom doesn't support signature spoofing, go to this link to patch your Rom (How to get the signature spoofing patch), then come back for installation of microG.

    If you're not sure if your Rom supports microG, just go through the first step below, open the microG Settings app, then "Self-Check". It should look like the attached picture at the bottom of this page; if not, you need to patch your Rom.

    FIRST STEP:
    1. You must unlock the bootloader and have TWRP installed. Download the app below to your PC and follow the instructions; if your phone is unlocked and TWRP is installed, skip this step.
    If you already have your device unlocked and TWRP installed, do a recovery backup in TWRP, then copy it to your PC. I normally just copy all my files from my phone to my PC or external device.

    You must do a fresh install in order to have microG working properly. I use "ALL IN ONE TOOL"; these are my steps from the ALL IN ONE TOOL app: "Reboot Bootloader" and select "Erase All Data / Decrypt Internal Storage", next click on "Recovery Flasher" and choose "Select recovery", TWRP 3.2.1 Universal (Your Device), then select "Only boot it" and "FLASH".

    2. From PC, download firmware (if needed), Rom and microG. This is for the Phoenix Rom. If you are using a different Rom, your installation might be different; just flash microG after flashing your Rom.


    3. From recovery, move downloads onto phone. Install Rom then microG, reboot system.

    SECOND STEP:
    1. Downloads to PC.
    • Magisk & Magisk Manager, if you want root. For the Phoenix Rom, install Magisk v14.0 first, then upgrade to v15.3 after first reboot; it is known to boot loop otherwise.
    • F-Droid
    2. Move all downloads to the phone, boot into recovery, install Magisk and the No GApps Package, reboot.
    3. Open your Files app, navigate to the folder where you put the APKs, and install Magisk Manager.apk and F-Droid.apk, unless you flashed No GApps Packages.

    THIRD STEP:
    1. In phone, navigate to System Setting, Location, Mode and change it to High accuracy.
    2. Go to UnifiedNlp Settings and enable Network based Geo-location and Address lookup.
    3. Open F-Droid Store and swipe down on screen to update repositories, now install Mozilla Stumbler from F-Droid Store and start.
    4. Open microG Settings app, go to UnifiedNlp Settings, make sure everything is checked for Address lookup and Network based Geolocation.
    5. Now go to main page of microG Settings, then Self-Check, check box, System grants signature spoofing permission, grant access, Allow.

    Access your paid applications from play store

    1. Install a PlayStore APK
    • If you have BlankStore installed, continue with the next step.
    • If you want to be able to access the Play Store, install BlankStore from the XDA thread. It is not a requirement that you set it up correctly and this is not covered by these instructions. If you need help, ask in the BlankStore original thread.
    • If you don't care about Play Store access, Install FakeStore.zip.
    2. Open the microG Settings
    which are available in the launcher now. If you want to use any Google services (Log-In, Cloud Messaging), tick both checkboxes for background services. This is the only supported setup, but you are free to disable them if you like playing with fire. You can also open the UnifiedNlp settings to enable the location backends of your choice. If you don't have any yet, check out F-Droid. For further questions and concerns regarding UnifiedNlp, use its corresponding GitHub repo or XDA thread.
    3. Reboot your device
    If you skip this step, everything unwanted is possible.
    4. Disable Battery Optimization
    if you use Android 6 (Marshmallow) or above. Ensure that it is disabled for microG Services Core in System Settings > Battery > Menu > Battery optimization. Note that this is the case for the original Play Services, as it is required to keep a stable background connection.

    Note: On Android 7 (or later) an additional patch is needed to make location work, or alternatively, you can install GmsCore.apk in the /system/priv-app folder. This can be done by using adb push.

    Testing
    • You can test Google Cloud Messaging using this test application*. Push notifications do not require account registration.
    • You can add an account through the system settings. Some applications might ask you to do so, if you don't.
    • Apps that use Cloud Messaging must be installed after GmsCore, or else they will not work. Some applications that can run if microG GmsCore is installed in the correct order: TextSecure/Signal, Play Music, YouTube
    • If you are using AdAway, make sure to put mtalk.google.com on your whitelist, or else problems are likely to occur when using Google Cloud Messaging. Thanks @benstyle1 on XDA for the hint.


    Telegram Links for microG Group Help