[APP] microG GmsCore - lightweight free software clone of Google Play Services

Search This thread

kurtn

Senior Member
microG: information & safety about SafetyNet/DroidGuard

Hi all,

I'm using microG because I don't want closed binaries running on my Android Device with privileged rights. In this context, I would like to get more information about SafetyNet and DroidGuard, but unfortunately I don't find anything relevant.

If I understood correctly, SafetyNet is a Google API that provides information for the other applications about the state of the device, concerning the security (like bootloader state and so on). In this system, DroidGuard is a closed binary tool that can perform signatures or check in the SafetyNet context.

As indicated in microG, the SafetyNet implementation is open source, but it depends of the DroidGuard binary to perform some operations.

So my question is: is it safe to enable SafetyNet into microG, due to the DroidGuard part? By safe I mean, no risk to see a closed binary doing some thing I don't want? Because, if the service is run as root, it could theoricaly do anything on the device, no?

I'm OK to use closed apps in a microG ROM due to the authorization isolation provided by Android, and I'm also OK to use some Google features. But I'm not OK to have closed binaries running without isolation on the device.

Thanks,
lama02.
Droid guard is sandboxed by microG. And running as system app is not equal to having root privileges.
 

lama02

Member
Nov 22, 2022
10
1
Droid guard is sandboxed by microG. And running as system app is not equal to having root privileges.
OK thank you for your reply. So it's perfectly safe to run DroidGuard through microG, nice to know.
But in this case what's the purpose to use a remote DroidGuard (we can configure that in the advanced menu)?
 

ale5000

Senior Member
Dec 24, 2013
1,253
1,142
OK thank you for your reply. So it's perfectly safe to run DroidGuard through microG, nice to know.
But in this case what's the purpose to use a remote DroidGuard (we can configure that in the advanced menu)?
This would probably be even more safe, but this would need a remote server that currently doesn't exist.
It isn't just that the server isn't up, the code for the server would also need to be implemented.
 

lama02

Member
Nov 22, 2022
10
1
I don't know. Is remote droid guard a left over from the times we had a separate droid guard helper app?
This would probably be even more safe, but this would need a remote server that currently doesn't exist.
It isn't just that the server isn't up, the code for the server would also need to be implemented.
Thank you - ideed I searched for this remote DroidGuard but found nothing.

What do you mean by "even more safe"? If the DroidGuard process is sandboxed, what are the risks?
 

ale5000

Senior Member
Dec 24, 2013
1,253
1,142
Thank you - ideed I searched for this remote DroidGuard but found nothing.

What do you mean by "even more safe"? If the DroidGuard process is sandboxed, what are the risks?
I wasn't talking about security but about privacy, it had to download a binary from a Google server so they at least know your IP.
It isn't like there is any problem but if you want to be completely anonymous a separate server would be better.
 
  • Like
Reactions: lama02

lama02

Member
Nov 22, 2022
10
1
I wasn't talking about security but about privacy, it had to download a binary from a Google server so they at least know your IP.
It isn't like there is any problem but if you want to be completely anonymous a separate server would be better.
Perfectly clear, so it's acceptable for me. I just don't want a non sandboxed closed binary running on my phone.
Thank you :)
 

wombatch

Member
Jan 18, 2012
44
2
I am trying to install microg on a rom that is pretty much still in beta but I was hoping far enough along that it would work. I built the rom and got it installed then tried to install microg using the "by hand method" ie. copy to /system/priv-app.
The first time i did this it boot looped i haven't installed by hand for years but it seems android x(no idea which x) introduced a requirement for a permissions file in /etc/permissions. I included one of those and got out of my boot loop but still I get the message from some products (let's take signal as an example) that Play services needs to be installed or updated.

I have the latest microg (latest -1 in priv-app) so i am wondering if somewhere there is something else (like the permissions xml file) which needs to be done in order to ensure it works properly? (I've tried blank-store and fake-store).
Another thought, maybe the permissions file should have a fixed name?
Thanks for any help.
 
Last edited:

kurtn

Senior Member
I am trying to install microg on a rom that is pretty much still in beta but I was hoping far enough along that it would work. I built the rom and got it installed then tried to install microg using the "by hand method" ie. copy to /system/priv-app.
The first time i did this it boot looped i haven't installed by hand for years but it seems android x(no idea which x) introduced a requirement for a permissions file in /etc/permissions. I included one of those and got out of my boot loop but still I get the message from some products (let's take signal as an example) that Play services needs to be installed or updated.

I have the latest microg (latest -1 in priv-app) so i am wondering if somewhere there is something else (like the permissions xml file) which needs to be done in order to ensure it works properly? (I've tried blank-store and fake-store).
Another thought, maybe the permissions file should have a fixed name?
Thanks for any help.
MicroG doesn't need to be a system app to be detected by signal. But it must spoof the signature of Google play services. Did you pick a spoofing patch for your build?
 

wombatch

Member
Jan 18, 2012
44
2

ale5000

Senior Member
Dec 24, 2013
1,253
1,142
You also need FakeStore and a proper sysconfig file to work rebliably.

To note: the installers exists because 9 time out of 10 people do errors when doing things at hand.
 
  • Like
Reactions: drnightshadow

wombatch

Member
Jan 18, 2012
44
2
You also need FakeStore and a proper sysconfig file to work rebliably.

To note: the installers exists because 9 time out of 10 people do errors when doing things at hand.
A proper sysconfig file? where is this documented?
Why would I want to use an installer that does a whole load of other things?
also I see that this patch "https://github.com/lineageos4microg...es/packages_apps_PermissionController-R.patch" exists too, do I need that as well?
 

ale5000

Senior Member
Dec 24, 2013
1,253
1,142
A proper sysconfig file? where is this documented?
Why would I want to use an installer that does a whole load of other things?
also I see that this patch "https://github.com/lineageos4microg...es/packages_apps_PermissionController-R.patch" exists too, do I need that as well?
They are a whole load of other needed things (in most cases).
If you are talking about additional apps, in most cases there are options to exclude them.
Also all installers that I know are open source.

You can see an example of the sysconfig here.
You can skip the parts about apps that you don't have installed.
The file come from real life use, I'm not sure if it is documented properly, it is just used to lift some limitation of newer Android versions.

The patch you linked is related to signature spoofing patch (and it isn't the complete one, the complete one is here), in most cases it is simpler to get a ROM that already include it.
 
Last edited:
  • Like
Reactions: drnightshadow

ale5000

Senior Member
Dec 24, 2013
1,253
1,142
Hi,
I have created a script to automatically generate a device profile (usable by microG) from a device connected via adb: https://github.com/micro5k/microg-unofficial-installer/blob/main/utils/profile-generator.sh
Only adb and a device are needed (on Windows you also need busybox to execute the script).

I would like a feedback from all interested people.

PS: It can create a profile from most devices and even emulators but it only make sense to create a profile from devices that pass SafetyNet.
 
  • Like
Reactions: goofwear

AnonVendetta

Senior Member
Apr 29, 2016
1,570
571
Hi,
I have created a script to automatically generate a device profile (usable by microG) from a device connected via adb: https://github.com/micro5k/microg-unofficial-installer/blob/main/utils/profile-generator.sh
Only adb and a device are needed (on Windows you also need busybox to execute the script).

I would like a feedback from all interested people.

PS: It can create a profile from most devices and even emulators but it only make sense to create a profile from devices that pass SafetyNet.
Where/how would I "feed" this profile to MicroG?
 

ale5000

Senior Member
Dec 24, 2013
1,253
1,142
- Connect that phone (that pass SafetyNet) that you want to profile to the pc
- Run this on the pc:
Code:
sh ./profile-generator.sh > profile-name.xml
- Transfer the file
Code:
profile-name.xml
to the phone
- Choose it from microG settings => Google device registration => Import custom profile
 

kurtn

Senior Member
- Connect that phone (that pass SafetyNet) that you want to profile to the pc
- Run this on the pc:
Code:
sh ./profile-generator.sh > profile-name.xml
- Transfer the file
Code:
profile-name.xml
to the phone
- Choose it from microG settings => Google device registration => Import custom profile
And that cheats safetynet attestation into a phone without GApps or magisk or ih8sn?
 
Last edited:

AnonVendetta

Senior Member
Apr 29, 2016
1,570
571
- Connect that phone (that pass SafetyNet) that you want to profile to the pc
- Run this on the pc:
Code:
sh ./profile-generator.sh > profile-name.xml
- Transfer the file
Code:
profile-name.xml
to the phone
- Choose it from microG settings => Google device registration => Import custom profile
Do you think the busybox package offered in Cygwin's repository, will work as well in place of/instead of what you linked?

Edit: Not sure if this will work on a Note 20 Ultra 5g/Tab S7 Plus 5g, that only has an unlocked bootloader, but is otherwise currently bone stock (not rooted, no custom recovery, etc). If both pass SN, I'll try the script. If not, I'll relock the bootloader to see if that changes anything. Knox is permanently tripped on both, that isn't reversible no matter what, not sure if it affects SN status.

Edit #2: Everything passes except CTS profile. I'm on the latest stock with no modifications, so it must be the bootloader.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 566
    hXY4lcC.png

    Introduction
    microG GmsCore is a FLOSS (Free/Libre Open Source Software) framework to allow applications designed for Google Play Services to run on systems, where Play Services is not available. If you use your phone without GAPPS this might become a useful tool for you.
    microG GmsCore is one of the two core components of the microG project.
    More up-to-date descriptions and instructions might be available on the wiki

    Instructions
    Preparation:
    1. You need a 4/5/6 ROM that is GAPPS-free. Either don't install them or remove them, if your ROM ships them. Please note that microG GmsCore might run on a cleaned stock ROM, but it might also brick it or cause random bugs. Be aware that only latest Android versions (4.4+) are regularly tested and thus prioritized over older versions when issues occur.
    2. You need a ROM that supports signature faking. Some custom ROMs are patched to support signature faking out of the box, including all OmniROM-based ones. Stock CyanogenMod denied the inclusion, as the possibility of third-party play services implementations is considered a security issue (read here about why it's not). Please ask your ROM developer if unsure. The latest version of signature spoofing for Android < 6.0 has to be enabled at the bottom of the developer settings first. If your ROM does not support signature faking, but you use Xposed, you can grab a Xposed module here.
      If you are a ROM developer or just do custom builds for whatever reason, you can download and include the patch from here and here for Android 5.1 or here for Android 6.0.
    3. Remove UnifiedNlp. In case you installed it before. You can keep your backend modules installed, microG Services will be able to use them later and provide the same feature set (to be precise, microG Services includes UnifiedNlp).

    Installation:
    The installation does not require any modification of the /system partition. All installations should be done using the default app installer included with Android or using `adb install`. This means you need to enable third-party sources or developer mode first.
    1. Install GmsCore.apk as provided in the download section below.
    2. If you want to use Google Cloud Messaging ("Push-Notifications"), Install GsfProxy.apk as provided in the download section below. The GsfProxy version does not need to match the GmsCore.apk version.
      • If you have BlankStore installed, continue with the next step.
      • If you want to be able to access the Play Store, install BlankStore from its thread. It is not a requirement that you set it up correctly and this is not covered by this instructions. If you need help ask in the original thread.
      • If you don't care about Play Store access, Install FakeStore.apk as provided in the download section below.
    3. Open the microG Settings, which are available in the launcher now. If you want to use any Google services (Log-In, Cloud Messaging), tick both checkboxes for background services. This is the only supported setup, but you are free to disable them if you like playing with fire. You can also open the UnifiedNlp settings to enable the location backends of your choice. If you don't have any yet, check out F-Droid. For further questions and concerns regarding UnifiedNlp, use its corresponding thread.
    4. Reboot your device. If you skip this step, everything unwanted is possible.

    Using it:
    • You can test Google Cloud Messaging using this test application. Push notifications do not require account registration.
    • You can add an account through the system settings. Some applications might ask you to do so, if you don't.
    • Use your applications as you like. But note that apps that use Cloud Messaging must be installed after GmsCore, else they will not work. Some hint of applications that can run due to microG GmsCore: TextSecure/Signal, Play Music, YouTube
    • When using AdAway make sure to put mtalk.google.com on your whitelist, else problems are likely to occur when using Google Cloud Messaging. Thanks @benstyle1 for the hint.

    Downloads
    See this wiki page for Downloads. You can find details on the F-Droid repository on https://microg.org/fdroid/.

    Signing key
    The NOGAPPS and microG Project use a shared signing key. Apps and the F-Droid repository are signed using this key. You can verify app signatures using the Checkey app (not when signature spoofing is enabled) and the F-Droid key in F-Droid repository details.
    The SHA-256 hash of the key is:
    9B D0 67 27 E6 27 96 C0 13 0E B6 DA B3 9B 73 15 74 51 58 2C BD 13 8E 86 C4 68 AC C3 95 D1 41 65

    Current implementation progress
    Please check this wiki page for up to date implementation progress.

    Please report bugs
    This project is still rather unstable. Please report bugs as they occur. Whenever you report a bug, please tell us what application caused the bug, including its exact version. If you're the developer, name the play services library you are using. Please do not bother the original app author when it might be related to microG services. If the problem is related to geolocation with UnifiedNlp, report it in the UnifiedNlp thread, even if you're using it through GmsCore.

    Thanks
    Big thanks to everyone who continuously supported me doing this, by donating, pull-requests or just feedback.

    XDA:DevDB Information
    microG GmsCore, App for all devices (see above for details)

    Contributors
    MaR-V-iN
    Source Code: https://github.com/microg/android_packages_apps_GmsCore


    Version Information
    Status: Beta
    Current Beta Version: v0.2.13.203915
    Beta Release Date: 2020-10-19

    Created 2015-10-04
    Last Updated 2020-10-20
    56
    I am still alive, but just super busy.

    Starting end of February, I set aside 20 hours a week to work solely on microG.

    But please don't expect any update earlier than that, I have to ensure that there are no loose ends before I remove myself from some of the obligations I have right now, so probably will be even busier than before.

    Thanks for your ongoing support everyone.
    28
    Nice! Even original Play Store started to work with this! Not fully, but now you can login, search for apps and see already installed ones. Just download doesn't work yet. Keep up good work! Original GMSCore is android cancer.
    26
    Thanks for your feedback @emandt. I appreciate it, although it's impossible for me to not agree with @Ultramanoid that it feels like trolling. I will try to answer to all your concerns.

    It's true that Google API change. This project has some history and still uses some code from 2013. In the meantime, I saw some API changes, but most APIs stay stable. This is because not all play services users update directly and Google does not want important system features to break. I know that Google is aware of this project (or atleast some Google employees are) longer than you are and atleast one change in the web service implementation was targeting a third party software, with microG being the only one I know that fits into that. So yes, I agree that Google is unlikely to be happy with this project. But as Ingress players know, even the mighty Google is not able to block users out that really want to do something with their services. We will always find a way.

    This project is all about privacy. As mentioned above it existed long before I posted it here on XDA and it was reviewed by several people. I also know that at least one "Android company" is working with it. The source code is still fairly simple to follow, and if you want you can check every future commit (and those from the past) one-by-one. It should also be noted that I built privacy related tools for Android the last years, some of them being published here on XDA as well or being integrated in e.g. OmniROM.
    As I don't want users credentials to end up in wrong hands, microG GmsCore doesn't even safe or access your google account password, the login is done through Google's OAuth based website.

    You complained that not "any warning/advice about privacy, credential or critical actions" was stated on the first post. As you mentioned that you're a XDA user for ten years, this can only be trolling: I never saw a ROM or Patched WhatsApp or darkened Play Store or anything else on XDA state something like this in the first post. And most of them were not open source. I expect users to be able to think theirself that, if you enter confidential data, random things might happen with that. I actually pointed that out by mentioning that "This is currently alpha-grade Software. Don't use it if you're not aware of possible consequences." in red letters :)

    I agree that payments are crucial and it is important that they work fluidly. Until now I did not implement anything related to payments for that reason. Inside Play Store, payments are not directed through Play Services, so this is nothing to fear about (this is all about microG GmsCore now, not about a future implementation of the Play Store). On the other hand, as already pointed out by others, payments should be managed server side. It should NEVER be possible to pay more than needed.

    Reducing the enormous size and bloat in Play Services is one of the goals of the project. And I'm quiet sure that this will be possible, because some things inside Play Services just don't need to be there or can be made a lot simpler. The majority of the size until now actually do not really belong to the project (but is the map rendering library used in the backend and the android-support libraries). I did not use proguard until now, I have a single release for all major instruction set (play services use multiple) and 500KB of assets that can also be reduced in size. Although i did not try it yet, I am quiet sure the size final packages size will stay below 10MB. I am not going into details why play services is so huge here, if you're interested in that, ask me when we meet in person.

    And finally I wanted to point out that most Google applications do not user Play Services intensively. Play Store is using it primarily for Auth and checkin, as well as some smaller things like advertisement id. Only Google Plus related apps (Google+, Hangouts) use Play Services a lot. This is not really a surprise considering that Play Services was originally invented for Google+ and OAuth 2 APIs.

    Finally, I'd like to thank you for the insights in your feelings about this project. I guess these answers will not sufficiently satisfy you, but there is not a lot more I can do. Trust me or don't - it's up to you.

    Puh, what a post...
    26
    what is the best way to download this these days? little confused by all the different updates and forks.

    is f droid repo a good place to install from still?

    Here's what I know:

    NanoDroid is an app pack that contains, among other things, MicroG. It also replaces system apps and is compatible with Magisk overlays. It is configured with a text file that can be generated using a zip installer with Aroma. It is currently using @Setialpha's fork of microG. There are also basic subset packs for just MicroG or just system app replacements. It comes with a patched version of Play Store that allows for IAP, but can also install FakeStore.
    @ale5000's zip I think was the first of the unofficial zips and AFAIK just installs official MicroG and related dependencies, as well as removing conflicting apps (important for location services), which NanoDroid does as well. I'm not following the thread for this zip for some reason, and probably should find it so I can follow it. AFAIK, there is no simple configuration for this zip.

    My zips are built by downloading the latest MicroG apps by parsing the F-Droid repo's index file for URLs and thus only follows official releases. There are separate zips for installing with FakeStore, official Play Store, and the NanoDroid patched Play Store. There are also separate NoGapps packs that mirror OpenGapps but with apps from F-Droid (and no MicroG, as that's in a separate installer). Configuration is done at build time, but I provide my build tool and build recipes for easy modification.

    The NoGoolag installer I think is most similar to NanoDroid in that it installs its own fork of MicroG as well as F-Droid system app replacements. I'm least familiar with it, but it's in pretty active development, for what that's worth. I don't know much more about it than that, though.

    All of the above zips AFAIK will ensure best compatibility with your device by uninstalling system apps that will interfere, e.g. with location services; extracting libraries from apps that get installed to /system (Android generally can't find the libraries otherwise); and similar things. This tends to provide a better/easier experience than installing straight from F-Droid, though that is still a valid option. Also, if you use an installer that uses the official MicroG, you can get updates from that F-Droid repo.

    TL;DR: Which installer you use will depend on what you're looking for from it. I will almost always recommend mine, but I am opinionated on the subject. It may be worth you looking deeper into what each does and does not provide and if you need that thing, then make a decision. I would highly recommend using one of the zip installers though, even if it's not mine.