microG: Android (almost) without Google – our interview with the developer
The use of microG means that on smartphones, you can enjoy the comfort of Android without being spied on from front to back. It’s a sort of „castrated“ Android, where hardly any data are transferred to the Google servers. How does Google manage to enforce control over the mobile operating system Android with all its might? What does it take to stand up against Google? That and much more, we will find out in our interview with the inventor of microG, Marvin Wißfeld.
MicroG: a very promising alternative
Google is trying to enforce control over the mobile operating system Android with all its might. Despite all the convenience and quality of the vast Google ecosystem, there is one thing we should not forget: Google is and always will be one of the largest and most ever hungry data octopus existing.
Through clever marketing, the Internet giant has managed over the years to turn the Android Open-Source Project (AOSP) into a billion-dollar business. Google’s proprietary Android ecosystem is forced upon you virtually with every purchase of an Android smartphone. Marvin Wißfeld, the developer of microG, is determined to change that. An alternative was needed – microG was born.
Android without Google – our interview with the developer
With your help, a surprisingly large number of questions have come up for Marvin. But not only with us, in the forum of Tarnkappe.info, many questions arrived. Also, the readers on Reddit were very busy asking questions.
Tarnkappe.info: What made you start developing MicroG, Marvin?
Marvin Wißfeld: I had received an access code to the beta version of Ingress, one of the first AR games (AR = Augmented Reality). In order to play Ingress, it was initially necessary to log in on the Android device with a Google account. At that time I had already used a custom ROM (unofficial operating system) without Google services. So, actually playing Ingress would not have been possible for me. But of course I didn’t want to let that sit on me – and after a few weeks the first prototype of microG was ready. I had already played around with network-based positioning for Assisted GPS on Android before and therefore had a good overview of how these things work.
„I don’t think there’ll be a generic one-click installation of microG“
Tarnkappe.info: Marvin, a reader would like to know from you if there will be a simple „1-click installation“ at some point. For many androids there are already simple solutions to root the smartphone, i.e. to get full control over the device. Especially for users who don’t know that much, this would be a great help.
Marvin Wißfeld: A generic 1-click installation of microG seems unrealistic to me. Since you have to patch the ROM for signature spoofing, this cannot always work generically, i.e. cross-platform, since ROMs (and devices) are different. I would be happy if the problem would be solved eventually rather by having ROMs that already have microG with them or at least offer a possibility to install microG. Also, a ZIP that can be set up right after the actual installation, like the root add-on for LineageOS, would be a possibility here.
An alternative to the 1-click installation would of course be the 0-click installation, i.e. providing devices that come preinstalled with microG – that actually sounds much better to me.
Setting an example against the consumer and throwaway society
Tarnkappe.info: One of our readers would like to know why the latest smartphones are not supported by Lineage OS. Unfortunately there are only a few models for which this applies. He thinks you should develop such a 1-click install app where you can install MicroG like apps. Then it would be much easier for many users to install microG. If the installation is not simple, microG would be unsuccessful and remain a niche product. What do you as developer say to this?
Marvin Wißfeld: Of course, post-installed custom ROMs will always be behind the device manufacturers and will not directly support new devices. In my opinion, we have reached the point where newer smartphones are not so technically superior to older ones that you would need a new one every couple of years. I know people who still buy Nexus 5x or Pixel 2/3 devices (new or used) because they are well-supported and cheap. Anyone who buys an older smartphone from the second-hand market is also setting an example against the consumer and throwaway society.
An alternative to older devices already supported by LineageOS and others would be for hardware manufacturers to preinstall microG or offer an easier way to install it.
About Lineage OS and the „eFoundation
Tarnkappe.info: Is it perhaps already in planning or in development to bring microG as an independent OS (like e.g. LineageOS) on the market in the future?
Marvin Wißfeld: First of all, microG is only a little bit of software, not a complete OS or ROM. With LineageOS for microG, there is already a Lineage OS fork that microG brings with it, making it a full-fledged OS. There are also /e/ (= manufacturers of smartphones specialized in IT security) who provide a complete Google-free OS with microG and even sell devices that come preinstalled with it.
Of course, I’m watching the „market“ and if I see potential for this and can provide the necessary resources, I can certainly imagine providing an independent, full-fledged OS – but then surely only for a limited number of devices.
Tarnkappe.info: The so-called „e-foundation“ (/e/) promises us „We keep your personal data safe on your smartphone and in the cloud“. But the best way to find out is to see for yourself. More information on this topic is available either here or here. You can also check out GitHub or Reddit to see for yourself that many problems with /e/ have not yet been fully resolved.
The /e/ Android-Rom project wants to find the ideal and easiest way for the „normal“ consumer to get rid of the big data companies like Google on their smartphones. They also try to promote the FOSS culture and software. Whether they will actually succeed in all this, however, only the future can show.
MicroG – what it is and where the journey is leading to
What microG is exactly and how it works was explained in detail by Marvin at the SFScon conference in Bolzano. The talk is in English, but of course we don’t want to miss the opportunity to have a look.
Tarnkappe.info: You have been very responsive to many things with your talk on SFScon. But we still want to check out what your plans are with microG. What exactly are your plans for the future of microG?
Marvin Wißfeld: For this year, my main goal is to work on making microG truly productive, not only in controlled environments, but also for inexperienced end users where everything has to work. This includes the ability to configure microG without a „user interface“, so that ROMs can run with microG without the user noticing. Also, a lot of trial and error with real applications is on the agenda.
From good intentions and wishes of a developer
Marvin Wißfeld: To make it easier for (new) contributors, I’d also like to clean up the code as much as possible, structure it and then write some documentation about it. So far, the documentation has unfortunately always been a little too short. The new feature or bug fix simply had a higher priority. The bigger the project is, the more important the documentation becomes, so this has to happen sometime.
A „Side Project“ is also to get the GmsLib, the implementation of the client library, up to date. This would allow app developers to create an app instead of an open source and play store variant. And the advantages of the Play Store variant (for example Push) would then be directly in the open-source app. Oh, and the website that really needs to be done…
Eventually, I would like to see microG no longer needed, so that app developers no longer automatically use play services and expect users to have a googled device. Alternatively, it would also be ok if hardware manufacturers saw microG as a real alternative to Google Play and give the user the choice to use one or the other on their device. I’m honestly not sure what happens first.
How do you manage such a project alone? Can one still talk about a hobby?
Tarnkappe.info: Did the development of microG cause you great difficulties? Pressure from companies, excessive support requests from end users, etc?
Marvin Wißfeld: No. Actually, the development of microG has always just opened doors for me. There are not many support requests like this, it’s all publicly available through GitHub. I am not the only one who can help. I certainly can’t complain.
Tarnkappe.info: Do you develop microG as a hobby in your spare time? What do you do to avoid burnout? MicroG doesn’t seem to be just a simple piece of software. Doing things for your project often seems to be time-consuming and maybe more often frustrating.
Marvin Wißfeld: microG is „just“ a hobby, but it certainly takes a lot of time. Even answering these interview questions took over an hour again :).
I’ve given up microG just for fun (in addition to a normal full-time job). The workload was simply not manageable anymore and there was nothing left to do. Currently, I only do a paid job „from time to time“. Actually, I’m focusing on Open-Source projects now. This does not only include microG.
What tools do you use as a developer?
Tarnkappe.info: Which tools or programs do you use most? I assume that besides writing microG code you have a generous set of tools for decompiling/recompiling binaries etc. I guess you work with Android Studio?
Marvin Wißfeld: Yes, I actually write code with Android Studio. If you play around with binaries, apktool and dex2jar are the classic tools. Rather exotic, but what I really like to use is Enigma. Enigma is an „IDE“ for deobfuscating.
Clarification: To deobfuscate a program code means to convert a hard-to-understand program into a simple, understandable and straightforward program. There are tools like Enigma etc. for this. With intentionally difficult to understand code, different manufacturers want to achieve that other programmers do not understand their source code (keyword Reverse Engineering). Or cyber criminals want to protect their malware from detection.
As an end user, is there anything we can do to help with this project?
Tarnkappe.info: What exactly can we as users do to help with the development of microG?
Marvin Wißfeld: I think there’s a lot that could be done in the microG environment that would make sense, even if you can’t program at all. One of these is to systematically/structurally document which apps are causing problems with microG to record what those problems are. Also, which apps work well, where there are known workarounds etc. Currently, this information is not perfect, mostly in issues, on GitHub and in some forums.
It would also be interesting to have a mechanism to automatically test apps for compatibility with microG. This would probably also have a significant impact on development.
And to the developers among you: I don’t bite and I don’t want to be the sole ruler of this project. If you want to contribute code to microG or even have concrete ideas about what problem you could solve, please let me know.
About workflows and new features
Tarnkappe.info: Speaking of developing, how do you do that? What is the usual workflow when implementing a new feature? What is the most difficult part of it for you?
Marvin Wißfeld: I wouldn’t say there is a usual workflow. It always depends entirely on the feature. Usually I look at the developer documentation from Google first. If the feature has network communication, I record it a bit in the emulator. And of course I look at apps, how they use the feature and what actually happens under the hood. Reverse engineering is fortunately relatively easy with Java binaries. There are many good tools.
Tarnkappe.info: Do you actually have contact with the various phone manufacturers to get support (drivers) for the different hardware platforms?
Marvin Wißfeld: That’s about two layers lower than microG works. MicroG doesn’t need direct support for the hardware platform and controls hardware exclusively via the Android Framework/HAL. LineageOS for microG only uses what comes in from LineageOS for device support, so there is no contact with device manufacturers.
About security concerns and signature spoofing
Tarnkappe.info: Marvin, now and then security related questions come up regarding signature spoofing. What is your opinion about this?
Marvin Wißfeld: Concerns about the security of signature spoofing come up from time to time, especially from the LineageOS developers, who have even noted their dislike in their FAQ.
All patches for signature spoofing that I know of either require explicit user consent or require that the spoofing app (explanation: the app that pretends to be something else.) be installed on the /System partition.
If explicit consent is required from the user, it is technically no longer possible to speak of a security risk – at least the risk is not posed by signature spoofing, but by the user. Of course, it may be necessary to protect the user from himself. But even a custom ROM that grants root access or makes it easy to install cannot say it protects the user from himself. I will mention here, however, that there are exceptions, such as ROMs that use dm-verity to protect the system from improper modification by users, but this is rather the exception in the custom ROM world.
The „worst-case“ scenario
Marvin Wißfeld: The variant that requires the app to be in the /system is completely harmless anyway. In fact, Android does virtually no security checks for /System apps, so you can do something that comes close to signature spoofing anyway, but without the flexibility that it would take to have something like microG. So, signature spoofing doesn’t change the security, but only how easy it is to develop microG.
In terms of practical security risks, the „worst possible“ attack I can imagine is that an app – like microG – pretends to be play services. But this only works anyway if microG is not already installed and the hurdles described above must be overcome.
Of course, it could be that I am not aware of all possible security risks. Unfortunately, when I ask about security concerns, I usually don’t get much concrete information. Often security concerns were simply based on a misunderstanding of how signature spoofing works – but some people did not want to admit this publicly.
„Interesting conversations with Google employees have taken place…“
Tarnkappe.info: One last question Marvin, then we are done. Has Google ever sued you in the past for your work with microG?
Marvin Wißfeld: No. There were no legal problems with Google – and that is very unlikely due to the legal situation in the EU. However, interesting conversations with Google employees have taken place. :)
Tarnkappe.info: Marvin, thank you very much for taking the time for us and our readers to answer so many questions. We wish you all the best for your future projects.
The new microG Wiki – many answers to your questions
Finally, it is worth mentioning the new info page of microG. This revised wiki should serve as an unofficial guide for setting up an Android phone with microG. It’s definitely worth a look.
All we have left to do now is to thank our readers for the many questions. We hope that you enjoyed this interview as much as we did. With this in mind, we would like to thank everyone who asked Marvin a question in our Tarnkappe Forum or on Reddit.
Article picture from hackbeardmull, thx!