MicroG leaks personal data

I encountered this “leak” - if that is not a normal function of MicroG as I’m not very familiar with it - when trying to use the official TWRP app to update my recovery. It obviously makes a call to my Google account when I saw that MicroG popped up and asked me for permission to access my account. I had to go through the usual procedure of their two-factor authentication and then was returned to the TWRP app which then downloaded their latest version but didn’t do the essential, which was to update my recovery. I’ve since removed this app. But today I got a message from Google welcoming me to their service using a new device but also informing me that I haven’t got their apps installed and inviting me to install gapps. I can only surmise that MicroG either lets Google see what apps I have installed or some service of theirs double-checks to see if they get a response from my device. I thought from the Lineage description of MicroG that it “spoofs” Google apps which should mean that Google shouldn’t know what apps I have or have not. Does anyone know anything more about this?

MicroG is a set of free software apps that let your phone communicate with G%§$e services, so this is very much expected behavior.

Thanks for the info @PaulaFairphone. I’ve done a little reading on the subject and it would appear that what we have in /e/ is just the core services but apparently “signature spoofing” only works if the OS has been patched for it. The normal lineage ROM doesn’t do this apparently for security reasons, though there is a fork - Lineage for microG - which does. I don’t know what the position of the /e/ developers is, but presumably there will be some clarification of their position once the definitive version comes out. In the meantime perhaps our messages may be useful to others who want to run apps which need Google Play Services.

Hi @Grendel, wanted to clarify a few points.
/e/ uses the same build process as LineageOS4MicroG and has been this way from the first beta version onwards. Both are built using Docker. So technically we are closer to LineageOS4MicroG than the standard Lineage ROM build process. On the patching of the build please check the screenshot from a build for /e/ … if you check the line in the middle of the screenshot (just above the Setting “UNOFFICIAL”…) you will notice that the build process mentions applying the patch to the OS.

MicroG would simply not work without the patch being applied. By a ‘working’ MicroG I mean if you look into the SelfCheck option in MicroG all the check boxes should be checked or check-able.

To add to the above, to use microG, any and all ROMs must support signature spoofing. Accomplished three ways…

1: Support built into ROM.
2: Patch the ROM (via PC or on-device with something like NanoDroid Patcher).
3: Use FakeGapps Xposed module.

When one adds a Google account one is obviously contacting Google. Methinks during the setup they quickly check things out and send out that welcome email, encouraging the installation of their apps. They usually get my device wrong though because I always use Bromite webview which obfuscates a few things.