microG - What you need to know, A conversation with its developer : Marvin Wißfeld

According to Statista, more than 3,5 billion people use a phone with Google’s Android operating system daily.

In just over than 10 years, Android has become the undisputed mobile operating system market leader with over 75% market share.


(source)

While Android has a core based on Open Source software, the conventional version of Android that you find on most smartphones also includes a set of proprietary libraries and APIs that are used by many mobile applications. This also locks users in the Google ecosystem.

Even if you aren’t using those apps on your Android phone or forgo adding a Google account , your device still engages with many of those Google services and Google powered features without your knowledge, in order to function correctly.

Most of these services are embedded in the apps you use daily right from the development phase. From receiving a notification from your banking app, to trying to locate where your taxi driver is while hailing a ride, the dependence on Google dominates the user experience.

Removing Google’s Play Store can result in the phone’s key functionality not working. This in turn would prevent popular apps from running and would distort the user experience . You could rightfully go down the route of doing without Google’s Services for example with a Linux phone. The downside is ending up with no apps at all. Another option is to use a custom ROM with an alternative app store like Fdroid that distributes only free and open source apps but you would be limited in terms of apps to choose from.

microG is a open source, free software re-implementation of Google’s proprietary libraries.

We’ve invited it’s creator and developer, Marvin Wißfeld , to explain more about the key implementation concepts behind microG.

Question: Can you tell us a bit more about you and your background?

Answer: I started programming when I was just 12 years old. I’ve been contributing to open-source projects since 2010. I finished my Master’s degree in Computer Science just two years ago. I very much enjoy tinkering with the Android operating system but am also involved in developments around the open IETF standard for instant messaging XMPP.


Q: How did the microG project start ?

I removed Google apps and services from my first smartphone in 2012. My main issue with CyanogenMod without Google services has been that the GPS was extremely slow, easily eating 2–3 percent of the battery time before being able to fix a location. To solve this issue I developed an alternative to Google’s network-based location component. A few months later I desperately wanted to play a game that required to log-in with a Google account — which required me to develop an alternative Google account manager component. These works laid the foundation of what microG is today, though it became a much larger project when Google started to provide the Play Services, an ever-growing collection of proprietary services.

Q: Do you work alone or do you have more developers on the project ?

I founded microG as an open-source project, accepting contributions from every interested developer. More than 50 individuals contributed code or translations. However, still more than 90% of the current codebase is written by myself.

Q: Please can you explain in layman terms how microG is able to simulate the Google services and get apps to run on Android smartphones?

The Android operating system allows developers to create apps that are not visible to end users but only act as a service that is accessed by other apps. The various Google services are provided through such service apps. When accessing those service apps, end-user applications do so via a special language that was pre-defined for this communication. microG looks and behaves exactly like the original Google service apps and understands the language that is spoken in such communication. This way it’s impossible for apps to find out if they run in a Google infrastructure or on a system using microG.

One key components of the “looking like Google” is the signature spoofing. All Android apps are cryptographically signed using the private key of their developer. Because private key signing the Google services is only in their hands, microG can not create a signature that looks like it’s from Google. Luckily, apps are not supposed to verify the cryptographic signature themselves, but only ask the operating system to do so. Thus, operating systems that support such signature spoofing, like /e/OS, can tell apps that they verified that microG is properly signed with a private key of Google, even if it isn’t.

Q: Recently microG added optional support for the COVID-19 contact tracing framework. Please can you share details as to how this contact tracing framework works.

The Exposure Notifications API used by COVID-19 contact tracing apps provides four features to those apps:

  • Bluetooth Advertising : Your phone persistently broadcasts a so called Rolling Proximity Identifier (RPI) via Bluetooth. Every 10 minutes, your device generates a new RPI to be published, to make it impossible to track you. The RPIs are derived from a private key that is generated randomly once per day by your device. This derivation cryptographically guarantees that RPIs can not be linked to each other, except if you shared the private key.
  • Bluetooth Scanning : About every 5 minutes your phone scans for nearby Bluetooth devices that broadcast RPIs and stores the RPI together with a timestamp in a local database.
  • Key Sharing : When you have been tested positive for COVID-19, you can ask your phone to share your private keys of the last 14 days with the COVID-19 contact tracing app. Only with this private key is it possible for others to see if they’ve been in contact with you for more than 10 minutes. The implementation of microG will make sure that this key sharing does not happen without explicit user consent.
  • Risk calculation : Based on the list of private keys shared by the companion app and the list of RPIs collected in the last 14 days, your phone checks if you have been in close contact with a person that reportedly was tested positive. Your phone computes a total risk score and provides information on the date and time, contact length, and signal strength of the exposure to the companion app. The companion app will not learn which keys or people were in close contact, neither will it get any insights on where the contact happened.

Before these features are enabled, microG asks the user for explicit consent. All of this happens locally on the device and no interaction with Google or Apple servers is required. Additionally, most governments agreed to make their companion app open-source so that they can be reviewed by the public that they do not include any unwanted data transmission beside the key sharing as described above.

Note from the /e/ Development team regarding the COVID-19 contact tracking framework:

The /e/OS microG implementation of the COVID-19 contact tracking framework will be released soon. Users will have to explicitly download it from the /e/ App Installer or also known as Apps. After installing it on the device, users will have to enable it. In addition, country specific contact tracking apps will have to be installed for the COVID-19 contact tracking framework to work. Please note the framework on its own does not send out data and is dependent on these additional user installed applications to work.

Q: A number of users on the /e/ forum keep checking with us on how safe microG is as they see references to Google in the code or file names. How would you answer that question?

There are mainly two reasons why Google appears in the microG source code:

  • As I described above, microG has to speak a special language with apps using the services it provides. This language often contains the word Google. If microG didn’t include the same words in the language, communication wouldn’t be possible.
  • Some services of microG require that your device connects to a server from Google. The most prominent of such services is the push notification service. This service would be entirely impossible without your device getting push notification from Google, and thus your device has to talk with Google servers. However, all services of microG that require connecting to Google services are optional and can be turned off without issues for those services that do not need to connect to Google. It is important to note that as long as you are not signed into a Google account with microG, these server connections remain anonymous.

Q: Any plans of future modifications and enhancements for microG?

microG has a lot of room for adding more features and improving on the existing ones. Currently I am focusing on adding full support for a service called “Firebase Authentication” which is used in many apps during the login or registration process — and thus if it’s missing, these applications fail when trying to log you in. The work on microG is never finished anyways: Google adds new proprietary services to Android every few months.

About the microG project: https://microg.org/

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online servicesphone

46 Likes

Thanks for this interview, it is really interesting and shows again that if you trust /e/ (and it’s built-in microG-support) there is no reason to be afraid of Exposure Notification.
An interview like this could have saved a lot of fruitless discussion in the forum.

Unfortunately one very important information stays without an answer: when will it be implemented in /e/?

One more information could be valuable to some users like me who have switched to stock ROM or LOS in the meantime: is there a way to backup our database (maybe it is different if you use LOS with microG or stock ROM with Google Play Services) of the last days or weeks of collecting keys and restore them on a freshly installed /e/-device? I wouldn’t switch back to /e/ if I had to lose my stored keys.

3 Likes

Thank you /e/ team for the interview, indeed there was a lot of confusion and speculation as to whether using microG actually meant Google could still somehow access our phone’s data or not.
Keep it up Marvin!

Terrific interview. Clear, concise and informative. After reading the piece I couldn’t have asked for a more clear understanding of how MicroG works. Danka Marvin und merci to the /e/ team.

2 Likes

The reason behind the article was to help users understand how microG works and also give users a chance to meet the man behind its development Marvin Wißfeld.
As you may have noticed there is not much on the topic of microG and even less on Marvin on the net.
At /e/ we are indeed honored to officially support the development activities on microG and have Marvin assist us as a consultant in our microG implementation.
Now to the all important question of when is this implementation rolling out.
As you may be aware we are testing the builds and OTA’s on our servers. We expect to resume normal build cycles and this implementation to roll out by mid of November or next week.

10 Likes

Zerobase.io is a privacy based contact tracing app.

Thank you.
There is one more question for people like me who were forced to leave /e/ due to the missing Exposure Notification: is there a way to transfer stored keys from our current installation (LOS, stock or whatever) to a device with /e/ if we were willing to switch back to /e/? I guess the developer of microG would be the person who could answer this question best. :wink:

I like to know more about this, Since personal not anonymous push data is going through Google servers and your phone has to be adressed, so could be easy to link your “anonymous” id to you. Im also interested what kind of data exactly is send to and from Google servers.

5 Likes

Let me check on this and get back

3 Likes

Thanks a lot, very appreciated!

It is important to note that as long as you are not signed into a Google account with microG, these server connections remain anonymous.

Double up-vote for andrelam’s post. This is the heart of the issue and without more detail I have to say that on this particular topic i have not been presented with evidence that server connections remain anonymous.

Specifically what information is being sent to Google’s servers? GPS info? Phone ID info? AFAIK the only way to prevent Google from IDing you is if the request goes through an anonymous proxy or VPN and what information is sent cannot be joined by other information to statisitically unmask you . Obviously, therwise, they have your IP address and it’s game over given that same IP address is associated with your paid Netflix account / Hulu accout / non-anonymous-activity-of-your-choice.

This is not to knock microG in any way ! It’s a hard problem !!! But to confirm that microG is not de-anonymizing anyone’s phone in this one use case- connecting to Google’s actual servers- the dev would have to show that:

  1. no information which can be used by any known statisitical method to ID you is being sent to Google and

  2. any information which is sent is sent via an anonymizing VPN shared by everyone or else or assigned randomly.

That’s a tall order, I agree. I would love to see these specific issues taken up and addressed directly.

1 Like

I think you are in the wrong topic :thinking:

1 Like

Expect a response from Marvin on the way to transfer stored keys by Thursday

3 Likes

Apologies:( Misinterpreted @davidgrand’s post. I have withdrawn my post

I missed it :frowning: Was I involved in a brouhaha of some sort ? Nothing ever happens to me, and the one time it does, I miss it and then… it turns out to be just a misunderstanding !

NOT FAIR !

:joy: It was about the COVID implementation, @petefoth misinterpeted nothing spectacular. Some day you won’t miss the good stuff :grinning:

The Canadian COVID Alert app uses the Exposure Notifications API and claims not to know your location. But for some reason it requires location to be enabled in order to work. Does anyone know why?

Bluetooth scanning is only allowed if location access is granted up to Android 10 (your location could be determined by using BT beacons).

Longer, official answer: https://support.google.com/android/answer/9930236?hl=en

2 Likes

In Android BT and location are stupidly somehow coupled, but that doesn’t necessarily mean that the app has access to location. At least for the German App you can check permissions and see that the app itself doesn’t even ask for access to location. I guess that you can find something similar for the Canadian one, too.

@Ingo_FP_Angel gave a more precise answer even faster :wink: