While I'm not sure if this change to Google Maps has been or will be widely rolled out, you may want to look into what GrapheneOS is working on with their Google Play compatibility layer [1]. It basically lets people use Google's services inside Android's standard app sandbox. That means they don't get access to privileged system APIs and can only access what the user chooses. It can also be used without a Google account.
GrapheneOS is working on a way to redirect the Play services location APIs to an open source implementation of those APIs which uses standard Android location APIs [2].
It's expected to be available in an upcoming release [3].
No, microG is a partial reimplementation of some of the functionality in the Google Mobile Services (GMS) app. Unfortunately, this approach has significant drawbacks. In order to install microG, your version of Android OS needs support for spoofing the cryptographic signatures of apps. Some OSes like LineageOS and CalyxOS allow this. See [1] for some pointers about why this is considered harmful.
There was also a recent fairly serious infoleak bug in microG [2] that in my opinion was caused by its broad scope.
The way it works in GrapheneOS is that the OS redirects Binder connections (an IPC mechanism in Android) to a trusted, bundled app (GmsCompat) which will only implement the Play services location API in the foreseeable future. The rest of the Google Play functionality is implemented by GMS itself.
Speaking of signatures, Google Play now requires developers to submit the private keys we used to sign apps with. Without submitting a key I can't issue updates. Out of protest I stopped pushing updates to apps via Google Play.
Yes, that is fairly concerning. The last news I had about this was that using Google Play Signing (their key escrow and app signing service) was only mandatory for new apps as of August 2021. Not sure if that has changed recently. But everyone can see it coming a mile away, that Google will only continue tightening that grip.
To be honest, I understand the potentially good intentions behind Google's push to manage keys for app developers. It is not trivial to (1) keep private keys secure, and (2) not lose access to them over a long enough period of time. So Google can store them in HSMs in their datacenters and provide backups and access controls and such.
But it also gives them the ability to deliver app updates with "extra stuff" for targeted individuals. See Figure 1 of [1]. That doesn't look very nice to me.
The other reason is that they want to repackage your app for different target systems. Right now they are stripping assets and native libraries, but I hear they are going to start precompiling dex and shipping OAT directly in the APK.
I wonder if there's an internal fight between the Tools and Play teams, because all of this should be possible via the Gradle plugin, but understandably the Play team probably wouldn't see high adoption of APK splits if it required configuration via the morass of crap that is Gradle.
That article may be overstating the danger somewhat; it will depend on the way the ROM chooses to implement it, certainly, but none of them give the permission automatically: some require you to enable it deep in the advanced app settings, and some only enable it for system-level privileged apps (and if you can't trust those, then what can you trust?). See for instance LineageOS for microG's claims:
> The signature spoofing could be an unsafe feature only if the user blindly gives any permission to any app, as this permission can't be obtained automatically by the apps.
> Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.
I wondered how long before Google will have a reason for GrapheneOS to suddenly stop being supported on the Pixel. Now I know it will be soon and I get to tell everyone I told you so.
[1] https://grapheneos.org/usage#sandboxed-google-play
[2] https://developer.android.com/reference/android/location/Loc...
[3] https://twitter.com/GrapheneOS/status/1486182874567122945