If you look into the zip /system/system_ext/etc/permissions/privapp-permissions-google-system-ext.xml, you can see all the permissions given to it a system application.
android.permission.RECOVERY, android.permission.MANAGE_USERS, android.permission.INTERACT_ACROSS_USERS stand out the most. These permissions allow the phone to be started, arbitrary apps to be installed and users to be created with new permissions.
Google Services doesn’t need to have access to camera or any other component as it can install whatever it likes that has access to those.
Let’s not kid ourselves, if you have Google Services installed, you have a rootkit installed with a bunch of proprietary code.
Here’s the entire file for reference and you can look up each permission individually to see what access will be given.
Entirely.
On GrapheneOS, Google Play services run in the normal Android app sandbox, just like any other app you install. That way, they only have the permissions you granted them using the permission manager. GrapheneOS doesn’t grant any extra privileges, and you can remove the Play services app at any time. Read more at https://grapheneos.org/features#sandboxed-google-play
Thanks for the detailed response. Creating/interacting between new users is a serious opportunity for permission bypass. Content of the file won’t load for some reason, but still :)
In order to have google apps and google services on an android installation that doesn’t have them yet, you need to sideload them. LineageOS has a list of GApps zips and here’s an example of how to install them for a FairPhone running LineageOS.
If you look into the zip
/system/system_ext/etc/permissions/privapp-permissions-google-system-ext.xml
, you can see all the permissions given to it a system application.android.permission.RECOVERY, android.permission.MANAGE_USERS, android.permission.INTERACT_ACROSS_USERS stand out the most. These permissions allow the phone to be started, arbitrary apps to be installed and users to be created with new permissions.
Google Services doesn’t need to have access to camera or any other component as it can install whatever it likes that has access to those.
Let’s not kid ourselves, if you have Google Services installed, you have a rootkit installed with a bunch of proprietary code.
Here’s the entire file for reference and you can look up each permission individually to see what access will be given.
How well do you think Graphene’s sandboxed play services alleviates these concerns?
Entirely. On GrapheneOS, Google Play services run in the normal Android app sandbox, just like any other app you install. That way, they only have the permissions you granted them using the permission manager. GrapheneOS doesn’t grant any extra privileges, and you can remove the Play services app at any time. Read more at https://grapheneos.org/features#sandboxed-google-play
Thanks for the detailed response. Creating/interacting between new users is a serious opportunity for permission bypass. Content of the file won’t load for some reason, but still :)