Feuerfest

Just the private blog of a Linux sysadmin

What the G? Exploring the current state of Google Apps & Play alternatives for Android ROMs

Photo by Kyle Roxas: https://www.pexels.com/photo/crackers-cheese-and-fruits-2122278/

I use LineageOS on my OnePlus 8T. Sadly I still run it with Android 11 and LineageOS 18.1. Which is quite old in 2025. My plans to update the firmware and ROM got postponed again as non-surprisingly: I need my phone.

However one of the new year resolutions I choose is to finally update my mobile so I'm not lacking behind on Android security updates for several years. *ahem*

To de-google or to not de-google?

Along with this a long-standing idea surfaced again: I want to remove as many Google services as possible without having to give up needed tools/services.

Therefore, the first question regarding updating my mobile is: Do I still want to keep using the Google Apps? Or do I want to use another suite of alternative GApps that enhance privacy at the cost of some features? Or do I want to get rid of Google's apps altogether?

Depending on the choice, I can only use some (or all) Google Apps.

The rule of thumb is: The more functionality you need, the more you are paying with your data. The less privacy you have.

On a normal Android phone, the Google apps (YouTube, Maps, Wallet, etc.) are almost always pre-installed. Contrary custom ROMs often can't pre-install these, as a) Google doesn't allow this, and b) nowadays ROM developers know that users choose an alternative ROM to gain more control over their digital life and therefore explicitly want to disable some (or all) features related to Google's services and apps.

Alternative Google apps packages: The agony of choice

For this, several Google Apps packages exist. All vary in features and what they try to accomplish.

The big three in this field are:

MindTheGapps

Currently I am running LineageOS with MindTheGapps. Which is their current standard (LineageOS Wiki). MindTheGapps uses the proprietary Google services/packages. It just servers as an installer for the official Google packages. This means you can use the Google Play store, Google Maps, every method of authentication with Google Firebase (more relevant than you might think), and the SafetyNet (here is a good site with a presentation, whitepaper & lectures about SafetyNet - also known as DroidGuard) feature on which banking apps often rely. Among all other Google services.

The downside? Google happily leeching as much data from you as they do.
But helpful if you just want a custom ROM and no hassle with non-working apps.

MicroG

A viable alternative is MicroG. MicroG is, to quote the project itself, "A free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries." This means MicroG is a redevelopment to match the functionality while keeping privacy-harming features out. This also means that privacy-focused ROMs like CalyxOS include them and allow users to choose if they want to activate them.

There is an overview about the implementation status of each feature in the MicroG apps: https://github.com/microg/GmsCore/wiki/Implementation-Status. And it also serves as a good example: In MicroG, two Firebase authentication methods are currently not supported. This means if an app you use only uses these two methods, you won't be able to sign in. It's generally advisable to check your important apps if they work with MicroG or not.

The neat thing is that MicroG uses signature spoofing to present itself as the Google apps. Additionally, the long-standing issue with allowing signature spoofing in LineageOS has been fixed recently. This means that if MicroG is installed via F-Droid and the app package is signed with the signature from the MicroG development team, LineageOS allows MicroG to spoof the signatures. Which eliminates many long-standing issues.

The neat thing is: This allows us to simply install MicroG via F-Droid and be done with it. No more incorporating the MicroG image during the flash process.

Information about their F-Droid repository can be found here: https://microg.org/fdroid.html

Please, only install MicroG from their own repository. Don't install it from the PlayStore or other GitHub repositories. It's common to find Malware posing as the official MicroG package. One such example is documented in this Reddit-Thread: https://www.reddit.com/r/MicroG/comments/1icxc8h/malware/

And here is an interview with the MicroG developer about how it all came to be: https://community.e.foundation/t/microg-what-you-need-to-know-a-conversation-with-its-developer-marvin-wissfeld/22700

OpenGApps

Honestly, I still did know this project from when I first flashed my phone. And it was the first project I had a looked after. But sadly it seems that development is currently very slow.

The last news post is from August 23, 2019.
Android 11 is the last supported OS version, according to their homepage.
The last update in their SourceForge repository happened on May 3rd, 2022. Stating that support for Android 11 is, for most variants, still in the testing phase. According to their GitHub issues, some support for Android 12 should be there, but I didn't dig deeper into this.

In this GitHub issue, it's stated that they currently suffer from a lack of supporters/maintainers and have problems with their build server infrastructure, etc.

Therefore, I didn't look any deeper into this. If you want: Here is a link about what package contains which features: https://github.com/opengapps/opengapps/wiki/Advanced-Features-and-Options

Google Play store alternatives

Now that we have decided which package we want to use, we probably want to quit using the Google Play Store. After all, the more Google apps we replace, the less we are dependent on their services running on our phone.

Luckily, there are two app store alternatives that solve all our problems together.

F-Droid

F-Droid is the most commonly used alternative app store. It focuses on OpenSource software, rebuilding the .apk packages from the official repositories. Undesired features such as tracking, ads, or proprietary code are listed on the apps' site. However, due to hosting all files themselves and having a focus on privacy and OpenSource they have their own inclusion policy, which apps need to fulfill in order to be added to F-Droid. Hence, many commercial apps simply can't be added as they either directly use Google's Play services or other proprietary software to build their app. Or the company simply doesn't agree to being hosted on F-Droid.

This has the direct result that many popular apps will & can never be available on F-Droid. Which leads us to...

Aurora OSS

Aurora OSS is another Google Play store alternative. One that is even usable with and without Google services or even MicroG. As Aurora is directly accessing the Google Play store you can download all apps, even the ones you paid for - as long as you log in with your Google account.

For the rest. I recommend reading their project description: https://gitlab.com/AuroraOSS/AuroraStore. The "nicer" looking URL is https://auroraoss.com/; however, this is just to forward you to their GitLab project.

There is however a report that a freshly created Google account that solely used Aurora got deleted after just two hours: https://www.reddit.com/r/degoogle/comments/13td3iq/google_account_deleted_after_2_hours_of_aurora/ and https://news.ycombinator.com/item?id=36098970

But then again, this was the only big reporting on that matter. So I can't really tell what will happen to accounts which are also used for YouTube. Or that have paid apps in the Play store connected to their account.

This discussion on Reddit provides a little bit of insight as to why this could happen to an account.

Conclusion

Aurora combined with F-Droid means we have a solution to get any and all apps we need.

And even if you plan on flashing your Android device or not. Both app stores can be used on any phone. Allowing you to test them out prior to making any fundamental changes to your phone.

Side note: Vanishing developers

While doing my research for this article, I spent some time in the XDA developers forum, on GitHub, GitLab instances, and even SourceForge. And I noticed a constantly reoccurring pattern: many of the developers simply stopped being present in the last few years. No new posts in the XDA Developers forum. No activity on GitHub, etc.

Now it's not uncommon for OpenSource projects to lose contributors or even main project developers. After all, people do have a job, a family, a life. And somehow they need to earn money. Nothing surprising about that.

But I additionally noticed that many seem to be male and of Russian nationality. Given the fact that the Russian attack on Ukraine started in February 2022 and many developers went silent in the last 2-3 years, I have a bad feeling that many of them were conscripted into the Russian army.

Let's just hope that I am wrong...

Comments

GoAccess "Token 'host.somedomain.tld' doesn't match specifier '%h'"

Photo by Kevin Ku: https://www.pexels.com/photo/data-codes-through-eyeglasses-577585/

Just a short post if someone else stumbles about this.

I use GoAccess to view my Apache logfiles on the command line. Now I got an error which I never encountered before.

Token 'host.somedomain.tld' doesn't match specifier '%h'

Strange. I use the standard CustomLog format line from Apache. Also known as "NCSA Combined Log Format". Which is what I choose in GoAccess to open the logfile.

Long story short: If you run an older version there is a bug in GoAccess. If the first line in the logfile doesn't start with an IPv4 or IPv6 you will get the error above.

I got the error with version 1.4, updated to 1.7 and the error was gone. Most likely just a bad regular expression.

Comments

Blocking the competition

Photo by Erik Mclean: https://www.pexels.com/photo/a-room-with-black-and-white-seats-8266814/

Pixelfed's creator Daniel Supernault recently published an open letter addressed at Mark Zuckerberg. The reason being that posts containing links to Pixelfed are marked as Spam by Facebook/Meta and are deleted immediately (404 Media on the topic).

My opinion? The open letter is written exactly in the way it needs to written. Read it for yourself:

Dear Mark,

I hope this finds you well. I noticed something interesting today – it seems Instagram is blocking links to my little open-source project. You know, the one that lets people share photos without harvesting their personal data or forcing algorithmic feeds on them.

I have to admit, I’m flattered. Who would’ve thought a small team of volunteers could build something that would catch your attention? We’re just trying to give people a choice in how they share their memories online. No VCs, no surveillance capitalism, just code and community.

Remember when Facebook started? It was about connecting people, not maximizing engagement metrics. Our project might be tiny compared to Instagram, but we’re staying true to that original spirit of social media – giving people control over their online presence without turning them into products.

You could’ve ignored us. Instead, by blocking our links, you’ve given us the best endorsement we could ask for. You’ve confirmed what we’ve been saying all along – that big tech is more interested in protecting their walled gardens than fostering genuine innovation.

Every time you block a link to our platform, you remind people why we built it in the first place. Your action tells them there are alternatives worth exploring, ones that respect their privacy and agency. So thank you, Mark. You’ve turned our little project into a symbol of resistance against digital monopolies.

Perhaps one day you’ll remember what it felt like to be the underdog, building something because you believed in its potential to make the internet better. Our doors are always open if you want to remember what that feels like.

Best regards,

Daniel Supernault

P.S. Keep blocking those links. Every error message is just free advertising for the social web.

This again brought up a topic: How do I treat companies/social networks that literally block the competition?

Easy answer: I avoid them. Or migrate away from them. Then I delete all my data from their network and stay away from them. Sometimes even going so far as to add their domains to my DNS-Blocklist, so I never ever accidentally browse their site again.

Why?

I don't like being forced into a cage. The term "Internet" stands for interconnected networks. Attempting to create isolated "walled gardens" contradicts my core beliefs about how the Internet should function. If platforms like Facebook/Meta or Twitter/X try to oust the competition I'll gladly start using the competition - provided they uphold the principles of openness and connectivity.

There is a straightforward and logical rationale for this: The Internet is immense, and no single service can encompass everything - whether in terms of functionality or content. If a platform chooses to isolate itself in an effort to retain its users, it has every right to do so. However, it must also acknowledge the consequence of losing a few users along the process.

Comments

Switching Two-Factor Authentication Apps

Photo by Pixabay: https://www.pexels.com/photo/qr-code-on-screengrab-278430/

As I'm preparing to update the firmware on my mobile, updating the ROM and rooting it I'm currently in the "Backup, document and save everything" phase. This means I'm checking that I can backup and restore all my Two-Factor authentication codes (2FA) properly.

Partly because I didn't backup the enrolment QR-Codes for every service I signed up over the years. Documenting the otpauth:// URL and/or the initial QR-Code is still the best way. Then it doesn't even matter if all your devices get lost. You can just enter the information in your 2FA app use the code to sign in and then disable 2FA and re-enable it to invalidate the old secret. Locking out anyone else possibly using your devices/accounts.

As I played around a little bit with 2FA apps over the time I got three apps installed:

And here my problems are starting.

Google Authenticator: Only allows you to export your entries in a QR-Code. (Beside the Cloud sync, but whoever uses this hasn't properly understood 2FA in my personal opinion..)

Aegis Authenticator: Allows the export in un-/encrypted clear text. Even with proper otpauth:// URLs. Nice!

FreeOTP: Offers exporting your entries in an externalBackup.xml called file which contains JSON structured data!? Okay.. The secrets are encrypted with the password you chose when you installed the app. It cannot be changed or retrieved otherwise afterwards so I hope you remember it. 😉

There is a discussion on GitHub about how to decrypt that file, extract the secrets and build proper otpauth:// URLs, but that solution didn't work for me.

I only got the following error message:

user@host:~$ python3 freeotp.py
Traceback (most recent call last):
  File "/home/user/freeotp.py", line 26, in <module>
    tree = ET.parse("externalBackup.xml")
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/xml/etree/ElementTree.py", line 1218, in parse
    tree.parse(source, parser)
  File "/usr/lib/python3.11/xml/etree/ElementTree.py", line 580, in parse
    self._root = parser._parse_whole(source)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
xml.etree.ElementTree.ParseError: not well-formed (invalid token): line 1, column 0

Anyway, after deleting myself from several services in the last years only two entries were still needed and it was easier and faster to just disable 2FA on these accounts. So that is what I did.

Using Aegis Authenticator to migrate to any 2FA app of choice

Regarding my entries in the Google Authenticator I generated the QR-Code and scanned that with Aegis Authenticator. Aegis properly imported all entries and the generated 2FA tokens were correct when I checked them against Google Authenticator.

As Aegis allows me to export everything in clear text I can use that to migrate to any 2FA app of my choice. But most likely I will stick to Aegis.

Yes, this clear text export is a potential security risk. I get it. But if it means I have a way to easily migrate 30+ 2FA accounts I'm willing to make that compromise. Yes, I mean.. Now that I have all my secrets and otpauth:// URLs that shouldn't be a concern anymore, right? Well, now I have everything. I'm pretty sure in the future I'm forgetting to properly document some 2FA codes again, hence this being the better choice.

Or are there other solutions I'm missing?

And what about the Microsoft Authenticator?

Honestly? I'm forced to use this by my employer as we don't allow any other form of 2FA for authentication in our company. As it also implements some sort of custom 2FA no other app supports I couldn't be bothered to search for a solution.

Hence there is only one account tied to it. So I did what was reasonable: I removed the app, deleted all settings and cached files, reinstalled the app and just enrolled my account again.

Yes, this required a ticket for our IT Helpdesk to remove the old Authenticator from my account, but I had no problem with that.

Comments

I made an Oopsie or: How to request a new Telegram BotToken

Photo by Antoni Shkraba: https://www.pexels.com/photo/man-in-green-hoodie-and-black-sunglasses-sitting-on-orange-chair-5475784/

While writing my script that notifies me when comments are pending approval (read: Development of a custom Telegram notification mechanism for new Isso blog comments), I made a mistake and committed the script to my public GitHub repository along with the BotToken.

Even though it was only up for about 20 minutes before I realised what I had done I considered it compromised. Therefore I needed a new BotToken for the Telegram HTTP API.

Luckily this is very easy, as Telegram keeps track of which account was used to create a BotAccount, I was able to do this in 2 minutes via Telegram Web (including googling the commands).

All I had to do was to ensure I message BotFather from the account I created the bot.:

  1. Search for @BotFather on Telegram
  2. Message @BotFather with the command: /revoke
  3. Provide @BotFather with the username of the bot: @SomeExampleBotBla
  4. @BotFather will reply with the new token
  5. Update your scripts and restart services such as Icinga2
  6. Test/verify that the new token is being used everywhere.

Done.

Cleaning Git

As you may know even deleted files along with their content stay in Git and are easily searchable. GitHub has a good article about the topic discussing some tools who make it easier to remove such files: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository

I utilized git-filter-repo (Documentation: https://htmlpreview.github.io/?https://github.com/newren/git-filter-repo/blob/docs/html/git-filter-repo.html).

However keep in mind that git-filter-repo removes your configured remotes (git-filter-repo Documentation). You have to set them again if you plan on keep using the same repository.

And yes, while the BotToken is gone from the history of the script https://github.com/ChrLau/scripts/commits/master/check-isso-comments.sh you can still view it if you know the original commit ID.

Apparently deleting stuff from a Git repository completely is pretty hard.. Lesson learned..

Comments

Hypocrisy

Photo by Madison Inouye: https://www.pexels.com/photo/self-care-isn-t-selfish-signage-2821823/

One of the attributes which is used to describe me, and that I get to hear regularly, is, that I am critical. Sometimes this comes in the form of an accolades that I have good discernment or that I am brave enough to publicly speak out things which many dare not to. And sometimes in form of constructive feedback that I should focus more on the positive side of a certain task or project.

However I always try to not be a hypocrite. I regularly question myself if I am the one to blame. If I could have done better, missed a crucial piece of information or if my words contradict my actions. And if they do: Do I have a just reason for this? A cause that explains it in a comprehensible way?

Additionally I try to keep my emotions out. Yes, I do not succeed in this 100% of the time. After all I'm not a machine. Still manage in succeeding often enough to not look like a raging barbarian. Failing to think over the issue in a neutral way often leads to missing key points. And makes it hard to see it through the eyes of the other involved parties/stakeholders. This in turn causes inaccurate statements or incoherent lines of reasoning. Nothing of this helps to convince other people or to get to the root of the problem.

Therefore it shouldn't surprise anyone that I don't like hypocrisy. Especially so when it touches a topic I have first hand personal experience with and is important to me.

Mental Health Day

October the 10th is the international day of awareness for all topic related to Mental Health. Be it a proper Work-Life-Balance, the poor care for people suffering from diseases such as depression (and many others) or the sadly still existing prejudices against people who have suffered from - or still do - Mental Health issues.

A complicated & delicate topic

Mental Health issues are a tricky thing. In nearly all cases I got to know in detail the ones suffering from it are not the ones responsible, nor to blame. Some people crumble under all the injustice in this world. Shattering while trying to just make things right but were doomed from the start as a single person can't beat the company, yet alone the system.

Others experienced such malevolent acts, even without getting hurt physically, that it left them in ruins. Just think about the child which constantly experienced injustices from it parents. Never getting to know what the word family should mean.

Yet these very same people have to accumulate an immense amount of strength and pick up the fight for their own sanity. Just to live a happy life.

And then there are outsiders who make fun of them for that. Who belittle them. Who question their ability to ever regain their mental health. That they can ever be a productive person again.

These are the people I strongly recommend a therapy - or at least speaking with, for example, an recovered alcoholic or a rape survivor. As the immense lack of sympathy and humility they show is shocking. They can't even imagine what these people have been through and how much work therapy is. Yet, again, some people make fun of therapy as they think of it as "It's just singing in a circle and clapping with your hands." No, it's not.

A special place in hell

And then.. There are certain companies I know of. Posting on Linkedin, Twitter, Instagram and all those other social-media and business platform how "Mental Health aware" they are. How much they care to enable their employees to live a good work-life balance. Etc. And so on. Yada Yada.

All this while they engage in union-busting with the help of a specialised law-firm. And have absolutely no issues in threatening, admonishing or taking people to court over nonsense. Sometimes even utilizing their knowledge of the mental health issues of certain employees to even quicken the process of making them resign (or leaving with a severance package and a signed NDA). Effectively using it as a weapon against them. Just to reach their goal of preventing a union.

And the only thing these people did was trying to organize a union to get their rights and better their situation.

Yeah, I seriously hope those people get a special place in hell.

Comments