Feuerfest

Just the private blog of a Linux sysadmin

What the G? Exploring the current state of Google Apps & Play alternatives for Android ROMs

Photo by Kyle Roxas: https://www.pexels.com/photo/crackers-cheese-and-fruits-2122278/

I use LineageOS on my OnePlus 8T. Sadly I still run it with Android 11 and LineageOS 18.1. Which is quite old in 2025. My plans to update the firmware and ROM got postponed again as non-surprisingly: I need my phone.

However one of the new year resolutions I choose is to finally update my mobile so I'm not lacking behind on Android security updates for several years. *ahem*

To de-google or to not de-google?

Along with this a long-standing idea surfaced again: I want to remove as many Google services as possible without having to give up needed tools/services.

Therefore, the first question regarding updating my mobile is: Do I still want to keep using the Google Apps? Or do I want to use another suite of alternative GApps that enhance privacy at the cost of some features? Or do I want to get rid of Google's apps altogether?

Depending on the choice, I can only use some (or all) Google Apps.

The rule of thumb is: The more functionality you need, the more you are paying with your data. The less privacy you have.

On a normal Android phone, the Google apps (YouTube, Maps, Wallet, etc.) are almost always pre-installed. Contrary custom ROMs often can't pre-install these, as a) Google doesn't allow this, and b) nowadays ROM developers know that users choose an alternative ROM to gain more control over their digital life and therefore explicitly want to disable some (or all) features related to Google's services and apps.

Alternative Google apps packages: The agony of choice

For this, several Google Apps packages exist. All vary in features and what they try to accomplish.

The big three in this field are:

MindTheGapps

Currently I am running LineageOS with MindTheGapps. Which is their current standard (LineageOS Wiki). MindTheGapps uses the proprietary Google services/packages. It just servers as an installer for the official Google packages. This means you can use the Google Play store, Google Maps, every method of authentication with Google Firebase (more relevant than you might think), and the SafetyNet (here is a good site with a presentation, whitepaper & lectures about SafetyNet - also known as DroidGuard) feature on which banking apps often rely. Among all other Google services.

The downside? Google happily leeching as much data from you as they do.
But helpful if you just want a custom ROM and no hassle with non-working apps.

MicroG

A viable alternative is MicroG. MicroG is, to quote the project itself, "A free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries." This means MicroG is a redevelopment to match the functionality while keeping privacy-harming features out. This also means that privacy-focused ROMs like CalyxOS include them and allow users to choose if they want to activate them.

There is an overview about the implementation status of each feature in the MicroG apps: https://github.com/microg/GmsCore/wiki/Implementation-Status. And it also serves as a good example: In MicroG, two Firebase authentication methods are currently not supported. This means if an app you use only uses these two methods, you won't be able to sign in. It's generally advisable to check your important apps if they work with MicroG or not.

The neat thing is that MicroG uses signature spoofing to present itself as the Google apps. Additionally, the long-standing issue with allowing signature spoofing in LineageOS has been fixed recently. This means that if MicroG is installed via F-Droid and the app package is signed with the signature from the MicroG development team, LineageOS allows MicroG to spoof the signatures. Which eliminates many long-standing issues.

The neat thing is: This allows us to simply install MicroG via F-Droid and be done with it. No more incorporating the MicroG image during the flash process.

Information about their F-Droid repository can be found here: https://microg.org/fdroid.html

Please, only install MicroG from their own repository. Don't install it from the PlayStore or other GitHub repositories. It's common to find Malware posing as the official MicroG package. One such example is documented in this Reddit-Thread: https://www.reddit.com/r/MicroG/comments/1icxc8h/malware/

And here is an interview with the MicroG developer about how it all came to be: https://community.e.foundation/t/microg-what-you-need-to-know-a-conversation-with-its-developer-marvin-wissfeld/22700

OpenGApps

Honestly, I still did know this project from when I first flashed my phone. And it was the first project I had a looked after. But sadly it seems that development is currently very slow.

The last news post is from August 23, 2019.
Android 11 is the last supported OS version, according to their homepage.
The last update in their SourceForge repository happened on May 3rd, 2022. Stating that support for Android 11 is, for most variants, still in the testing phase. According to their GitHub issues, some support for Android 12 should be there, but I didn't dig deeper into this.

In this GitHub issue, it's stated that they currently suffer from a lack of supporters/maintainers and have problems with their build server infrastructure, etc.

Therefore, I didn't look any deeper into this. If you want: Here is a link about what package contains which features: https://github.com/opengapps/opengapps/wiki/Advanced-Features-and-Options

Google Play store alternatives

Now that we have decided which package we want to use, we probably want to quit using the Google Play Store. After all, the more Google apps we replace, the less we are dependent on their services running on our phone.

Luckily, there are two app store alternatives that solve all our problems together.

F-Droid

F-Droid is the most commonly used alternative app store. It focuses on OpenSource software, rebuilding the .apk packages from the official repositories. Undesired features such as tracking, ads, or proprietary code are listed on the apps' site. However, due to hosting all files themselves and having a focus on privacy and OpenSource they have their own inclusion policy, which apps need to fulfill in order to be added to F-Droid. Hence, many commercial apps simply can't be added as they either directly use Google's Play services or other proprietary software to build their app. Or the company simply doesn't agree to being hosted on F-Droid.

This has the direct result that many popular apps will & can never be available on F-Droid. Which leads us to...

Aurora OSS

Aurora OSS is another Google Play store alternative. One that is even usable with and without Google services or even MicroG. As Aurora is directly accessing the Google Play store you can download all apps, even the ones you paid for - as long as you log in with your Google account.

For the rest. I recommend reading their project description: https://gitlab.com/AuroraOSS/AuroraStore. The "nicer" looking URL is https://auroraoss.com/; however, this is just to forward you to their GitLab project.

There is however a report that a freshly created Google account that solely used Aurora got deleted after just two hours: https://www.reddit.com/r/degoogle/comments/13td3iq/google_account_deleted_after_2_hours_of_aurora/ and https://news.ycombinator.com/item?id=36098970

But then again, this was the only big reporting on that matter. So I can't really tell what will happen to accounts which are also used for YouTube. Or that have paid apps in the Play store connected to their account.

This discussion on Reddit provides a little bit of insight as to why this could happen to an account.

Conclusion

Aurora combined with F-Droid means we have a solution to get any and all apps we need.

And even if you plan on flashing your Android device or not. Both app stores can be used on any phone. Allowing you to test them out prior to making any fundamental changes to your phone.

Side note: Vanishing developers

While doing my research for this article, I spent some time in the XDA developers forum, on GitHub, GitLab instances, and even SourceForge. And I noticed a constantly reoccurring pattern: many of the developers simply stopped being present in the last few years. No new posts in the XDA Developers forum. No activity on GitHub, etc.

Now it's not uncommon for OpenSource projects to lose contributors or even main project developers. After all, people do have a job, a family, a life. And somehow they need to earn money. Nothing surprising about that.

But I additionally noticed that many seem to be male and of Russian nationality. Given the fact that the Russian attack on Ukraine started in February 2022 and many developers went silent in the last 2-3 years, I have a bad feeling that many of them were conscripted into the Russian army.

Let's just hope that I am wrong...

Comments

Switching Two-Factor Authentication Apps

Photo by Pixabay: https://www.pexels.com/photo/qr-code-on-screengrab-278430/

As I'm preparing to update the firmware on my mobile, updating the ROM and rooting it I'm currently in the "Backup, document and save everything" phase. This means I'm checking that I can backup and restore all my Two-Factor authentication codes (2FA) properly.

Partly because I didn't backup the enrolment QR-Codes for every service I signed up over the years. Documenting the otpauth:// URL and/or the initial QR-Code is still the best way. Then it doesn't even matter if all your devices get lost. You can just enter the information in your 2FA app use the code to sign in and then disable 2FA and re-enable it to invalidate the old secret. Locking out anyone else possibly using your devices/accounts.

As I played around a little bit with 2FA apps over the time I got three apps installed:

And here my problems are starting.

Google Authenticator: Only allows you to export your entries in a QR-Code. (Beside the Cloud sync, but whoever uses this hasn't properly understood 2FA in my personal opinion..)

Aegis Authenticator: Allows the export in un-/encrypted clear text. Even with proper otpauth:// URLs. Nice!

FreeOTP: Offers exporting your entries in an externalBackup.xml called file which contains JSON structured data!? Okay.. The secrets are encrypted with the password you chose when you installed the app. It cannot be changed or retrieved otherwise afterwards so I hope you remember it. 😉

There is a discussion on GitHub about how to decrypt that file, extract the secrets and build proper otpauth:// URLs, but that solution didn't work for me.

I only got the following error message:

user@host:~$ python3 freeotp.py
Traceback (most recent call last):
  File "/home/user/freeotp.py", line 26, in <module>
    tree = ET.parse("externalBackup.xml")
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/xml/etree/ElementTree.py", line 1218, in parse
    tree.parse(source, parser)
  File "/usr/lib/python3.11/xml/etree/ElementTree.py", line 580, in parse
    self._root = parser._parse_whole(source)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
xml.etree.ElementTree.ParseError: not well-formed (invalid token): line 1, column 0

Anyway, after deleting myself from several services in the last years only two entries were still needed and it was easier and faster to just disable 2FA on these accounts. So that is what I did.

Using Aegis Authenticator to migrate to any 2FA app of choice

Regarding my entries in the Google Authenticator I generated the QR-Code and scanned that with Aegis Authenticator. Aegis properly imported all entries and the generated 2FA tokens were correct when I checked them against Google Authenticator.

As Aegis allows me to export everything in clear text I can use that to migrate to any 2FA app of my choice. But most likely I will stick to Aegis.

Yes, this clear text export is a potential security risk. I get it. But if it means I have a way to easily migrate 30+ 2FA accounts I'm willing to make that compromise. Yes, I mean.. Now that I have all my secrets and otpauth:// URLs that shouldn't be a concern anymore, right? Well, now I have everything. I'm pretty sure in the future I'm forgetting to properly document some 2FA codes again, hence this being the better choice.

Or are there other solutions I'm missing?

And what about the Microsoft Authenticator?

Honestly? I'm forced to use this by my employer as we don't allow any other form of 2FA for authentication in our company. As it also implements some sort of custom 2FA no other app supports I couldn't be bothered to search for a solution.

Hence there is only one account tied to it. So I did what was reasonable: I removed the app, deleted all settings and cached files, reinstalled the app and just enrolled my account again.

Yes, this required a ticket for our IT Helpdesk to remove the old Authenticator from my account, but I had no problem with that.

Comments

First release of the Thunderbird for Android app and a little bit of drama

Photo by Pixabay: https://www.pexels.com/photo/red-pencil-on-top-of-white-window-envelope-236713/

I had already forgotten that Mozilla bought K9-Mail in June 2022 in order to transform K9-Mail into Thunderbird on Android. Now I was reminded again as on October 30th 2024 the first Android version of Thunderbird was released.

However the initial beta releases were accompanied by a little bit of drama regarding the data privacy topic. As the first releases of the Thunderbird App contained telemetry trackers from Mozilla and those were enabled by default (Opt-Out instead of the more data privacy friendly Opt-In). Additionally the user wasn't made aware of this during the install and configuration process.

These facts became aware to many users through the following GitHub Issue: Thunderbird Issue 8199: Expose the ability to mange Telemetry settings on first-time use where the reporter just stated in a factual way that he expects these settings to be off initially.

However the first reply to that issue didn't make things better. Apparently a Senior Manager/Mobile Engineering at MZLA Technologies Corporation, the subsidiary of the Mozilla Corporation of which Thunderbird is now a part of, wrote the following as a reply:

Unfortunately we cannot make this type of data collection opt-in because the limited data from voluntary reports wouldn’t provide enough insights to make informed product decisions. Opt-in data would come from a small, biased subset, leading to flawed conclusions.

Knowing the Android ecosystem covers a vast range of hardware and form factors, we need to have a mechanism to make better decisions on how features are being used, and have information in which environments user might be having trouble.

In line with Mozilla’s data practices, the default data collected contains no personal information. This helps us understand how features are used and where issues may occur, while minimizing data points and retaining only what's necessary. When we decide on new probes, we actively consider if we really need the information, and if there are ways we could reduce the needed retention time or scope.

While I can't offer an opt-in at this time, I understand your concerns and genuinely appreciate that you're thinking critically about privacy. You might also be interested in a recent talk about our need for privacy respecting telemetry. https://blog.thunderbird.net/2024/08/thunderbird-goes-to-guadec-2024/

This again sparked a lot of comments who can be sorted into the following categories:

  1. Disappointment that an application developed by Mozilla uses such shady practises. Along with criticism that users are not informed about this and there are no information on what type of information is gathered and how it is used.
  2. Notices on the various laws forbidding such data collection (especially the GDPR from the EU).
  3. Sadness that while K9-Mail was tracker free, Thunderbird obviously won't. Which disappoints many data privacy focused users.

Or as someone, sarcastically, pointed out on Mastodon (Source):

How could K-9 be developed and become the best email app for Android, and even make ‘informed product decisions’ without a tracker? Sarcasm over.

With the 8.0b2 release that feature was removed and will, hopefully, be reworked in a more user-consenting way.

Personally I am also very disappointed and my anticipation has taken a huge blow. Mozilla once stood as a beacon of user-centred interests. And while I wholeheartedly agree that they should be able to get usage metrics I too want this to happen in an open and consenting way. Enabling the user to actually make a choice and inform me about the nature of the data being transmitted.

Other resources

There is an FAQ what will happen to K9-Mail and Thunderbird in the future: https://blog.thunderbird.net/2022/06/faq-thunderbird-mobile-and-k-9-mail/

The roadmap can be found here: https://developer.thunderbird.net/planning/android-roadmap

Comments

Protect against malicious AirTags (and some other tracking devices)

Photo by cottonbro studio: https://www.pexels.com/photo/man-observing-woman-through-doorway-8626372/

When Apple introduced the AirTag (see Wikipedia) it was primarily marketed as a "Find your device/stuff" product. Allowing you to locate the item to which the AirTag is attached, even when it's hundreds of meters (or kilometers) away. As long as there is some Apple device which receives the Bluetooth signal and forwards this to the Apple servers, you will have the location of the device. Of course, depending on time passed and location it can be inaccurate. But in our connected world it's likely that some device will pick up the signal again and you'll have up-to-date location information.

Additionally AirTags can produce a sound, so that you can get a audio hint on where the device is.

AirTags do have many useful cases. From tracking your stolen bike (if you hide some AirTag on/in it), to locating your lost luggage at an airport.. Even pets! Sure this is useful. But sadly.. The principle of dual usability is real and hence even in the beta phase Apple already rolled out a feature that allowed you to view all AirTags in your vicinity. As the potential for illegitimate usages was too high, to simply ignore it. After all.. Watch someone retrieving money at an ATM, occasionally bump into this person and put an AirTag into the jacked of that person. And then just follow and wait until this person is in some place where there are no cameras and/or eyewitnesses. Or think about the whole stalking and Online-Dating problem.

No, AirTags can be a security and privacy disaster. I'm sure many of you have read the story about Lilith Wittmann, who used an Apple AirTag to uncover an office of a secret german intelligence agency (article on appleinsider.com) or read the original german article, published by herself, here: Bundesservice Telekommunikation — enttarnt: Dieser Geheimdienst steckt dahinter.

Ok, so Apple has this feature included in iOS for it's phones/tablets, etc. - What about Android?

Good things first: Apple and Google recognized the threat and are working together towards an industry specification which aims to put an end to stalking via AirTag and similar devices. But, as this has just been announced in May 2023, it's still too early to have produced any meaningful results (sadly).

Apple press release: https://www.apple.com/newsroom/2023/05/apple-google-partner-on-an-industry-specification-to-address-unwanted-tracking/
Google blog post in their security blog: https://security.googleblog.com/2023/05/google-and-apple-lead-initiative-for.html 

Well, Android being the fragmented Android market it is, not every manufacturer has such an option included. I know that Google Pixel devices have such a feature. And I was told Samsung and OnePlus phones too. But there are many other Android versions around. And: What about custom ROMs? I use LineageOS on my OnePlus phone and wasn't able to find such a feature. That's why I searched for an app that does this for me, and was pleasantly surprised to find one.

AirGuard is even released for iOS and there it's also able to find trackers which Apples feature won't detect. So.. I guess this is a recommendation to install this app on iOS too.

Introducing AirGuard

AirGuard is an Android app, developed by the Secure Mobile Networking Lab (SEEMOO) which is part of the Technical University of Darmstadt - specifically their computer science department. You may have heard from them occasionally as they regularly find security vulnerabilities in Apple products and do a lot of research on Bluetooth and Bluetooth security. The neat point? AirGuard is OpenSource, it's code is being published on GitHub. This allows me to install the App using F-Droid (which only offers OpenSource apps).

The icing on the cake? It can not only track Apple AirTags, but Samsung SmartTags and Chipolo Tags too.

From here it's just a normal app installation. Allow the app to use Bluetooth, disable battery saving mechanisms (so it stays active while being executed in the background) and that's it.

As I own no AirTag or similar device I can't test it, but I will update this article when I was able to test this.

If you want to stay up-to-date with the development, there is a Twitter account for that: https://twitter.com/AirGuardAndroid

Comments