Do not really understand how Android sandboxing works for system apps.
Edit: guys, check the comments in this tree below. There is a solution to use GApps privately with permission revoking through Shizuku, and it actually works, checked myself :D
Seems like it is true information but GServices have another way to bypass permission. Check this comment
The problem is that GServices can't work without these permissions, they crash. So the phone becomes mostly pointless.
Sorry, what's the way to do it? Manually editing config files? Or some app? App Manager from GitHub, for example, can't do it.
Thank you so much. I tried it, all permissions were indeed revoked. Checked on the camera app - it works. THANK YOU!!!
But I'm wondering if GApps doesn't make any changes to the system itself, maybe it creates new users to bypass broken permissions.
Nothing happened, permission resets itself and in AppOps, the camera just worked fine :)
Yes. I didn't disable the internet for services, SafetyNet goes through without a problem. Thank you for this information, it is invaluable to me. Now I will be able to use GApps again instead of microG without losing functionality and staying private ❤️
"Good" really depends on what you're after. Do not use CalyxOS if you care about security. They are significantly behind in implementing security patches, regularly. You are in some ways more vulnerable with CalyxOS than regular Android on a Pixel because you would get security updates faster on a Pixel. Additionally, the network permission of GrapheneOS is a paramount security and privacy feature. Also, GrapheneOS takes over all location services requests even if you use Google services, making sure that even if Google services are installed, Google only gets location info whenever the location request is for the Google services, not all/any services or apps on your phone. There are additional points too, but CalyxOS, while I don't want to bash them, should not be considered a secure OS the same way GrapheneOS is.
What about DivestOS? Only option for a private system when you don't have a Pixel
Everyone talks about custom ROMs, it's so fucking annoying not a single one is supported on my Motorola g73. Next phone I'm getting is a Fairphone, and I'll dual boot a custom Android ROM and postmarketOS.
I recommend checking this table out.
CalyxOS misses the mark imo. It does a couple things well (such as its improved Dialer app, and the ability for hotspots/tethered devices to be able to use the phone's VPN/Tor) that I hope to see other projects adopt, but beyond that, it just doesn't seem to stack up.
I'm not trying to bash them or anything because at the end of the day, they clearly have good intentions which I can respect, but I do hope they improve on a lot of things, because in its current state, CalyxOS just doesn't even compare to GrapheneOS or DivestOS.
The only thing that stops me from installing Graphene is that I need some apps that I'm not sure will work with this OS.
GrapheneOS has pretty much perfect app compatibility. I don't think I've ever run into an issue in around a year of using it as my daily driver.
Most apps function without Play Services, but you may lose some functionality like notifications, and a couple apps do very rarely genuinely break. But, that's where Sandboxed Play Services comes in, which you can even put in an entirely separate user profile if you want to, so that you can still safely use those apps.
But yeah, I've personally had no issues with app compatibility. Even my bank app works perfectly on Graphene (didn't even require Play Services either!).
In order to have google apps and google services on an android installation that doesn't have them yet, you need to sideload them. LineageOS has a list of GApps zips and here's an example of how to install them for a FairPhone running LineageOS.
If you look into the zip, in /system/system_ext/etc/permissions/privapp-permissions-google-system-ext.xml, you can see all the permissions given to it as a system application. android.permission.RECOVERY, android.permission.MANAGE_USERS, android.permission.INTERACT_ACROSS_USERS stand out the most. These permissions allow the phone to be started, arbitrary apps to be installed and users to be created with new permissions.
Google Services doesn't need to have access to camera or any other component as it can install whatever it likes that has access to those.
Let's not kid ourselves, if you have Google Services installed, you have a rootkit installed with a bunch of proprietary code.
Here's the entire file for reference and you can look up each permission individually to see what access will be given.
Lemmy doesn't handle XML in triple backticks well (at all).
Thanks for the detailed response. Creating/interacting between new users is a serious opportunity for permission bypass. Content of the file won't load for some reason, but still :)
I am still not sure if sandbox is completely disabled for system applications. No comments with real arguments. But thank you, guys :)
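For readers who want to inspect a privapp-permissions allowlist like the one named in the thread, here is an added example that is not code from any commenter or from the GApps package. It parses the AOSP privapp-permissions XML layout and reports, per package, which allowlisted permissions match the three the comment singles out; the sample XML, its package names and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The three permissions the thread says stand out the most.
FLAGGED = {
    "android.permission.RECOVERY",
    "android.permission.MANAGE_USERS",
    "android.permission.INTERACT_ACROSS_USERS",
}

# Constructed sample in the privapp-permissions allowlist layout.
# Package names are placeholders, not taken from a real GApps zip.
SAMPLE_XML = """<permissions>
    <privapp-permissions package="com.example.privapp.core">
        <permission name="android.permission.RECOVERY"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.READ_PHONE_STATE"/>
        <deny-permission name="android.permission.WRITE_SECURE_SETTINGS"/>
    </privapp-permissions>
    <privapp-permissions package="com.example.privapp.setup">
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.CHANGE_CONFIGURATION"/>
    </privapp-permissions>
</permissions>
"""

def audit_privapp_permissions(xml_text, flagged=FLAGGED):
    """Return {package: {"granted": [...], "denied": [...], "flagged": [...]}}."""
    root = ET.fromstring(xml_text)
    report = {}
    for entry in root.iter("privapp-permissions"):
        pkg = entry.get("package", "<missing package attribute>")
        rec = report.setdefault(pkg, {"granted": [], "denied": [], "flagged": []})
        for child in entry:
            name = child.get("name")
            if not name:
                continue  # malformed element, nothing to record
            if child.tag == "permission":
                rec["granted"].append(name)
                if name in flagged:
                    rec["flagged"].append(name)
            elif child.tag == "deny-permission":
                rec["denied"].append(name)
    return report

if __name__ == "__main__":
    for pkg, rec in audit_privapp_permissions(SAMPLE_XML).items():
        print(f"{pkg}: {len(rec['granted'])} allowlisted, flagged: {rec['flagged'] or 'none'}")
```

To audit a real file, extract it from the zip and pass its text to `audit_privapp_permissions`; extend `FLAGGED` with any other permissions you want called out.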