![]() ![]() It will also always be chasing a moving target while offering poorer security than the real thing if the focus is on simply getting things working without great care for doing it robustly and securely. That wouldn't ever be something users could rely upon. GrapheneOS won't take the shortcut of simply bundling a very incomplete and poorly secured third party reimplementation of Google services into the OS. > We aren't against users using Google services but it doesn't belong integrated into the OS in an invasive way. I fall into the latter, but I think a lot more work still needs to be done if we want to achieve this. In the hacker circles it seems there's two groups of people: those who think Android is a lost cause because it will always be controlled by Google, and think Linux phones are the only real alternative, and those who believe we can actually "steal" Android back from Google and make it into a true open source project. Modify Gotify, an open source self-hosted push server, to accept push notifications in the Web Push format. We could perhaps allow users to self-host their push service as well. ![]() Perhaps we could implement a Web Push compatible API, and reverse engineer Chrome's Firebase integration to implement it as an option from the get-go, hoping other providers show up over time. Providers could be installed as separate apps. It would probably be possible to offer an installable platform-agnostic push notification API that developers can use. ![]() push notifications) and developer documentation that provides instructions on how to switch from Google (ideally making the transition as easy as possible by emulating the Google API syntax). Perhaps the community should create their own open-source alternatives to the most commonly used APIs (e.g. Google owns `` and points developers towards using Play Services APIs wherever possible. We just need to convince them that they don't need Google. Each developer has the choice of whether to include Google or not within their app. I think sandboxed Play Services is the most sane approach the problem of Play dependencies the community has come up with so far, but I think if we want real change to happen, we need to target app developers. Community projects that enable it to do so, like microG, will always be a cat-and-mouse game with Google. My problem with Android is that it was not built to function without Play Services. This belief is shared by the GrapheneOS developers. I expect most users of custom ROMs to continue installing Play Services on top of them for a long time, if they want something as basic as push notifications to work.īy the way, while I personally have qualms with Google, I believe users should have the choice to use Google apps, if they are comfortable with the inherit privacy risks. But will we ever be able to fully decouple Google from Android? I'm not sure. Projects like GrapheneOS are really interesting because they are finally providing a real secure, private, de-Googled OS option, with excellent app compatibility thanks to sandboxed Play Services (which allows you to run Play Services without giving it root access to your device ). Another example is SafetyNet hardware-backed attestation. This is one of the many ways Google aims to maintain their monopolistic control over "open source" Android. This could have been done for Android, but that would have given Google much less control over the platform, so they decided to do it in a monopolistic way. ![]() And this isn't a security risk, because everything sent through the service is encrypted. But each provider's endpoint uses the same standardized API, so the backend doesn't have to care what the URL is. If you use Chrome, the domain will be ``, but on Firefox, it's ``. The Web Push API also works this way, but the returned endpoint can be for any provider. Google's push service works by providing an HTTP endpoint to apps that they can use on the backend to deliver notifications. It makes sense that push notifications should be consolidated to one provider - this way, your device only needs to maintain one 24/7 TCP connection to a server which it receives all notifications from all apps through, rather than having each app run its own notification service in the background, killing your data and battery life. The Web Push API is a great example of how a push API can be provider-agnostic. The correct solution here would have been a system-level, open source, provider-agnostic push notification API built into AOSP. But Google didn't have to lock users in to their own service to provide a good push notification system on Android. Restricting background apps by default is probably good. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |