Database Info

Official statement from Google regarding the Cyanogen controvery

I have no idea where this needs to be posted. There are a number of different threads regarding this topic, and I know at least one of them are locked. So mods, feel free to move, delete or merge this as you see fit.
Google, via the Android Developers Blog, issued a statement a short while back. Here it is ...
A Note on Google Apps for Android
Posted by Dan Morrill on 25 September 2009 at 2:31 PM
Lately we've been busy bees in Mountain View, as you can see from the recent release of Android 1.6 to the open-source tree, not to mention some devices we're working on with partners that we think you'll really like. Of course, the community isn't sitting around either, and we've been seeing some really cool and impressive things, such as the custom Android builds that are popular with many enthusiasts. Recently there's been some discussion about an exchange we had with the developer of one of those builds, and I've noticed some confusion around what is and isn't part of Android's open source code. I want to take a few moments to clear up some of those misconceptions, and explain how Google's apps for Android fit in.
Everyone knows that mobile is a big deal, but for a long time it was hard to be a mobile app developer. Competing interests and the slow pace of platform innovation made it hard to create innovative apps. For our part, Google offers a lot of services — such as Google Search, Google Maps, and so on — and we found delivering those services to users' phones to be a very frustrating experience. But we also found that we weren't alone, so we formed the Open Handset Alliance, a group of like-minded partners, and created Android to be the platform that we all wished we had. To encourage broad adoption, we arranged for Android to be open-source. Google also created and operates Android Market as a service for developers to distribute their apps to Android users. In other words, we created Android because the industry needed an injection of openness. Today, we're thrilled to see all the enthusiasm that developers, users, and others in the mobile industry have shown toward Android.
With a high-quality open platform in hand, we then returned to our goal of making our services available on users' phones. That's why we developed Android apps for many of our services like YouTube, Gmail, Google Voice, and so on. These apps are Google's way of benefiting from Android in the same way that any other developer can, but the apps are not part of the Android platform itself. We make some of these apps available to users of any Android-powered device via Android Market, and others are pre-installed on some phones through business deals. Either way, these apps aren't open source, and that's why they aren't included in the Android source code repository. Unauthorized distribution of this software harms us just like it would any other business, even if it's done with the best of intentions.
I hope that clears up some of the confusion around Google's apps for Android. We always love seeing novel uses of Android, including custom Android builds from developers who see a need. I look forward to seeing what comes next!
Click to expand...
Click to collapse
Source:
http://android-developers.blogspot.com/2009/09/note-on-google-apps-for-android.html

Yep, it's over.

We're still asking for community access to these applications that are almost essential to the current Android experience. I really doubt it's hurting their bottom line substantially enough to justify the killing of their distribution.
In other words, Mr. Morrill's post was pretty much a sugarcoated attempt to gain some of the PR they lost.
We always love seeing novel uses of Android, including custom Android builds from developers who see a need.
Click to expand...
Click to collapse
A "novel" use from a developer who "sees a need" is quite a way to describe a substantially improved version of your OS.

So what is the conclusion? A lot of the things could be replaced, but as mentioned before, the sync tools and so forth are tricky to get around. What is the next step from here?

cyanogen said:
Yep, it's over.
Click to expand...
Click to collapse
How so? What would be wrong with releasing the ROM without the google apps, but have a script or something that runs on first boot that installs the missing apps?

cyanogen said:
Yep, it's over.
Click to expand...
Click to collapse
So no more ROMs? Or no more ROMs with close-source apps?

AquaVita said:
How so? What would be wrong with releasing the ROM without the google apps, but have a script or something that runs on first boot that installs the missing apps?
Click to expand...
Click to collapse
It's still illegal. A clever trick to walk around the legal fine print. But in essence, it's illegal...

AquaVita said:
How so? What would be wrong with releasing the ROM without the google apps, but have a script or something that runs on first boot that installs the missing apps?
Click to expand...
Click to collapse
Without the basic function to sign into the device using your Google credentials, the ROM is useless. You can't just grab them from another build (as far as I know) because of the way they are tied in at compiling to the framework. So you would have to pull the ROM, grab the proprietary pieces from somewhere else, and compile the source yourself.
Right?
To touch on this in another way, what would it take for Cyanogen to become a licensed distributor of Google's Apps for Android? If there are really 30,000 users, couldn't legal fees be gathered from them? And, couldn't the business license be set up as a Not-For-Profit? Like the Association of Cyanogen Followers? If it were, wouldn't the required fees to license the distribution rights of the software be tax-free and operating expenses for the association? Meaning, any costs for running the business could be taken out of membership dues and donations? With the rest being tax write-offs?
Just a thought, as I would love to see this made legit, 4.0.4 is great, but I don't want this to stop here.... selfish I know, but it's the truth.

AquaVita said:
How so? What would be wrong with releasing the ROM without the google apps, but have a script or something that runs on first boot that installs the missing apps?
Click to expand...
Click to collapse
I guees thats no way. What if you have a wipe? No APNs or anything else? You cant dowmload "Market" als a single-app directly from google (as i know).

daveid said:
Without the basic function to sign into the device using your Google credentials, the ROM is useless. You can't just grab them from another build (as far as I know) because of the way they are tied in at compiling to the framework. So you would have to pull the ROM, grab the proprietary pieces from somewhere else, and compile the source yourself.
Right?
Click to expand...
Click to collapse
Then what the hell is google talking about "encouraging other ROM releases"? If that isn't possible without some pieces of Google software, then is it literally impossible to develop a custom ROM for android?
Thoughts, Cyanogen?

As soon as my contract is I am Too! I can predict a mass exit from android and google!

daveid said:
Without the basic function to sign into the device using your Google credentials, the ROM is useless. You can't just grab them from another build (as far as I know) because of the way they are tied in at compiling to the framework. So you would have to pull the ROM, grab the proprietary pieces from somewhere else, and compile the source yourself.
Right?
Click to expand...
Click to collapse
Is this true? If its proprietary how did CY compile them in the first place? In order to compile don't you need access to the source?

So just come up with replacements for those apps that are closed source and not available on the market...
Devs WILL find a way... I guarantee you
But yeah, Google SUCKS on this...They could have just given him limited licensing...

Without a doubt the most foolish decision I've seen Google make in terms of Android so far. This puts a major damper on a community that was helping make Android better in very real ways.
The only explanation I can come up with is that the closed apps use 3rd party licensed code that Google can't redistribute. Otherwise this is just completely boneheaded.

Google said:
With a high-quality open platform in hand, we then returned to our goal of making our services available on users' phones. That's why we developed Android apps for many of our services like YouTube, Gmail, Google Voice, and so on. These apps are Google's way of benefiting from Android in the same way that any other developer can, but the apps are not part of the Android platform itself. We make some of these apps available to users of any Android-powered device via Android Market, and others are pre-installed on some phones through business deals. Either way, these apps aren't open source, and that's why they aren't included in the Android source code repository. Unauthorized distribution of this software harms us just like it would any other business, even if it's done with the best of intentions.
Click to expand...
Click to collapse
They claim these apps (YouTube, Gmail, etc) are Googles way to benefiting from Android, but they are not distributed with all android phones? I understand that companies license these applications from Google, but how does it hurt them if they are installed on a device that would already have them?
Then they say "We make some of these apps available to users of any Android-powered device via Android Market", yet this entire thing came about because the Android Market is being distributed? How can any device get these if the market is one thing that can not be distributed?
I paid for the ADP1, which came with Gmail, YouTube and the other applications. The ADP1 feature was that I could flash any ROM I wanted to on the device, but now they are telling me that I can't put one on there if it contains their applications that my device had in the first place.
Hello Google, welcome to the the Dark side, so much for "Don't be evil"
I will help with anything I can on a project to replace the Google Products.

AquaVita said:
How so? What would be wrong with releasing the ROM without the google apps, but have a script or something that runs on first boot that installs the missing apps?
Click to expand...
Click to collapse
ya i was thinking the same .i mean if not ,how do we get gmail ,youtube,ect?do we have to download from market ? some are not in market like youtube.i use gmail all the time .

Do the current Roms have to pulled?

That shiny device with an Apple on it is looking mighty delicious

CyanogenMod officially done now:
http://twitter.com/cyanogen
"Sorry everyone, CyanogenMod in it's current state is done. I am violating Google's license by redistributing their applications."

dwang said:
Is this true? If its proprietary how did CY compile them in the first place? In order to compile don't you need access to the source?
Click to expand...
Click to collapse
I had assumed that they were "reverse-engineered" using something like baksmali, to gain access to the source.... I could be wrong.

READ ME: Clearing Misconceptions About CyanogenMod C&D

Lately a lot of threads have been popping up on this subforum and others with regard to the CyanogenMod C&D. A lot of these long threads seem to just be giant echo chambers filled with uninformed or ignorant end-users who don't understand the true nature of the situation. I am creating this thread to help clear up the misconceptions surrounding CyanogenMod, the AOSP, and Google's position in this matter.
Here are some common misconceptions and their clarifications:
"We should petition to keep Android open source!"
Click to expand...
Click to collapse
Google acquired Android, Inc. in 2005 and began investing time and manpower to develop the Android operating system into a fully fledged mobile operating system. The entire project was open sourced in October 2008 to coincide with the first public availability of the Dream hardware. Since then, the Android Open Source Project (which consists of all the source code required to build a working Android environment) has been completely open source. Period.
On top of the completely open source operating system, Google also bundled several useful applications into many stock builds of Android. These builds are commonly referred to as "Google Experience" builds, and the apps include things like the Market, GMail, Youtube, etc. These are NOT a part of the Android Open Source Project, they NEVER WERE a part, and it is unlikely that they ever will be. Many end users seem to have the misconception that these apps are and/or should be a part of the AOSP. They are not. Period.
"Google is trying to keep me from installing other ROMs [sic]!"
Click to expand...
Click to collapse
The C&D letter to Cyanogen was not meant to suppress users from using non-official builds ("ROMs"). The purpose of the cease and desist letter was to stop Cyanogen from continuing to redistribute without permission the proprietary Google-specific apps described above. This is completely within Google's right to do so.
Now to be fair, the work done on xda has often skirted the matter of unauthorized redistribution. In fact, without unauthorized redistribution, it would be difficult (but not impossible) to "cook ROMs". However, unauthorized redistribution has generally been viewed as an unspoken, ungranted privilege. If the company holding the rights to the related software issues a cease and desist letter, the community must respect that choice. To fail to do so would only serve to delegitimize what we do here and risk the survival of the os hacking community as a whole. Users with an overinflated sense of entitlement, you are not welcome here!
"I bought the phone, I should have a right to use the proprietary Google software however I like."
Click to expand...
Click to collapse
Generally, being legally licensed to run a software package does still impose limitations on your usage of it (e.g. you cannot make unauthorized copies or disassemble it). However, in this case, the violation is not in the end-user act of installing CyanogenMod, it is with Cyanogen distributing it. And by no means is this singling out Cyanogen; any "ROM cooker" that includes copyrighted proprietary software in the updater (which at this point is the majority of them) is potentially risking a legal letter.
"Google should not have waited until Cyanogen had worked so much to shut him down!"
Click to expand...
Click to collapse
As in #2, I have to emphasize that unauthorized redistribution is something of an unspoken tacit permission. "ROM cookers" therefore need to exercise good judgement. Back when builds were simply slightly modified versions of stock update.zip files, it was easy for Google to turn a blind eye. The latest CyanogenMod installer included a leaked pre-release version of the Android Market software. Now, I hope it's plainly obvious for even the most oblivious reader, but if you leak a company's unreleased proprietary software before their official release, chances are you will piss them off. Leaks like this have several potentially negative consequences for companies: 1) decreased perceived quality because the program had not been fully debugged, 2) ruining planned launch timelines, 3) causing server backend issues due to unrecognized clients logging in.
Bottom line is this: if you are a "ROM cooker" and you absolutely have to include proprietary copyrighted software in your build, DO NOT INCLUDE ANY UNRELEASED SOFTWARE. You will very likely get C&D'd.
"Google should appreciate Cyanogen's hard work!"
Click to expand...
Click to collapse
From the time you boot up your phone to when you run that first app, probably somewhere like only 1% of the code is written by the "ROM cook". The process of "cooking a ROM" is not, for the most part, programming.
If you want to give credit where credit is due, for the most part you would be thanking Linus Torvalds and the contributors of the Linux kernel, the Android Open Source Project team, and the folks who really did the groundbreaking work establishing root access on the Dream.

good post!

Agreed, very good post..

Maybe someone can clear something up for me (its been bugging me a little)
If i compile from source i need to add files that are pulled from my phone.
Does this mean that ALL roms are technically illegal, even if they dont include the google closed source programs.
Or are we ok to include these files as they are needed for the phone to work, so considered closed source but part of asop?
I have not seen this addressed and i am curious what the state of play is with these files.

Agreed ........ !

Thank you for taking the time to clear things up. Hopefully this will help folks gain some perspective and move toward productive directions.
If i compile from source i need to add files that are pulled from my phone.
Does this mean that ALL roms are technically illegal, even if they dont include the google closed source programs.
Or are we ok to include these files as they are needed for the phone to work, so considered closed source but part of aosp?
Click to expand...
Click to collapse
Good question. It certainly means the ROM is not purely open-source, at the least.
My sense is that those files are the property of HTC and we don't have a license to redistribute them.
Now I don't really expect HTC to serve anyone with a C&D anytime soon, for various reasons, but until a ROM cook gets a written license to redistribute those files from HTC, or until a fully open-source rewrite of those files is done, it's a gray area at the very least.

vixsandlee said:
Does this mean that ALL roms are technically illegal, even if they dont include the google closed source programs.
Click to expand...
Click to collapse
Speaking very technically: yes, because you do not have the express right to redistribute the binary drivers for things like the wifi module or the radio. In reality, these pieces of code are so tightly tied to the hardware that it is unlikely you will get a c&d for redistributing them. However, in the hardcore open source community, even these drivers will be left out, requiring the user to fetch them for him/herself. That would be the 100% license-compliant way.
I'm pleased to say though, there are already many people working on semi and full license compliance methods and "ROMs". Just take a look at the first two pages of this subforum.

vixsandlee said:
If i compile from source i need to add files that are pulled from my phone.
Does this mean that ALL roms are technically illegal, even if they dont include the google closed source programs.
Or are we ok to include these files as they are needed for the phone to work, so considered closed source but part of asop?
Click to expand...
Click to collapse
Read the post again. It's illegal to even copy the Google APKs files out of an original installation and import it into a custom ROM. The major issue was that all ROM creators were importing the Google Apps which are "closed-source" into their own legal open-source code.
I guess now, it'll be down to the individual to decide whether they want the Google Apps in their phone. That's why scripts have been created to give the user a choice on whether to do the illegal act of placing the Google Apps onto their phone.
Google are unlikely going to chase you the individual down rather than the ROM creator (like in Cyanogen's case with the C&D letter).
Hope this helps.

ok. so then all this is not because of the google propriatary crap, but because he released the market early, so google just USED this BS reason to stop that? in other words, had he not released it early, nothing would have happened?
if thats the case, i dont blame cyanogen, but i blame ALL those GREEDY users that MUST have EVERYTHING before everyone else because they feel they need to be the best. you greedy punks almost ruined it for everyone. from what i see cyanogen usually tries his best to do what the people want, had the people not wanted the market so early(its not even that great, just new colors "ooohhh wooow ive never seen colors before i must have that! and now!".. ridiculous.) then this wouldnt happen.
now from i see the latest and "greatest" usually comes in the experimental releases. i think, cyanogen should shut down the experimental releases, or only release them to certain people.. or make it a lot LESS public..that way he can keep testing the stuff till its good and then release it as stable when he sees fit. i mean come on, 4.0.4 is already awesome!! i love it! been using since forever. why couldnt everyone else just be happy with 4.0.4?
and like the post said, dont be stupid and release some leaked program. cause it doesnt just shut you down its gonna shut everyone down. unfortunately i see that soon some noob working on hero roms is gonna release something, and then HTC will be here next.
oh and add this in there:
My guess is that Google has known for some time what was going on, but probably thought 'best not to upset the apple cart' while Android was in its infancy, with only one or two devices from a single manufacturer available on a single carrier. Now that we are on the verge of Android devices being shipped from at least five hardware vendors with over half a dozen carriers, Google probably felt that they needed to get a handle on this. I sense they feared things getting out of control with modders doing willy-nilly ports of innovations from one vendor/carrier to another—e.g., Motoblur on HTC devices and HTC Sense on Motorola devices. I think Google's legal team had a strong part in what took place, and forced action.
Click to expand...
Click to collapse
and i just saw a rom that got some of the motoblur stuff mixed with hero and for the g1. how long do you think till motorola and HTC are here complaining about software on the g1 that isnt supposed to be?

Why don't Google offer these closed-source apps like they do for Google Maps? They could only benefit from more users having the 'Google Experience', even though their phones don't have them pre-installed.

TunsterX2 said:
I guess now, it'll be down to the individual to decide whether they want the Google Apps in their phone. That's why scripts have been created to give the user a choice on whether to do the illegal act of placing the Google Apps onto their phone.
Click to expand...
Click to collapse
If a user downloads a "ROM" without Google apps on it, downloads an official update.zip from google.com, and then copies the Google apps from the official update into the cooked "ROM", that completely mitigates the problem of unauthorized distribution and only leaves the much less sticky issue of unauthorized usage. Unauthorized usage is typically a lot less offensive to the interested companies and definitely a lot less enforceable. There are likely some EULAs somewhere governing the usage of the Google apps (GMail, Market, etc) and except for Market I would be surprised if they explicitly required the app to run on authorized distributions only. But again like I said, it would be difficult to detect, let alone enforce.

peshkata said:
Why don't Google offer these closed-source apps like they do for Google Maps? They could only benefit from more users having the 'Google Experience', even though their phones don't have them pre-installed.
Click to expand...
Click to collapse
That's a very good question, and one I sure would like the Android team at Google to answer. The only app I see being a problem would be Market, since it requires a secured app-private to function properly (which would not be guaranteed on a non-GE phone).

Your post nicely presents the legal aspects and rights of Google but IMHO misses the larger point. The open source community was believing in the ideals of open source and looking the other way at the control Google has over this platform. The pieces that Google controls are not easily (if ever practically) replaceable.
Google actions show that they are not that much different than Apple in trying to control the platform and the user experience. Don't be surprised to see Google behave more and more like Apple as the platform gets stronger and Google's need of an open community weakens.
The only bright spot is one that Google may have missed - that is their existing fight with Apple and AT&T regarding GoogleVoice. Their actions against Cyanogen gives Apple and AT&T ammunition in their arguments with the FCC, which is the last thing Google wants.
This is the only lever this community has over Google. Bring up the FCC and Google Voice case, and Google may back off.
For those who pray for Cyanogen to be hired by Google -- that is the last thing you want. We do not need Google having more control over him, but less.
For those who think that creating bypasses with clean roms and user-initiated backups will solve these problem -- these are short-term technical workarounds which Google could close too.

so with it being technically illegal its pointless (IMHO) being open source.
Its fine with taking from the community, but google seem unwilling to give anything back.
Roll on when full open source roms appear, It would be like a linux distro coming with everything but keyboard and mouse drivers.

This is all legally correct. But it misses the point of the uproar.
We did not expect Android to devolve into a squabble over closed source bits when the whole premise is open source. Goog has disappointed, plain and simple. Your sticky is an apologist's point of view since it doesn't address that fundamental issue.
edit: btw, if Goog was upset about the new Market app specifically, they could have blocked its access to the market using a client-check.

rbrahmson said:
This is the only lever this community has over Google. Bring up the FCC and Google Voice case, and Google may back off.QUOTE]
well think about it. where would google make more money, in allowing the deals it made with htc and motorola and stuff to fall apart because they allow none licensed people do distribute there apps, but keeping the community with them, and winning with google voice... OR in screw the community, keeping the deals on good grounds, and losing the google voice fight? seeing how apple is STILL WAY ahead of android in terms of users, its tough. because its basically, either google kills its own OS for phones, or starts letting go of the iphone ideas by starting with screwing the google voice. honestly, from what i can see, google is gonna come out losing either way lol
then again it is GOOGLE. they never loses anything =/ though with that BING thing growing.. the giant may go down some day. its getting attacked on all sides
Click to expand...
Click to collapse

vixsandlee said:
so with it being technically illegal its pointless (IMHO) being open source.
Click to expand...
Click to collapse
That depends on what your objective is. Open source has many benefits, and many of those are retained even if your distribution contains some closed-source elements. Another important aspect to remember is that while x86 PCs have had three decades to mature, smartphones have not had that same luxury. Given enough time, even hw drivers will become open sourced. So "pointless" is a bit hyperbolic.
Its fine with taking from the community, but google seem unwilling to give anything back.
Click to expand...
Click to collapse
The spirit of open source is the spirit of giving. In that vein, Google has invested considerable time building parts of the AOSP from scratch. To say that they are "unwilling to give anything back" is just a plain falsehood.
Roll on when full open source roms appear, It would be like a linux distro coming with everything but keyboard and mouse drivers.
Click to expand...
Click to collapse
Good luck finding an open source 3G radio driver.

If anyone has read any of the dialog between Steve (cyanogen) and some other Google employees about this issue (most notably JBQ), you would realize that the Google employees are trying to work with Steve.
There is dialog about making the AOSP able to be built and fully functional and distributable without infringing on anyone's rights. This includes investigating other avenues for users to acquire and legally install the Google applications.
The current belief is that Google's legal team sent the C&D letter to Steve, and that it was not done so at the request of the Android developers. They most likely would have liked to work with him quietly and amicably.
Also, please remember that the Market application is not a part of AOSP. The Market application is Google's proprietary code; it is not part of the Android base. Not all Android devices have Google's Market—that is why there are other markets and means of installing software.
I have no doubt that this "controversy" will ultimately be for the best. I believe that Steve, JBQ and the rest of Google/Android will find a middle ground that will work best for everyone. (JBQ has an excellent history of working with other developers and finding good solutions for all—I remember back when he was working at Be and how helpful he was to all of those writing applications for BeOS.)

ytj87 said:
We did not expect Android to devolve into a squabble over closed source bits when the whole premise is open source.
Click to expand...
Click to collapse
So what you're saying is you expected everything included in a Google Experience phone to be open source? I think the problem here is you (and the people you lump into "we") don't understand that Android isn't just built for users, it's also built for handset manufacturers. Quote from the OHA website:
Why did you pick the Apache v2 open source license?
Apache is a commercial-friendly open source license. The Apache license allows manufacturers and mobile operators to innovate using the platform without the requirement to contribute those innovations back to the open source community. Because these innovations and differentiated features can be kept proprietary, manufacturers and mobile operators are protected from the "viral infection" problem often associated with other licenses.
Click to expand...
Click to collapse
In light of that, I don't feel its necessary to dignify the rest of your post with a response.

peshkata said:
Why don't Google offer these closed-source apps like they do for Google Maps? They could only benefit from more users having the 'Google Experience', even though their phones don't have them pre-installed.
Click to expand...
Click to collapse
Because they charge companies like T-Mobile to offer the phone "With Google". If Google put them on the market, then, according to google, any android device would be able to get these applications. So why would T-Mobile pay to have them included. This how Google makes money off of android, this is why they bought it in the first place. They didn't develop android for the open source community, they are a publicly traded company, all their share holders want to know is "How is this going to make use money?". But it is great that the platform is open.
But that brings up Google's "response" where they state any android device can get applications via the Android Market. How can ANY android device get these applications from the market, if only "With Google" devices ship with the market...

[Q] Info on Android bug 8219321 (Android Master Keys)?

Hi All,
Has anyone gotten any details of Android bug 8219321 being discussed in the media? That's the Android master key talk coming up at Black Hat. AOSP bugs reporter is not showing any information (http://code.google.com/p/android/issues/list).
I'm wondering if the platform builders are using the default keys. Marko Gargenta discusses the four default keys briefly in http://www.youtube.com/watch?v=NS46492qyJ8. (Excellent video, btw).
Are there any controls we can place to mitigate the possible threats (assuming they are threats)?
Jeff

noloader said:
Hi All,
Has anyone gotten any details of Android bug 8219321 being discussed in the media? That's the Android master key talk coming up at Black Hat. AOSP bugs reporter is not showing any information (http://code.google.com/p/android/issues/list).
I'm wondering if the platform builders are using the default keys. Marko Gargenta discusses the four default keys briefly in http://www.youtube.com/watch?v=NS46492qyJ8. (Excellent video, btw).
Are there any controls we can place to mitigate the possible threats (assuming they are threats)?
Jeff
Click to expand...
Click to collapse
From everything I have read, this 'bug' won't really affect anyone unless somebody manages to get malicious code onto your Android device. Therefore, the best way to limit the risk is to only install reputable apps from the Play Store - don't use other dubious sites or .apk copies, don't install brand new, unproven apps etc.

SimonTS said:
From everything I have read, this 'bug' won't really affect anyone unless somebody manages to get malicious code onto your Android device. Therefore, the best way to limit the risk is to only install reputable apps from the Play Store - don't use other dubious sites or .apk copies, don't install brand new, unproven apps etc.
Click to expand...
Click to collapse
Thanks, I've been reading that stuff too. From http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/:
Device owners should be extra cautious in identifying the publisher of the app they want to download.
Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.
This advice is useless. For example, "device owners should be extra cautious in identifying the publishers [sic]." The code signing model using self signed certificates does not lend itself to identifying anyone. The relationship that exists is between Google and the publisher; and does not extend to the user. The only thing self-signed certificates ensures is that an app can only be updated by the same author. Even Apple or Microsoft's PKI and code signing model do not make those guarantees (read their CPS'es some time).
Below is from Nikolay Elenkov in an off-list reply. Nikolay does excellent work with Android security (http://nelenkov.blogspot.com/), and can be often found hanging out on Android Security Discussions (https://groups.google.com/forum/#!forum/android-security-discuss).
They are using the 'master key' phrase to hype this up, but this has nothing to do with keys. This is related to the way Android verifies APK (JAR) signatures. A specially crafted APK can be repackaged without invalidating the original signature....
Click to expand...
Click to collapse
Jeff

Alternatives to download official apps

Hi,
The vast majority of my apps come from F-droid and Github but a few ones can only be downloaded on the Google Play Store.
I don't have Google services on my device so I'm looking for a reliable tool/website to update those apps. I know Raccoon but a PC is required and I don't have one during the week.
I found APKpure a few weeks ago. Apparently all apps have to pass a signature verification so they guarantee safe downloads. It seems legit and I did compare the SHA1 of their apk and the one downloaded from Google Play. The apk hasn't been altered. One positive result doesn't mean that we can't have negative ones though
I don't like "mirror websites". The owner of apkpure, apkupdate and apkplz seems to be the same so it's more complicated for me to trust those sources. Why do they need all these websites? I didn't find any legal information BTW...
No paid apps can be downloaded on these websites so my only suspicion is that they could add malwares into some (famous) apps. Of course, original apps can also have malwares on Google Play.
For the record, I uploaded the few apks I downloaded to VirusToral and nothing has been detected.
Last but not least, Apkpure provides a dedicated app to install and update apps, which is great even if they suggest me new versions that aren't officially available yet. (probably related to a region restriction or a delay from Google to push the app update for all countries).
What do you think about these websites? Do you know a safer way?

I don't have google apps also, using apk pure for now, everything is well.

BlankStore should work for most free apps.
http://forum.xda-developers.com/showthread.php?t=1715375

Wakamatsu said:
BlankStore should work for most free apps.
http://forum.xda-developers.com/showthread.php?t=1715375
Click to expand...
Click to collapse
Yes, I know but it uses Gmail IDs (with a connection to Google servers). Last but not least, the project is discontinued for several months.
I was going to give a try to Blankstore this weekend and it doesn't seem to be a reliable alternative in the medium term.

Primokorn said:
Yes, I know but it uses Gmail IDs (with a connection to Google servers). Last but not least, the project is discontinued for several months.
I was going to give a try to Blankstore this weekend and it doesn't seem to be a reliable alternative in the medium term.
Click to expand...
Click to collapse
@Primokorn ,
what about its alternative.
http://forum.xda-developers.com/showthread.php?t=3217616
would really be interested in your opinion (if you look into it and dont mind ).
"err on the side of kindness"

Primokorn said:
Yes, I know but it uses Gmail IDs (with a connection to Google servers).
Click to expand...
Click to collapse
I created a throwaway gmail account for this but I get your point.
Primokorn said:
Last but not least, the project is discontinued for several months.
I was going to give a try to Blankstore this weekend and it doesn't seem to be a reliable alternative in the medium term.
Click to expand...
Click to collapse
It's discontinued in the sense that he will not move further with that particular project in favour of another but he will still make fixes when a Google update breaks BlankStore function. It's been "discontinued" since version 0.7.1.

I have a old device just for this purpose.
It has no info on it
Everything possible has been removed that's not needed
(Like calender and contacts etc)
All it does is connect to Wi-Fi to get apps from Google play
Even paid apps.
And I harp non stop to developers and leave feedback on apps that don't support offline use.
(Is in app purchases, online verification, etc things that can be stored on device over getting from internet every time)
I don't see the point of getting apps elsewhere when they will do the same thing to you as Google..But with less oversight.
Virus checkers are pointless when apps are Trojans..
Or have them built in.
I consider any software that mines any thing from your device, without declaring exactly what it is doing every time, nothing other than a Trojan.
Google and it's partners will always push for a proprietary distribution system claiming it will keep you secure
When I'm truth what it does is you your money going to them
When I've had to I've gotten my apks from some very unusual places.
But then you can get some very bad software from very official places.

mrrocketdog said:
@Primokorn ,
what about its alternative.
http://forum.xda-developers.com/showthread.php?t=3217616
would really be interested in your opinion (if you look into it and dont mind ).
"err on the side of kindness"
Click to expand...
Click to collapse
I use microG framework for several weeks now
Wakamatsu said:
It's discontinued in the sense that he will not move further with that particular project in favour of another but he will still make fixes when a Google update breaks BlankStore function. It's been "discontinued" since version 0.7.1.
Click to expand...
Click to collapse
I didn't know that. Thanks for the heads-up! I wanted to give a try this weekend but I had serious with my laptop I keep that in mind for the next time.
nutpants said:
I have a old device just for this purpose.
Click to expand...
Click to collapse
What an expensive alternative! I'm used to sell my current device to buy a new one and that's not handy IMHO.
nutpants said:
And I harp non stop to developers and leave feedback on apps that don't support offline use.
(Is in app purchases, online verification, etc things that can be stored on device over getting from internet every time)
Click to expand...
Click to collapse
Solutions exist for devs to not use Google Play online verification but they want to use it to punish users who download warez. Even if I can understand this point of view, we wouldn't have warez with FLOSS softwares.
nutpants said:
Google and it's partners will always push for a proprietary distribution system claiming it will keep you secure
When I'm truth what it does is you your money going to them
Click to expand...
Click to collapse
I have done some fruitful research to prepare an article about GAFAM and other big companies. In addition, Google doesn't protect our freedom of speech (I noticed this many times with 'ordinary people').
Now that I clearly know what they did/do/will do, how could I still use their services?!? My next Android work will be published under GPL v3, I already stopped any operations on Google Play and I try to push devs to offer free/libre softwares. Marcel (M66B on XDA) is the perfect example of an awesome developer :good:

Primokorn said:
I use microG framework for several weeks now
What an expensive alternative! I'm used to sell my current device to buy a new one and that's not handy IMHO.
Solutions exist for devs to not use Google Play online verification but they want to use it to punish users who download warez. Even if I can understand this point of view, we wouldn't have warez with FLOSS softwares.
Click to expand...
Click to collapse
I rarely sell my devices, (i have 6 of 9 that I play with somewhat regularly sadly)honestly i keep the last one as a back up in case the new one has issues or a failure. And when I do think of it, it not worth the money to make it worth the time..
I still have my Windows mobile 2003 Siemens sx66
(Not that is have been turned on in years)
But really it's an investment in my security.
(And I no longer get the hottest newest devices asap anymore, that's a zero sum game that has few benefits beyond bragging rights)
My tablet dual boots between Google play only rom and everything else internet rom also.
I have yet to hear of a protection scheme that had not been broken in hours. I think bluray was the last major public disaster. If the time spent on protection was spent on quality assurance I think it would be a different landscape in the digital world.
Even with floss you have warez.. just in different forms. Mods,hacks, cracks, custom roms It all just words that describe one developer modifying others work without permission for features that are not present, either added or removed.
It's point of view.like anything.
Myself, I stand back and promote security,offline abilities and operation and open source.
It's where my money goes, my time and my vote. Every chance I get.

XDA: Focus on making independence accessible to android users!
@Primokorn: Thanks a zillion for starting this crucial discussion. I don't know how often i pointed out these issues.
Of course, i also have some aesthetic preferences. But diving through endless reefs of startup animation replacements, battery monitor alternatives and half-baked theme studies is not what i expected xda-developers.com to end up, 12 years after i started being around.
In my eyes, the whole aftermarket ado should be concentrated on maintaining the independency of the most popular mobile operating system of the universe by it's users. Crucial topics be
Liberating the app distribution architecture
Optimizing the permission restriction system
There are great approaches like the Aroma Installer, that have been employed to supply user friendly means for debloating and debranding. Have a look at the Screenshots of stockymod.
@nutpants:
And I harp non stop to developers and leave feedback on apps that don't support offline use.
Click to expand...
Click to collapse
I do the same thing to official institutions when they release apps. If i wasn't in that hyper-busy age around 40, i'd start a little riot about publicly funded software that ends up being published behind the wellknown golden cages exclusively. The necessity to change this in a grassroot movement is obvious.

Apkmirror.com

Did not know these existed, going to check this out!

Why isn't there custom opensource bootloaders like custom recoveries for android phones ?

This may be stupid, but I couldn't find any resources regarding this. We have custom recoveries for android devices but why isn't there custom bootloaders like there is for PCs ? Like in the PC space we have the likes of reFind and gnu grub.
Thanks

There are some instances of alternate bootloader projects. Just that they are not popular,
[Bootloader] LK for Xperia T
LK for Xperia T LT30p Only - Unlocked Bootloader Required WARNING 1: This modification makes changes to the devices partition table. I (lilstevie) am not responsible for any damage to your device or data loss that may occur. WARNING 2: ICS...
forum.xda-developers.com
EFIDroid
EFIDroid is a easy to use, powerful 2ndstage-bootloader based on EDKII(UEFI). It can be installed one-click with the EFIDroidManager app. You can add/remove/edit multiboot ROM's. There's no special support needed by ROM's or RecoveryTools(no...
forum.xda-developers.com
The developer of EFIdroid stopped developing in 2019.
efidroid on Android 9 and 10 devices ? · Issue #152 · efidroid/projectmanagement
Hi, I just want to know if efidroid supports devices with 6 GB RAM and 64/128 GB Storage devices running Android 9 and Android 10 ? thanks.
github.com

Not to mention you would need OEM's to cooperate....

Thanks @karandpr for that github comment a lot of info there. Thanks @galaxys too. So a quick summary would be that the reason is that for the bootloader to work smoothly there has to be support from the kernel too, which the OEMs should do and probably would not. But I didn't think about the support in the kernel was an issue. That does seem to be a lot of work and I see the reason now.

al_l_en said:
Thanks @karandpr for that github comment a lot of info there. Thanks @galaxys too. So a quick summary would be that the reason is that for the bootloader to work smoothly there has to be support from the kernel too, which the OEMs should do and probably would not. But I didn't think about the support in the kernel was an issue. That does seem to be a lot of work and I see the reason now.
Click to expand...
Click to collapse
I don't think Google intends to open up android anymore. They want restrictions like iOS but pretend to be open source for the "goodwill". What's the use of AOSP if you cant effectively install it on a device or your important apps don't work?
I believe PinePhones are the ones that can have truly open-source compatible hardware. The specs are underwhelming but the community is really good.
You can get spares easily and the battery is removable.
Only thing is they are mostly out of stock.

karandpr said:
I don't think Google intends to open up android anymore. They want restrictions like iOS but pretend to be open source for the "goodwill". What's the use of AOSP if you cant effectively install it on a device or your important apps don't work?
I believe PinePhones are the ones that can have truly open-source compatible hardware. The specs are underwhelming but the community is really good.
You can get spares easily and the battery is removable.
Only thing is they are mostly out of stock.
Click to expand...
Click to collapse
Yeah those are great but the problem is that they are not usable for "normies" which will prevent mass adoption and hence cannot have a sustainable business model.
But I think google is not the only one to blame, like couldn't the OEMs actually provide bootloaders that can boot signed os images. Or is there any technical or security difficuties in doing that.

al_l_en said:
Yeah those are great but the problem is that they are not usable for "normies" which will prevent mass adoption and hence cannot have a sustainable business model.
But I think google is not the only one to blame, like couldn't the OEMs actually provide bootloaders that can boot signed os images. Or is there any technical or security difficuties in doing that.
Click to expand...
Click to collapse
Normies are afraid to change the default browser, so bootloader is really out of their leagues.
Phone tinkering is a hobby, not a necessity. Phone tinkering itself is not a sustainable model.
Google is to blame primarily. Because they have a stringent list of requirements for devices to pass CTS. You can read the bootloader requirement and judge yourself.
Android 11 Compatibility Definition | Android Open Source Project
source.android.com
Without passing CTS, devices cannot use Google apps, they cannot get push notifications and they cannot pass SafetyNet checks used by most banking apps.
At the end of the day do I want to spend 100s of hours to bring a feature to an android phone which will probably be used by 10 users and deprecated by the time I finish doing it?
or do I want to buy a phone which will allow me to tinker freely in a community and ecosystem which allows modification?
For our tinkering pleasures, Pinephone is the way to go for now. They have support from Manjaro, Debian and KDE. Which is a big thing IMO.
Or else there you can roll your thing in RaspberryPi?

While going through related details I found an article about google probably switching to hardware based safetynet checks which could be ending google play compatibility on custom roms.
It really seems like google is using security as an excuse to make sure that there are no competitors in their business space.
Maybe this is because I have been only doing web development and only started learning app dev, but the reasons google use for CTS like for enforcing DRM, is also handled on websites while allowing openness and being neutral (or maybe the web is not as secure as something like this, so forgive me if I am wrong). Android could really take pages off the web ecosystem for being a neutral platform.
I really appreciate the patience for hearing out and also the references(and the rabbit holes that it was followed by) really taught me a lot about general android architecture.

al_l_en said:
While going through related details I found an article about google probably switching to hardware based safetynet checks which could be ending google play compatibility on custom roms.
It really seems like google is using security as an excuse to make sure that there are no competitors in their business space.
Maybe this is because I have been only doing web development and only started learning app dev, but the reasons google use for CTS like for enforcing DRM, is also handled on websites while allowing openness and being neutral (or maybe the web is not as secure as something like this, so forgive me if I am wrong). Android could really take pages off the web ecosystem for being a neutral platform.
I really appreciate the patience for hearing out and also the references(and the rabbit holes that it was followed by) really taught me a lot about general android architecture.
Click to expand...
Click to collapse
Theoretically, Google can end GPlay compatibility on Custom ROMs anytime they wish. It's just that lot of App Developers don't use SafetyNet the way it is intended and Google doesn't roll out its strict check. They do it once in a while.
They don't have any competitors in their business space. It's a very well-thought monopoly.
CTS restricts Google Play API access to vendor operating systems. So vendors like Samsung, OnePlus and others have to play by their rules. IIRC, the cost of Play API is around 15$ per device but it is subsidized for large quantities.
End users don't really care about Play API. But App Developers do.
Without Play services, there is no easy way to integrate push notifications, ads, maps, analytics, metrics, and so on. Rolling your own thing will take years to develop and won't work as seamlessly as the play service counterparts.
I don't think Google will ever cede their monetary interests for open collaboration.

karandpr said:
I don't think Google will ever cede their monetary interests for open collaboration.
Click to expand...
Click to collapse
Yeah that's for sure. The only way this monopoly can break is when an opensource alternative to google play services and other apis exist and while doing that it must be compatible with the existing google apis. And that is probably not going to happen in a long time. Although microg does solve this to some extent, but still it is a second citizen.
Some of the functionality is already there, like most of the google apps like docs and drive could replaced by nextcloud and then maps could be replaced by osmand. If some company, preferably an OEM, comes and integrates all of these into a package maybe there's hope. I think /e/ os tries to do this to some extent.

You might find this resource useful. As they have gone over a comprehensive set of bootloader software and tried to outline their primary features in detail. Hopefully, you’ll be able to determine the best one for your use case. https://www.ubuntupit.com/best-linux-bootloader-for-home-and-embedded-systems/