undefined | Better HN

0 pointspasserby14y ago0 comments

> stay as far away from MicroG as possible, it seriouly cripples the security of GrapheneOS by a lot.

Do you mind sharing some details on this? I did not hear strong statements like this one before.

0 comments

IIRC It requires allowing apps to mimic other app's signatures and pretend to be them, "signature spoofing". MicroG mimics the Google play services signature.

But that is really crippling, because apps can now spoof other apps signatures, essentially apps can pretend to be other apps. That opens a lot of opportunities for an attacker.

bnr4y ago

With the set of patches used eg in lineageos4microg, spoofing is restricted to the microG core app.

0xdeadb00f4y ago

You're still taking a risk. its a risk that I won't take but you're welcome to for the sake of convenience.

j / k navigate · click thread line to collapse

0 pointspasserby14y ago0 comments

> stay as far away from MicroG as possible, it seriouly cripples the security of GrapheneOS by a lot.

Do you mind sharing some details on this? I did not hear strong statements like this one before.

0 comments

0xdeadb00f4y ago

IIRC It requires allowing apps to mimic other app's signatures and pretend to be them, "signature spoofing". MicroG mimics the Google play services signature.

But that is really crippling, because apps can now spoof other apps signatures, essentially apps can pretend to be other apps. That opens a lot of opportunities for an attacker.

bnr4y ago

With the set of patches used eg in lineageos4microg, spoofing is restricted to the microG core app.

0xdeadb00f4y ago

You're still taking a risk. its a risk that I won't take but you're welcome to for the sake of convenience.

j / k navigate · click thread line to collapse