the answer is yes, unless you’re on GrapheneOS. Google Services is a privileged app and therefore it can bypass permissions as it sees fit.
GrapheneOS (optionally) installs it as a unprivileged app, which you can restrict permissions to. Still, I wouldn’t recommend installing it since they have extensive telemetry.
I wouldn’t be so sure about the possibility of a bypass. I’ve heard that system applications have more privileges, but sandboxing is still active and permissions work for them.
You can’t disable location permission for google services, so that’s obvious. But microphone/camera permissions can be disabled, that’s why I’m wondering.
I’m rooted with GSF, revoking some permissions forcibly from Play Services (most notably location access) causes the device to reboot, and the permission gets restored forcibly.
This never used to happen previously (the permission used to get revoked successfully, and things like Google Timeline would act as if your device had disappeared despite location being enabled). I assume a background update implemented this permission recovery mechanism - i’ve since disabled play store on my device and slowly been culling off my usage of other Google apps
There really should be no doubt that a system application can have unlimited and unrestricted access to everything, bypassing all security and sand boxing. That is the extent of the meaning of system app. It’s like having root privileges, admin access.
Whether Google makes use of it or not is something else, but it could be exploiting that privilege and with Google’s history and the fact that the distributed version of android which contains the google services pre installed is a custom version of android of which you’ll never see the source code, you really have to ask yourself.
That’s why GrapheneOS is so important: you are the user and you get to control how Android works: the way it actually should, where if you install google services (which is up to you!) it gets installed under your terms and with your permissions.
Would you care to put any weight behind your accusation?
The main issue I’m trying to expose is that any custom distribution by an OEM can implement any app/service the way they want. The android source code is available, any access and permission can be obtained depending on how you implement it in the source code. You can even weaken the security if you want. Any distribution by these OEMs is a secret sauce, you have no way of knowing what shenanigans they are pulling on your phone.
So yes, they can get root access if that’s what they want.
This is not to say they do. I’m just saying we have no way of knowing how things are implemented and hence why open source is so fundamental to security.
Edit: I concede that the strict definition of what considers a system app does not provide with these accesses. I’m saying any custom distribution with built in apps may have been customized to allow for these things to happen. Perhaps this is where we may have misunderstood each other.
It absolutely can. It took a screenshot of what I was doing without my permission. Only reason why I found out was cause it for a survey they were doing. So I wouldn’t be surprised if they’re doing it all the time without me knowing.
No, they meant that Google Play Services has telemetry.
Basically, GrapheneOS makes it much safer to use Google Play Services if you have to use it, though it still isn’t entirely safe and should generally be avoided where possible.
the answer is yes, unless you’re on GrapheneOS. Google Services is a privileged app and therefore it can bypass permissions as it sees fit.
GrapheneOS (optionally) installs it as a unprivileged app, which you can restrict permissions to. Still, I wouldn’t recommend installing it since they have extensive telemetry.
Isn’t the telemetry neutered by not giving GSF network permissions (on grapheneos)?
what’s the purpose of not giving it network permissions? you won’t be able to install apps, use push notifications or any other major functionality.
I could be missing something, of course.
Google services framework is a load of libraries for other apps to use; Google play store is something else on top.
Apps can depend on one or both.
I wouldn’t be so sure about the possibility of a bypass. I’ve heard that system applications have more privileges, but sandboxing is still active and permissions work for them.
Wasn’t there news a couple years ago that google tracked your location even if you had location turned off?
You can’t disable location permission for google services, so that’s obvious. But microphone/camera permissions can be disabled, that’s why I’m wondering.
You can even turn off sensors in Androids developer options, but your dialer app for example will still be able to use your microphone
As long as the hardware isn’t physically disconnected, you kinda have to assume it can be used and abused.
I’m rooted with GSF, revoking some permissions forcibly from Play Services (most notably location access) causes the device to reboot, and the permission gets restored forcibly.
This never used to happen previously (the permission used to get revoked successfully, and things like Google Timeline would act as if your device had disappeared despite location being enabled). I assume a background update implemented this permission recovery mechanism - i’ve since disabled play store on my device and slowly been culling off my usage of other Google apps
There really should be no doubt that a system application can have unlimited and unrestricted access to everything, bypassing all security and sand boxing. That is the extent of the meaning of system app. It’s like having root privileges, admin access.Whether Google makes use of it or not is something else, but it could be exploiting that privilege and with Google’s history and the fact that the distributed version of android which contains the google services pre installed is a custom version of android of which you’ll never see the source code, you really have to ask yourself.That’s why GrapheneOS is so important: you are the user and you get to control how Android works: the way it actually should, where if you install google services (which is up to you!) it gets installed under your terms and with your permissions.
Edit: correcting a misinformed message and the irrelevant followup. More clarification on system apps here: https://developer.android.com/guide/platform/
Removed by mod
Would you care to put any weight behind your accusation?
The main issue I’m trying to expose is that any custom distribution by an OEM can implement any app/service the way they want. The android source code is available, any access and permission can be obtained depending on how you implement it in the source code. You can even weaken the security if you want. Any distribution by these OEMs is a secret sauce, you have no way of knowing what shenanigans they are pulling on your phone.
So yes, they can get root access if that’s what they want.
This is not to say they do. I’m just saying we have no way of knowing how things are implemented and hence why open source is so fundamental to security.
Edit: I concede that the strict definition of what considers a system app does not provide with these accesses. I’m saying any custom distribution with built in apps may have been customized to allow for these things to happen. Perhaps this is where we may have misunderstood each other.
Removed by mod
It absolutely can. It took a screenshot of what I was doing without my permission. Only reason why I found out was cause it for a survey they were doing. So I wouldn’t be surprised if they’re doing it all the time without me knowing.
How did you catch it taking the screenshot?
Because it showed it to me.
I’m confused, I’ve never seen gpservices take a screenshot. Is there any reason/context I should be looking out for?
Wait, what? Do GrapheneOS have telemetry?
No, they meant that Google Play Services has telemetry.
Basically, GrapheneOS makes it much safer to use Google Play Services if you have to use it, though it still isn’t entirely safe and should generally be avoided where possible.
Aha. Phew :)
Removed by mod