Hello, I'm trying to build an app called Commotion Wireless from its source code - I didn't make this app myself, so it should be a simple case of following the instructions in the README, importing into Eclipse and exporting as a .apk. However, upon attempting to build, there are 3 errors: two saying "isIBSS cannot be resolved or is not a field" and the third with "frequency cannot be resolved or is not a field". The offending pieces of code are here:
github.com/opentechinstitute/commotion-android/blob/cm/src/net/commotionwireless/profiles/Profile.java - lines 201 and 202
github.com/opentechinstitute/commotion-android/blob/cm/src/net/commotionwireless/meshtether/NetworkStateChangeReceiver.java - line 92
Now as many of you know, stock versions of android don't seem to support ad-hoc networks, this is functionality that other custom firmware such as Cyanogenmod adds. As far as I can tell, this app is intended for cyanogenmod (as the devs state in URL1 below). Therefore I think that the definitions of "isIBSS" and "frequency" are not in the stock versions of andriod (URL2 is a patch somebody wrote that adds them), and the root of my problem is that I'm trying to build the app based upon the stock version of android that doesn't understand what "isIBSS" and "frequency" mean. I have never tried to build an android app before so have little experience, but my first instinct was that I needed to install a custom version of the android SDK for Cyanogenmod that would have the needed definitions in - however as far as I can tell, no such thing exists.
Does anyone here have any idea how I may resolve this issue? Your help is much appreciated
URL1: commotionwireless.net/developer/resources/commotion-android/
URL2: thinktube.com/files/android-ibss/patches/frameworks-base-0001-Wifi-Enable-Ad-Hoc-IBSS-network-configuration.patch
Hi guys,
with reference to this interesting thread:
Strategic Alliance: bundle F-Droid, add LineageOS repository, add microG
I think that LineageOS may effectively be the reference Android ROM for people looking for privacy and timely updates (which implies more security).
In this view, it would be extremely convenient to have a working instance of microG on LineageOS, as it would add the convenience of gapps without the need to sell you soul to Google.
The only practical option to have a working instance of microG in CM/LineageOS is using an Xposed module which spoof the signature of microG. The alternative is recompiling CM/LineageOS from scratch by patching it "by hand" before. While viable, these two solutions are far from convenient, as the former depends on Xposed (which is not available for Nougat at the moment, and nobody can really tell if it will ever be) and the second... Well, in my understanding it requires a fair share of knowledge and also computing power and it is probably impractical from the point of view of view of the end user.
My question here is:
given that LineageOS will ship a separate ZIP to allow root to be enabled for apps, would it be technically possible for LineageOS developers to create (and ship ) also a separate zip to enable signature spoofing for people knowing what they are doing?
In my "vision" this could only add a permission that would have still to be manually enabled only for selected apps (microg, specifically).
In the end, only people really interested in microg would manually install the "spoofing" zip. And in this cases it would not pose any additional security risk (if you consider that enabling root may be already dangerous enough).
Let me emphatize that I don't know if this is technically feasible, nor if the developers would ever accept to do that. But in my opinion this should at least be discussed.
Thanks for reading and have a nice day!
E.
enban said:
Hi guys,
with reference to this interesting thread:
Strategic Alliance: bundle F-Droid, add LineageOS repository, add microG
I think that LineageOS may effectively be the reference Android ROM for people looking for privacy and timely updates (which implies more security).
Click to expand...
Click to collapse
I really really like this idea! It is important to give users an easy way to get rid of the intrusiveness of google, if they want to. It's a matter of freedom of choice.
More and more people are scared about (or simply don't like) mass collection of personal data, it would be nice if Lineage OS could give to these people an alternative!
enban said:
My question here is:
given that LineageOS will ship a separate ZIP to allow root to be enabled for apps, would it be technically possible for LineageOS developers to create (and ship ) also a separate zip to enable signature spoofing for people knowing what they are doing?
Click to expand...
Click to collapse
Or maybe a .zip that directly installs microG? (I don't know if it is possible...)
lamp1 said:
Or maybe a .zip that directly installs microG? (I don't know if it is possible...)
Click to expand...
Click to collapse
Installing microG is not a problem. Another user, @wdevil12 , already create an AROMA zip to install microG.
The problem is that microG NEEDS the signature spoofing to be available (it needs that so apps "think" that it is the "real" Google Play Services).
CM/LineageOS never wanted to build this option in the ROM, so one has to rely on Xposed or make one's own build by patching the sources.
Having a flashable zip enabling spoofing signature directly from LineageOS developers would be a huge leap forward and could impulse the use of microG (which, in my opinion, is the best thing happened to Android in years).
My 2 cents.
enban said:
Installing microG is not a problem. Another user, @wdevil12 , already create an AROMA zip to install microG.
The problem is that microG NEEDS the signature spoofing to be available (it needs that so apps "think" that it is the "real" Google Play Services).
Click to expand...
Click to collapse
Thank you for the explanation.
enban said:
Having a flashable zip enabling spoofing signature directly from LineageOS developers would be a huge leap forward and could impulse the use of microG (which, in my opinion, is the best thing happened to Android in years).
Click to expand...
Click to collapse
I agree with you!
+1
Is the lineage browser chromium based?
Is there a purge and replace google from android os tutorial somewhere?
micrograms without xposed
Hi,
I just wanted to share a link with you:
gabsoftware.com/tips/how-to-use-microg-on-lineageos-or-cyanogenmod-without-xposed
I haven't followed these steps yet, but am going to in a few days
enban said:
given that LineageOS will ship a separate ZIP to allow root to be enabled for apps, would it be technically possible for LineageOS developers to create (and ship ) also a separate zip to enable signature spoofing for people knowing what they are doing?
Click to expand...
Click to collapse
I share your enthusiasm and also your frustration.
Here's the thing. Enabling signature spoofing is a patch, so you apply it before building the image. This means a zip would have to provide a drop-in replacement for the files affected by the patch, in this case I believe it's only 1 file: framework.jar. I have no idea how often framework.jar changes, but it would be useful to know – the more often it changes, the more often the zip will have to be updated and distributed again, and the less probable it is that someone will want to do that job.
So here is an approach I was thinking of:
1. Extend the microG patch to not blindly disable signature spoofing, but instead disable it conditionally when a certain flag is enabled in the settings (disabled by default, obviously). Don't provide any UI, just that test in the code.
2. Include that patch in mainstream LineageOS (and other ROMs). By default it's a no-op, so that's completely harmless. This is the key point.
3. Provide a zip (OP's idea) that surfaces the modification of that flag through a "Disable signature spoofing" option in the Developer Settings.
Ideally, 3 would also be baked into mainstream LineageOS, since Developer Settings are already fairly opt-in. However, in light of what happened recently to root access, I'm assuming 3 would have to follow the same approach and live as an external zip too, which is fair enough and would still represent a huge step forward, as OP pointed out.
Thoughts?
Official answer:
We will not be enabling signature spoofing. It's a huge security hole, and breaking android's security model (for any reason) is never acceptable.
Feel free to build it yourself (it is open source) if this is a feature you want, or use one of the plethora of other roms people have generated. Our main goal is to continue passing CTS and have a production-shippable OS available for anyone who wants to use it.
@elirada
I like the idea and, frankly, I'm less concerned about the method to achieve it than on actually having signature spoofing.
Unluckily, as you can see, the official response is "No, never". Now, while I'm grateful to LineageOS developers for their hard work, I feel that their position on this point is plainly wrong. Allowing root is a bigger security issue than allowing on-demand signature spoofing for *one single* app, which would offer much more privacy to LineageOS users.
enban said:
@elirada
I like the idea and, frankly, I'm less concerned about the method to achieve it than on actually having signature spoofing.
Unluckily, as you can see, the official response is "No, never". Now, while I'm grateful to LineageOS developers for their hard work, I feel that their position on this point is plainly wrong. Allowing root is a bigger security issue than allowing on-demand signature spoofing for *one single* app, which would offer much more privacy to LineageOS users.
Click to expand...
Click to collapse
As zifnab said, we most certainly will not open up security holes like this. It would be an incredible disservice to our users.
Opening attack vectors such as this on millions of devices is "plainly wrong" as you put it.
But hey, its OSS, so fork and do it yourself! :good:
invisiblek said:
As zifnab said, we most certainly will not open up security holes like this. It would be an incredible disservice to our users.
Opening attack vectors such as this on millions of devices is "plainly wrong" as you put it.
But hey, its OSS, so fork and do it yourself! :good:
Click to expand...
Click to collapse
What disservice? You clearly didn't read the OP. One should voluntarily flash a zip and then explicitly enable the feature. It's not something that would happen by chance and would be an explicit choice of each user. And frankly, while I certainly may learn how to get the source and compile it, I (and most people willing to use microG) have not the hardware resources and the time to compile each build. To call this solution impractical would be an euphemism.
enban said:
What disservice? You clearly didn't read the OP. One should voluntarily flash a zip and then explicitly enable the feature. It's not something that would happen by chance and would be an explicit choice of each user. And frankly, while I certainly may learn how to get the source and compile it, I (and most people willing to use microG) have not the hardware resources and the time to compile each build. To call this solution impractical would be an euphemism.
Click to expand...
Click to collapse
Even if its something we'd remotely consider, its not as simple as providing a zip with a su binary in it like the root addon. This stuff is in framework which makes it a lot more difficult to supply a "bolt on" zip to do this.
Here's the patch when it was put on gerrit. You can read the comments to see the stance and reasoning on it.
It's something that will not ever be accepted in this project.
hey guys, thanks for this discussion.
i easily patched the first lineageos-build (kenzo device) with tingle. this was possible because "pre-optimization" wasnt yet enabled when built. patching took only 1 minute.
would it be possible to make any second build (or once a month) without this "pre optimization"-flag?
This way security isnt touched and everyone who wants could easily patch it himself!
We will not shipped compromised builds. It doesn't matter about how much you think it convenient...we are trusted to keep users safe.
The moment you have to use the words "spoof", "make the system think it's something else" or anything if that nature, you are lying to the system about an app, which will compromise thebuser's trust in the system.
If you think for one second that "experienced people who know what they are doing" would be the only ones to flash whatever the heck is available, you have not been on this forum or working with Android for very long.
If you "are experienced and know what you are doing", build it yourself. That's the safest bet against users not harming themselves with our stamp (release-keys) on it.
tl;dr: Nope. Not even once.
zifnab06 said:
Official answer:
We will not be enabling signature spoofing. It's a huge security hole, and breaking android's security model (for any reason) is never acceptable.
Feel free to build it yourself (it is open source) if this is a feature you want, or use one of the plethora of other roms people have generated. Our main goal is to continue passing CTS and have a production-shippable OS available for anyone who wants to use it.
Click to expand...
Click to collapse
Fair enough. Signature verification is clearly an important component of Android's security model.
I think one should never have to choose between security and convenience. Give users the choice for long enough and they'll end up falling for the latter. The minute someone provides a poorly crafted yet job-doing image, everybody will start using it. The "I won't solve your problem" answer, rather than help people, will end up pushing them into randomness.
As someone mentioned, maybe there would be a way to allow the overriding of signature checking only for a given app, in favor of another given app? This is very from just disabling the whole thing, yet would let microG work.
That idea is just an arbitrary suggestion. Generally my point is that people are expressing a use case to solve and if nobody cares they will end up doing something silly,
eli
Hi, I've finally manage to enable signature spoofing using tingle. The procedure is straightforward and very easy to follow (download script, make sure you have all needed programs, connect to rooted phone, execute the script, boom - done).
After that I was able to install microg and with Mozilla location backend it's working very well. So currently I'm running lineageos without gapps on oneplus 3t and can install apps from play store.
If any of you want I can write short instruction but all needed information can be found easily.
@alkesander
Is the patch only for LineageOS? Need patch for OxygenOS 4.0.3.
About the security implications of signature spoofing
zifnab06 said:
Official answer:
We will not be enabling signature spoofing. It's a huge security hole, and breaking android's security model (for any reason) is never acceptable.
Click to expand...
Click to collapse
I'm wondering why no one pointed to microG Signature Spoofing and its Security Implications before.
Interesting, glad I found this thread, that link, and the responses from CM/Lineage devs. Seems pretty clear that user privacy is not a priority, probably been the case since that Microsoft money started flowing in 2015..
Time to start looking elsewhere I guess