not relying on google services to run

vigilliann
Community Member

Hi,

I’m sure that I’m going to ask you a lot but we need to put some perspective on that.
You are developing a cross platform password manager. So it’s all about security. Don’t you think that relying on android services is a bit contradictory? Counterproductive? Inefficient?

I understand that you had to implement an easy way for the consumer to pay for your product. But with all we know now whether it’s about google, facebook or other GAFAM, maybe it could be nice to implement it in another way than relying on google services? I don't even understand why you actually need so much to rely on google services where you could make a lighter version with all the google services stripped away and put it on f-droid. Especially since you wanted so badly with password 8 to put everyone on a subscription (so no need for google services actually since the user can easily do that on your website)....

I’ve just installed divestOS on my android phone and it’s impossible to link up your account (looping at the logging + the annoying message that your app can't run without google services). Since when is android, even up to date, about security? Did you forget about pegasus maybe? Divest or lineage even without the MicroG is way more secure than anything out there on android so why don't you step up to actually really care about security?
So could you think about it?
Thanks


1Password Version: 7
Extension Version: Not Provided
OS Version: android 11 divestOS

Comments

  • [Deleted User]
    Community Member
    edited November 2021

    There's no compelling reason to put 1Password on F-Droid as it's a closed source password manager. It goes against the F-Droid philosophy to me. If you run DivestOS, you have to accept that it is strongly geared towards FOSS as their website says. In that case, you can totally use another password manager like KeePassDX with Syncthing or Bitwarden.

    I noticed you used the word security, but in fact it seems you also mean privacy. Flashing a custom rom on a phone that can't relock its bootloader if it's not the factory rom is actually less secure. Only exception I know is GrapheneOS on Pixel phones because you can relock the bootloader easily without bricking the phone. That's possibly the most secure and privacy oriented phone os. When you go this way, you can expect to only use FOSS apps. It would defeat the purpose of those privacy/security focused roms otherwise. That's my point of view at least.

    I run LineageOS for MicroG because I use some apps that require some form of Google services support even if it's not the official Google Services and I did it for privacy reasons, to get rid of my Google accounts for instance. 1Password does work there. Interestingly AuroraStore reports that 1Password has zero trackers, not so common for closed source apps.

  • vigilliann
    Community Member

    JM I think you are mistaken since it's relockable on several models.
    And F-droid was just one example, it could be just an apk downloadable from the website so it's a false debate about FOSS since I was talking about the delivery system.
    Privacy and security are intricately linked whether you like it or not. So yeah I understand you are against FOSS, but just about that I would point you to the different MITRE reports and the DOD reports and audit about open source vs closed source. But since it was not my point I will leave it at that.
    And as you pointed out yourself, and so you are demoting your own argument yourself, if there are no trackers then there is no need of google services to run the app and the core of the app can easily be replaced by something not related to a google services API at all.

    And I relocked my FP3 pretty easily under divestOS so.... please rethink your copy first.
    Thanks

  • vigilliann
    Community Member

    And just to remind you the pegasus problem was mostly under whatsapp and the inhouse app from iOS and google which includes the SMS app and phone app too and so google hangouts.... So yeah here too privacy rhymed with security

  • [Deleted User]
    Community Member

    I think you're a tad quick to judge as I probably use 50% of open source software or more so saying I'm against it is rather exaggerated. On my phone it's mainly FOSS. I like both FOSS and closed source. If the app is good it is good for me regardless of the source. I'm not dogmatic.

    On phone relock : There are way more phones that can't be locked if the rom is not the oem one. If I do it on mine it will be bricked for sure.

    Anyway for a detailed staff answer : https://1password.community/discussion/124719/direct-download-apk

  • vigilliann
    Community Member

    MITRE and the DOD audit plus countless other auditing is scientific fact not up to debate. The interpretation that we can end up with those reality facts can totally be up to debate yes but not the facts in themselves. So no it's not about being dogmatic or not and obviously you didn't read any of those audits which have begun their appearance in the public domain around 2008? And it was certainly not a specific accusation against you, just to remind you the scientific truth about FOSS.

    And to remind you, it's you who brought up the fact of relocking. To remind you too, it's you who brought the graphene example to the table. Graphene which is only available on pixel phones, which is a ridiculously low amount of devices compared to other distributions which give the ability to relock the device. So sure it's maybe not available on your device, but that doesn't make a general rule does it? And the other way it's also true. But your dogmatic point was, since it's not relockable universally then it's not receivable.... Well that's a problem in logical discourse...

    Thanks for repointing me to this thread that I was already aware of. So you would have liked that I answered those more or less legitimate and illegitimate arguments of the staff?

    And again the problem is not about being FOSS or not, it's about the fact that there are APIs out there as efficient as google play services to implement, since I need to list them:
    QR code scanning (which is now integrated by default in every custom ROM)
    FIDO2 security key support (which yubico gives all the help needed to implement it since should I really say, other FOSS equivalent are using them and not through google play services)

    And the fact that the version needs to be up-to-date, come on are we really talking about that when there are dozens of implementations of those update checking processes?

    All those problems don't need much more dev, they are out there and they are FOSS most of the time. The fact that they don't want to implement them that's another story. I'm going to give a little example. We are using every day the implementation of google of the Zeller congruence for what? 10 years now?, it's FOSS obviously and it doesn't bother anyone apparently. So when it's convenient they are ready to use the available resources but not when it's for the common benefits. If that's not political or ideological beliefs, I don't know what it is.

  • [Deleted User]
    Community Member
    edited November 2021

    It's just that right now, most Android phones ship with google so while they are aware of things like Huawei they don't see the reason to develop solutions for those users at the moment, since the majority of their users have the play services installed anyway.

    I didn't read all those audits you mention indeed. To be frank I was a network tech for a short time but I spend most of my free time learning about the wildlife, recognizing birds, learning about insects, cultivating vegetables, making my own seeds. I'm a carpenter now so I can build things. I also do audio restoration sometimes. I can tell you reading audits online is the least of my concerns nowadays (I did read about those from 1Password for fun).

    What I should have told you after your first message instead is : why take that much time to vent out your frustration about not being able to use 1Password because of your choice of going "full de-googled" and not use that time to switch to another solution that will work, like KeePassDX (as recommended by DivestOS)?

  • Thanks for reaching out and for your feedback, @J.M and @vigilliann.

    While 1Password currently is only available for download through Google Play, we can certainly let our development team know you'd like a separate APK. That said, Google Play Services are required for some of 1Password's functionality, but the app should still be usable without them.

    "I’ve just installed divestOS on my android phone and it’s impossible to link up your account (looping at the logging + the annoying message that your app can't run without google services)."

    This is not the expected behavior. You'll need GPS to scan a Setup Code for signing in, but you should be able to enter your account credentials manually and sign in even without GPS installed. I'll go ahead and report this to our developers.

    ref: dev/android/onepassword-android#1379

    In the meantime, try signing into your account from a browser on the same Android device. From there, tap your name in the upper right hand corner, then tap Get the Apps, and then tap the Add your account directly button. Are you able to sign into your account from the app after entering your password now?

This discussion has been closed.