Location permissions in AOSP 10

[pgera]

In AOSP 10, the location backends for wifi/cell/local database lose their permissions intermittently. Unless the microg location settings page is open, they don't have permissions. To verify, use satstat a few times. Only gps provider (red) works consistently. The auxiliary ones (blue) don't work reliably. Similarly, the self-test for "unifiednlp does not have location to test geocoder" is unchecked unless you open the location backends page temporarily.

Logcat:

12-08 13:31:22.762  1281  8788 W ActivityManager: Appop Denial: Accessing service org.fitchfamily.android.dejavu/.BackendService from pid=16423, uid=10063 requires appop COARSE_LOCATION
12-08 13:31:22.764  1281  8788 W ActivityManager: Appop Denial: Accessing service org.microg.nlp.backend.apple/.BackendService from pid=16423, uid=10063 requires appop COARSE_LOCATION
12-08 13:31:22.767  1281  8788 W ActivityManager: Appop Denial: Accessing service org.microg.nlp.backend.ichnaea/.BackendService from pid=16423, uid=10063 requires appop COARSE_LOCATION
12-08 13:31:22.769  1281  8788 W ActivityManager: Appop Denial: Accessing service org.openbmap.unifiedNlp/.services.RadiocellsLocationService from pid=16423, uid=10063 requires appop COARSE_LOCATION

Microg is setup as it is in the lineage4microg repo with prebuilts and the following permissions:

<?xml version="1.0" encoding="utf-8"?>
<permissions>
    <privapp-permissions package="com.google.android.gms">
        <permission name="android.permission.FAKE_PACKAGE_SIGNATURE"/>
        <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
        <permission name="android.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST"/>
    </privapp-permissions>
</permissions>

[jpransxdev]

I can confirm. Experiencing the same on Havoc 3.0.

[kurt-by]

I think, the problem is: microG Service Core does only request location permission for "Allow only while using the app". You can't grant the "allways" bermission. not even with local terminal. Shouldn't we report this bug in nlp section?

[kyunal]

The permission in doubt is android.permission.ACCESS_BACKGROUND_LOCATION which GmsCore must request in order to access location in background.
ref developer.android.com

[mdibaiee]

I have the same issue on Havoc 3.0.
If I open up UnifiedNlp settings, click on "Configure location backends" and press "OK" with no changes (already enabled backends), then UnifiedNlp will try to find my location and it succeeds, I can see my location in my Map immediately after doing this.

But trying to run Map without doing this, I get no location, and I suspect it's because microG doesn't request to be able to request permission in the background. That's why if I manually run it and ask it for location it works.

[mdibaiee]

To verify this, I added the new permissions and built GmsCore myself and re-installed it. I had to give the permission manually though (it seems my changes are not sufficient to make the UI ask for "location permission all the time").

I just added this line:

    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>

To these files:

• play-services-maps-core-mapbox/src/main/AndroidManifest.xml
• play-services-maps-core-vtm/src/main/AndroidManifest.xml
• unifiednlp-base/src/main/AndroidManifest.xml
• play-services-core/src/main/AndroidManifest.xml

I'm not sure if it's necessary to add these to all of these files, but I added the line wherever there was permission use of android.permission.ACCESS_COARSE_LOCATION or FINE.

Note that I had /system/etc/permissions/privapp-permissions-com.google.android.gms.xml file after systemizing MicroG which didn't contain the new permission that I had added in my custom build, so I had to rewrite that file by re-installing microg as a system app. I use App Systemizer (Magisk Module) to systemize my built APK.

Still, even though I see MicroG listed as "Allowed All The Time" in the Location settings now, it doesn't work in the background. So not sure if just adding the permission is a solution on its own.

One interesting thing is that the Android Settings shows microG as having access to location "All The Time", but AppOps shows it as having foreground-only access.

[mdibaiee]

Logs after adding ACCESS_BACKGROUND_LOCATION to microg componens as described above:

12-30 11:43:20.749 24308 24308 I LocationEnabler: Location mode has been changed
12-30 11:43:20.753 23196 24489 V NlpLocationProvider: onSetRequest: ProviderRequest[ON interval=+1d0h0m0s0ms] by WorkSource{1000 android}
12-30 11:43:20.753 23196 24489 V NlpLocationProvider: using autoUpdate=true autoTime=86400000
12-30 11:43:20.753 23196 24489 D NlpLocBackendHelper: Binding to: Intent { act=org.microg.nlp.LOCATION_BACKEND pkg=org.fitchfamily.android.dejavu cmp=org.fitchfamily.android.dejavu/.BackendService }
12-30 11:43:20.759  1850  2966 W ActivityManager: Appop Denial: Accessing service org.fitchfamily.android.dejavu/.BackendService from pid=23196, uid=10116 requires appop COARSE_LOCATION
12-30 11:43:20.759 23196 24489 D NlpLocBackendHelper: Binding to: Intent { act=org.microg.nlp.LOCATION_BACKEND pkg=org.fitchfamily.android.gsmlocation cmp=org.fitchfamily.android.gsmlocation/.GsmService_ }
12-30 11:43:20.762  1850  2966 W ActivityManager: Appop Denial: Accessing service org.fitchfamily.android.gsmlocation/.GsmService_ from pid=23196, uid=10116 requires appop COARSE_LOCATION
12-30 11:43:20.763 23196 24489 D NlpLocBackendHelper: Binding to: Intent { act=org.microg.nlp.LOCATION_BACKEND pkg=org.microg.nlp.backend.apple cmp=org.microg.nlp.backend.apple/.BackendService }
12-30 11:43:20.765  1850  2966 W ActivityManager: Appop Denial: Accessing service org.microg.nlp.backend.apple/.BackendService from pid=23196, uid=10116 requires appop COARSE_LOCATION
12-30 11:43:20.766 23196 24489 D NlpLocBackendHelper: Binding to: Intent { act=org.microg.nlp.LOCATION_BACKEND pkg=org.microg.nlp.backend.ichnaea cmp=org.microg.nlp.backend.ichnaea/.BackendService }
12-30 11:43:20.767  1850  2966 W ActivityManager: Appop Denial: Accessing service org.microg.nlp.backend.ichnaea/.BackendService from pid=23196, uid=10116 requires appop COARSE_LOCATION
12-30 11:43:20.768 23196 24489 D NlpLocBackendHelper: Binding to: Intent { act=org.microg.nlp.LOCATION_BACKEND pkg=org.openbmap.unifiedNlp cmp=org.openbmap.unifiedNlp/.services.RadiocellsLocationService }
12-30 11:43:20.773  1850  8036 W ActivityManager: Appop Denial: Accessing service org.openbmap.unifiedNlp/.services.RadiocellsLocationService from pid=23196, uid=10116 requires appop COARSE_LOCATION

[ArchangeGabriel]

@mdibaiee I suppose all Nlp providers also need a change in their location permissions.

[mdibaiee]

@ArchangeGabriel I was thinking the same. I actually tried adding

    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>

To the Ichaea (Mozilla) backend, but it didn't work properly. The backends actually do ask whether you want to give them permission to use location "All The Time" even without this change.

But, I don't have experience developing Android, so take all my experiments with a grain of salt, it might be me messing up a part.

[Pant]

Guys I made it working.

This is an ugly and manual way of doing it - I am not a software developer - This is just a hacky way to make it work... Requires rebuilding of IchnaeaNlpBackend.apk...

I am running Havoc 3: Havoc-OS-v3.1-20200110-guacamole-Official.zip
Device: OnePlus 7 Pro (guacamole)

Steps:

Step 1: I did exactly what @mdibaiee said in this previous comment: #986 (comment)

• Installed it with modifying this repository: https://github.com/micro5k/microg-unofficial-installer

Step 2: I installed apktool

Step 3: Download IchnaeaNlpBackend.apk

Step 4: apktool d IchnaeaNlpBackend.apk

this creates a directory IchnaeaNlpBackend

Step 5: Edit AndroidManifest.xml and add this line under this line <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>:

<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>

Step 6: Run apktool b IchnaeaNlpBackend/

This will create a new .apk file under ./IchnaeaNlpBackend/dist/IchnaeaNlpBackend.apk

Step 7: Create a keystore (self-signed), Run:

mkdir keystore
keytool -genkey -v -keystore ./keystore/IchnaeaNlpBackend.jks -alias IchnaeaNlpBackend -keyalg RSA -keysize 4096 -validity 10000

enter the info ... I entered only password and name .. this step is important

Step 8: copy the ./IchnaeaNlpBackend/dist/IchnaeaNlpBackend.apk to the android device and install it (simply as user app, not system app, works)

Hope this helps some have a working device until a better/more stable/nicer way comes up.

(I should make a fork of https://github.com/micro5k/microg-unofficial-installer with a working setup.. but I worry about someone trusting me to publish an edited IchnaeaNlpBackend.apk by me... This wouldn't be very nice... Anyway I will think about it...)

[vincentvidal]

I tried this solution (recompiled GmsCore with background permission, introduced it in nlp backends...) but it does not work: nlp backends work only after checking again in MicroG settings.

Indeed, it was not useful to introduce background permission! As stated here : https://developer.android.com/about/versions/10/privacy/changes

Access granted automatically when targeting Android 9 or lower

If your app runs on Android 10 or higher but targets Android 9 (API level 28) or lower, the platform applies the following behavior:

If your app declares a element for either ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION, the system automatically adds a element for ACCESS_BACKGROUND_LOCATION during installation.
If your app requests either ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION, the system automatically adds ACCESS_BACKGROUND_LOCATION to the request.

And this is the reason why we see the permission request "Always allow" when installing lnp backends... ACCESS_BACKGROUND_LOCATION has been automatically added...

[awman123]

I had the same experience and impression as @vincentvidal, adding the permission to backends was not necessary and didn't change anything.

[vincentvidal]

I tried many things, still no success. I then implemented a quick and very dirty fix in my custom lineage build for Xiaomi mi9 (https://forum.xda-developers.com/Mi-9/development/rom-lineageos-17-1-microg-unofficial-t4034757). In file frameworks/base/services/core/java/com/android/server/am/ActiveServices.java, I deactivate permission failure for microG (but still log warnings) :

if (opCode != AppOpsManager.OP_NONE && mAm.mAppOpsService.checkOperation(
        opCode, callingUid, callingPackage) != AppOpsManager.MODE_ALLOWED) {
    Slog.w(TAG, "Appop Denial: Accessing service " + r.shortInstanceName
                   + " from pid=" + callingPid
                   + ", uid=" + callingUid
                   + " requires appop " + AppOpsManager.opToName(opCode));
    if (callingPackage.compareTo("com.google.android.gms") != 0) return null;
}

And guess what? It works ;-)
But still I don't catch the problem...

[farfromrefug]

@vincentvidal is there somewhere we can chat? I would love to test your fix in my device tree. And i also have a question about your device tree setup for microg.
Thanks

[vincentvidal]

@vince31fr on telegram

[DjogaRo]

if (opCode != AppOpsManager.OP_NONE && mAm.mAppOpsService.checkOperation( opCode, callingUid, callingPackage) != AppOpsManager.MODE_ALLOWED) { Slog.w(TAG, "Appop Denial: Accessing service " + r.shortInstanceName + " from pid=" + callingPid + ", uid=" + callingUid + " requires appop " + AppOpsManager.opToName(opCode)); if (callingPackage.compareTo("com.google.android.gms") != 0) return null; }
@vincentvidal Why did you test for the special case here. From the looks of it checkOperation returns the wrong value and callingPackage is available there, too. Did you stop looking for the cause at this point?

[vincentvidal]

@vincentvidal Why did you test for the special case here. From the looks of it checkOperation returns the wrong value and callingPackage is available there, too. Did you stop looking for the cause at this point?

I just wanted to make it work in my rom, so I did not try to understand the exact reason (after trials with recompiling gmscore with background permission etc). Furthermore I takes time to recompile a rom, flash it etc, and it should take me too much time to climb up to the exact point where something goes wrong.
What can be concluded though, is that the problem is not in the NLP backends, and that at some point, com.google.android.gms does not have ACCESS_COARSE_LOCATION permission. So my hack (which is just the compareTo check) does not yield a permission failure in the specific case of gms. Maybe because of missing background location permission ?
I'm pretty sure that someone with enough understanding of permissions in android and gmscore code will find a clean solution.

[tragedypoet]

Yesterday I played around for a little bit and managed to make locations work again. Please note I am not a programmer and all of my fixes are really dirty and were mainly out of curiosity, but maybe it helps finding a better solution. I edited the following files:

• ./play-services-core/src/main/java/org/microg/gms/ui/Conditions.java
• ./play-services-core/src/main/java/org/microg/gms/ui/SelfCheckFragment.java
• ./play-services-core/src/main/java/org/microg/gms/ui/PlacePickerActivity.java
• ./play-services-core/src/main/java/org/microg/gms/location/GoogleLocationManager.java

I added/edited the following lines in there:
./play-services-core/src/main/AndroidManifest.xml
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>

./play-services-core/src/main/java/org/microg/gms/ui/SelfCheckFragment.java
import static android.Manifest.permission.ACCESS_BACKGROUND_LOCATION;
[...]
if (SDK_INT > LOLLIPOP_MR1) { checks.add(new PermissionCheckGroup(ACCESS_COARSE_LOCATION, ACCESS_BACKGROUND_LOCATION, WRITE_EXTERNAL_STORAGE, GET_ACCOUNTS, READ_PHONE_STATE));

./play-services-core/src/main/java/org/microg/gms/ui/PlacePickerActivity.java
import static android.Manifest.permission.ACCESS_BACKGROUND_LOCATION;
[...]
if (ActivityCompat.checkSelfPermission(PlacePickerActivity.this, ACCESS_FINE_LOCATION) != PERMISSION_GRANTED) { ActivityCompat.requestPermissions(PlacePickerActivity.this, new String[]{ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_BACKGROUND_LOCATION}, 0); } else { updateMapFromLocationManager(); } }
[...]

./play-services-core/src/main/java/org/microg/gms/location/GoogleLocationManager.java
import static android.Manifest.permission.ACCESS_BACKGROUND_LOCATION; [...] private boolean hasBackgroundLocationPermission() { return context.checkCallingPermission(ACCESS_BACKGROUND_LOCATION) == PERMISSION_GRANTED; }

It's more of a workaround and after compiling and installing the package I needed to delete the runtime-permissions.xml since I encountered a problem similar to Issue #954.

Especially the changes in GoogleLocationManager.java are far from complete, but accessing location e.g. from OsmAnd seems to work correctly.

[ploink]

I have been working on a fork of the Local-GSM-Backend and made some progress for Android 10 compatibility (I am using crDroid 6.3). See this issue I posted there.
I wonder if the ACCESS_BACKGROUND_LOCATION permission is really required for microg, because the debug apk I published works just like it did on Android 9. It does not loose permissions and works reliably in Osmand. I think the backends need an update.

[ploink]

I got an email notification about a new post here and I wanted to comment, but it seems to have been removed.

It reminded me that I had set "disable battery optimization" for the location backend. That is maybe why it kept working in my case.

What may be happening without optimization is, you start the service manually in the foreground and as long as it keeps running and bound to microg, it functions properly also in the background.

When battery optimization kicks in, it shuts down the backend. Microg NlpLocBackendHelper then tries to rebind it in the background, the system checks microg's permissions again and is denied location access. So I agree microg does need android.permission.ACCESS_BACKGROUND_LOCATION.

[FriendlyNeighborhoodShane]

@tragedypoet that was rather rude :)

But seriously though, you could've just given a diff instead of typing out all that.

Anyway, commited in the fork under my org @NoGooLag.

Do keep in mind I haven't tested it yet, and it's on a fork with several diverging commits that was not updated for two years and hastily brought up-to-date by me just a couple minutes ago. Gonna see what I can do for UNLP now. Have a good day, everybody.

[FriendlyNeighborhoodShane]

Update: UNLP fork has also been changed to add the permission whereever I though it was needed. I am not a developer either, so I may have missed a lot of spots. Haven't compiled and tested yet, so if anybody is brave enough, please do go ahead.

[robson-sz]

@FriendlyNeighborhoodShane great job there.
I've used your commits from @NoGooLag repos. It builds and works in SatStat (blue and red dots on map with microg settings closed) after:

1. swapping @microg submodule UnifiedNlp with @NoGooLag one

2. bumping androidCompileSdk to 29 in GmsCore, UnifiedNlp and UnifiedNlpApi.

Right now maps aren't displayed in apps depending on google maps, I haven't figured out how to overcome this. Any ideas?

Edit: it may sound trivial, but does anyone know how to build mapbox or vtm version to compare if it's the case?
Edit 2: It was trivial, i've found it inside def useMapbox(), will test it tomorrow.
Edit 3: Both versions have the same issue - maps don't get displayed in uber, for example.
Satstat display maps without problems. In logcat there are lines pointing that problematic apps:

• try to use ACCESS_SURFACE_FLINGER and get denied

• try to make directory /data/user/0/com.google.android.gms/shared_prefs and gets mkdir failed: EACCES (Permission denied)

[FriendlyNeighborhoodShane]

@robson-sz That second thing is weird... Should Play/microG be making the directory itself (but isn't) and do other apps access it using some sort of an API?

[robson-sz]

@FriendlyNeighborhoodShane Thanks for reply, but it's something with my build process - GmsCore doesn't work even when i compile with gradle from migrog repo only.
Using binary released by marvin solves the problem, so my case is off-topic.
Now i will use the emulator to narrow down the cause.

[ristein]

@ploink
thats not working for me.
i still have to click "ok" in Microg's UNLP settings after every reboot and sometimes in between.
i am also on HavocOs on Guacamole and would really appreaciate a working solution (please keep this post up to date).

[rKsanu2MMYvypWePtQWM]

Any chances getting these fixes into this (main) microg repository anytime soon? Seems like the project has been in a standstill for half a year :P

[FriendlyNeighborhoodShane]

@rKsanu2MMYvypWePtQWM https://gist.github.com/mar-v-in/c8254168c63361c5094de13a7afea344

[ristein]

can we do anything to speed these fixes up?
having to click "ok" in microg's nlp settings everytime i want to use nlp is quite inconvenient

[upya4ko]

Hi! i get same problem on update (before all work OK) and found working version of MicroG GmsCore.apk that works installed as magisk module.

Also i found one thing, if latest GmsCore-v0.2.11.202414.apk installed as user app it also work perfect (same work on NLP modules too).

[e00E]

Is this supposed to have been fixed by the same refactor that closed #1004 ?

[tazer4]

It is fixed, install your backends as system apps, but also install it again as an update with the same version of the user app, then you will have the option for properly setting each backend to read your location at all times.

[ale5000-git]

In the meantime both microG GmsCore and Ichnaea Nlp Backend got an update so this is fixed.