Comparison of Android-based Operating Systems: possibly add "Location spoofing/Location scopes" as a criteria

[jarelllama]

GrapheneOS	DivestOS	CalyxOS	iodeOS	/e/	LineageOS	AOSP
No	No	No	No	Yes	No	No

This does not include the mock location option hidden under developer options since it requires an app and can be detected by other apps via API.

GrapheneOS may implement Location Scopes in the future: https://discuss.grapheneos.org/d/3103-feature-request-location-scopes/14. I am aware this feature would not fake a location, merely trick individual apps into thinking the location permission has been granted. Perhaps when it is implemented it would require a separate criteria.

[jarelllama]

Updated initial comment with a table.

[thestinger]

/e/OS location spoofing can certainly be detected and it's also possible for apps such as Ingress to entirely ban /e/OS because it allows doing something they don't want to allow, which they are already doing. You're drawing a distinction between Mock Location and their feature which doesn't really make sense. It is a variant of the standard Android Mock Location feature which can be and still is already detected through the OS not passing integrity checks by apps which want to enforce a property like this about the OS.

In general, apps which want to enforce a property like this such as Ingress are using the Play Integrity API or hardware attestation API, so they won't work on /e/OS in the first place. Any app which wants any property to be enforced about the OS such as not being able to trick it about location is going to be doing that. Therefore, the approach doesn't actually provide better compatibility beyond the extreme short term where there may still be a small number of apps which check for Mock Location without the Play Integrity API. Can you provide a list of apps which DO NOT use the Play Integrity API but DO check for Mock Location? How many really exist? Beyond the short term, they're almost certainly going to add a Play Integrity API check. If their check is being actively bypassed, they'll react to that. The main apps doing this are either doing DRM or it's part of anti-cheat for competitive location-based games. In both cases, Play Integrity API is going to end up being used since that's the precise use case and it's easy to do. GrapheneOS is aiming to force Google to allow alternate operating systems which preserve the properties apps expect and in the meantime convincing individual apps to permit those alternate operating systems via the hardware attestation API. If an OS does this, it doesn't qualify for either, so it will remain banned, and we can't reasonably argue otherwise.

These apps may be willing to support alternate operating systems but only if they preserve the security model and do not try to trick the app about things like this. Why would a competitive location-based game permit using an operating system where Mock Location can be used without it being shown to the app? There will be less app compatibility in the long term if we took this approach and made GrapheneOS unacceptable to apps like location-based games. Our goal is providing a more useful privacy feature than the current Location feature while not having these apps ban GrapheneOS but rather whitelist.

Location Scopes is a fundamentally different kind of feature than global Mock Location since Location Scopes will be per-app. The reason we want to make it instead of people using existing Mock Location apps is because they're global, and users may want to use real location for navigation/maps while spoofing it for a different app. We don't want Location Scopes to rule out apps like Ingress from using GrapheneOS. Therefore, we plan to provide a way to detect it and document it in our attestation compatibility guide so apps like Ingress can permit GrapheneOS. It doesn't have to be the same API that the Mock Location feature uses, although we don't want to push developers to leave GrapheneOS banned, so the details of that need to be worked out.

[thestinger]

This is really just similar to whether an OS bundles an end-to-end encryption messaging app such as Signal. Either way, people can use end-to-end encryption, and either way people can use Mock Location. Mock Location apps provide different features. Some of them actually do provide a real location via an external GNSS unit which is useful for a device without GNSS such as the Pixel Tablet. Some of them provide more than specifying a specific user chosen location. They may move it around based on how the user configures it. Support for specifying a specific coordinate with Mock Location being built into the OS isn't the whole reason people want to use Mock Location. An app can also easily tell something is up even without using the API, Play Integrity API or hardware attestation. In case you don't realize though, an app can use hardware attestation to check if it's the stock OS vs. alternate OS vs. unlocked and for an alternate OS can determine which OS it is via the verified boot key fingerprint so they can choose which alternate operating systems they want to allow instead of banning all of them as the Play Integrity API does. Apps like Ingress already use the Play Integrity API.