
Android now forces apps to include proprietary code for push notifications - lelf
https://www.reddit.com/r/freesoftware/comments/by4ipr/android_now_forces_apps_to_include_proprietary/
======
kartan
> Problem: The Firebase Android client library is proprietary, meaning FOSS
> apps can not use it. Apps that do not comply are reported to the user as
> "using too much battery".

This is a standard on the industry. From 1999:
[https://www.theregister.co.uk/1999/11/05/how_ms_played_the_i...](https://www.theregister.co.uk/1999/11/05/how_ms_played_the_incompatibility/)

It doesn't matter how much money Google is going to have to pay in the future
as a fine for this practice. The amount of money that they will get for
kicking out the competition is going to be way higher. That is a learned
lesson from Microsoft (and probably others before them).

~~~
izacus
> It doesn't matter how much money Google is going to have to pay in the
> future as a fine for this practice. The amount of money that they will get
> for kicking out the competition is going to be way higher. That is a learned
> lesson from Microsoft (and probably others before them).

The competition in this case is Apples iOS, for which even HackerNews users
love to harp over and over and over again how amazing it is and how little
battery it uses because it doesn't allow apps to use anything but APNS, run
anything in background or even include GPL source code.

This is what's Android competing against - an completely locked down operating
system which cannot deliver any kind of GPL code. And every time it allows
more freedom to developers it's punished in the market by losing against iOS
and mocked on this very website about how it allowes their app developers to
drain battery and access data.

What exactly do you expect Google to do here?

~~~
soulofmischief
I don't think you're focusing on the entire picture.

 _Some_ people here like iOS for the reasons you described. However I'm
willing to bet, unless you can show me otherwise, that it's a vocal minority.
I don't know of anyone personally who is happy that Apple disallows GPL code.

Comparing Apple's digital Fort Knox with Google's unsupervised free-for-all is
a false dichotomy.

There exists a happy medium, where power users get all the freedom they want
but apps are still by default beholden to certain restrictions. And this is
orthogonal to a proprietary API.

~~~
maxaf
Please forgive me for being unnecessarily obtuse this early on a Monday
morning.

Where does Apple say that GPL code isn’t allowed on the App Store? I ask
entirely out of my selfish need to avoid unpleasant surprises later on.

~~~
soulofmischief
It's what I've heard rehashed around HN, but afaik the actual policy is more
or less as described here:

[https://forums.developer.apple.com/thread/18922](https://forums.developer.apple.com/thread/18922)

Essentially it works like it should anywhere else: If you don't publish source
code and someone complains, you're out. In an ideal world Google Play would
hold itself to the same standards.

However, the App Store does impart restrictions which are incompatible with
GPL, so it's not so much that Apple doesn't allow it as it is that GPL doesn't
allow it.

Apple has no official statement on this of course, but we know how they feel
about GPL code given that they've removed every bit of it from their OS over
the last few years.

~~~
avar
They haven't been removing GPL code actively, they decided not to take the
risk of using GPL version 3 software, so they've let the respective versions
of bash, rsync etc. linger at their last released GPL version 2 releases.

E.g. Git is on GPL version 2 still (and probably forever), and Apple continues
to update that in a relatively timely fashion.

~~~
soulofmischief
Apple just switched to zsh, which is not GPL other than a few optional shell
functions. Expect this trend to continue.

------
ddrager
This has been coming for a while. We attempted to create a push-based
notification system based on MQTT. It worked well, then the notifications
started getting lost. Turns out, the receiver service was getting killed in
the background. We found out the best way to get reliable notification was
through Google's own GCM (which has now moved to Firebase Cloud Messaging.

We learned its incredibly difficult, if not impossible to build an app (with
reliable notifications) that do not use Google services.

You can say its in an effort to maximize battery resources, which I totally
understand, but by requiring a Google service (and now library) you are truly
tied in to and reliant on their systems.

BTW, as others have pointed out, there _are_ open source Firebase libraries
([https://firebaseopensource.com/projects/firebase/firebase-
an...](https://firebaseopensource.com/projects/firebase/firebase-android-
sdk/))

~~~
bchimp
This has been true for awhile once they forced apps to use API26 or higher (if
you want to be listed in the Play store, and really, there is no other place
if you want decent exposure.)

I had a similar experience switching from "real background" to using FCM. I
understand the battery saving motivation, but the problem is that the
performance of the google service is terrible. The response time of my simple
notification system was nearly instantaneous, but OK google, I'll play your
game. I put together something that used FCM and it can take 15 or 20 MINUTES
to get even a "high priority" message from FCM.

Reading the google docs, apparently google will deprioritize notifications
that are shown but "not intereacted with" in a timely manner, so that is
another source of delay.

I think the crux of the matter is that notifications have multiple purposes:
signaling, and advertising, etc. Google hasn't provided a way for an app to
declare its use case. So, you get policies to prevent notification spam
creeping in and messing with basic app signaling functionality.

In the end, I kept both my "in-house" notifications for use by older Androids,
and a kluge that uses FCM in addition, with some hacks to get somewhat better
FCM performance. I live with the notification in Oreo+ and just tell users to
ignore it (but honestly, I don't think users care that much.)

~~~
jayd16
>The response time of my simple notification system was nearly instantaneous,
but OK google, I'll play your game. I put together something that used FCM and
it can take 15 or 20 MINUTES to get even a "high priority" message from FCM.

Letting your phone actually sleep _is_ the battery saving feature. Also, you
get throttled for high volume so check that as well.

If you think your messages are so important to have a constant socket open
then make a foreground service. You're abusing a system that is really not
suited to your needs.

~~~
ajnin
Some types of messages do require immediate attention of the user, or are of
highest value if delivered immediately. Instant messaging apps have been using
notifications for a long time and did not require a foreground service.
Expecting instant delivery of that class of messages is not abusing the
system.

~~~
jayd16
While it's not really possible to do this in your own background service any
more, GCM still supports this use case. This is the deprioritization the grand
parent is talking about. If there's already a notification showing you won't
get instant follow up responses. It's a compromise to be sure but if you want
to break that compromise you have to make a foreground service.

~~~
AstralStorm
It was supposed to be possible, via standard notification mechanism and
scheduler, new in 7.x. If Google starts flagging apps pinging network off the
scheduler, _everyone_ will get even more angry, as there will be a glut of
foreground notifications just because they broke a use case.

------
Ajedi32
So to summarize, to save battery all notifications on Android (since two
versions ago) have to go through a single notification service (rather than
each app having the option of continuously running in the background and
maintaining a connection with its own notification service). Recently Google
killed their GCM notifications service in favor of Firebase Cloud Messaging,
which (unlike GCM) unfortunately doesn't have an open source library available
for it at the moment.

Does that sound right so far?

Anyway, the Telegram-FOSS team claims that this doesn't _actually_ save
battery:

> Despite Google's misleading warnings, there is no difference in battery
> usage between v4.6 in "true background" and v4.9+ with notification.

But this seems rather unlikely to me. Are they saying that an application
running continuously in the background uses the same amount of battery as an
application that's not running at all? Or am I just misreading that statement?

~~~
runeks
> Are they saying that an application running continuously in the background
> uses the same amount of battery as an application that's not running at all?

A single application running in the background probably uses only a small
amount of extra power compared to the notification service alone.

However, a couple dozen applications -- all running in the background in order
to enable notifications -- probably consume a lot more power than a single
service.

~~~
Ajedi32
There's also a wide variety of possible implementations of a notification
service, and not all of them will necessarily be as power efficient as what
Telegram-FOSS does.

~~~
AstralStorm
And Android's battery monitoring should flag them accordingly, not rely on
presence of some library.

~~~
ahupp
It's not relying on the presence of a library. It's indicating that the app is
still running in the background, and thus using more battery.

------
megous
Can this fall under system library exception?

For example if you're building mingw32 based GPL C app, you're linking to all
kinds of windows system libraries and there's no need for them to be under
GPL.

If this notification library is available to anyone on Android and is part of
the Android system platform, can it be the same, like some DLL that does
notifications on windows?

~~~
izacus
No it doesn't, because the code that receives push notifications isn't part of
AOSP.

~~~
shawnz
But my "system" isn't AOSP. It's my OEM's specific packaging of AOSP along
with Google services and other components. Why should the line be drawn around
AOSP specifically?

------
geofft
You can still write free software that uses it and produces a not-entirely-
free artifact when compiled, though, right? (Is there a distribution
restriction on the artifact, or is it impermissible to link it with GPL apps,
or something?)

I'm curious if the free software apps are compelled not to link it to preserve
the free software status of their code, or just voluntarily refusing on
principle (which is laudable, to be clear).

~~~
krn
Ubuntu gets around any possible GPL violations by offering to download and
install proprietary drivers (ex., Nvidia) and codecs during installation
process. Could something similar work for Android apps?

~~~
izacus
Yes, it would work - you could deliver the push notification module as a
separate APK which talks to the main application part. It's still way more
complexity than adding a GPL lib to your app.

------
shawnz
I think this is misleading. To me it seems the issue is that app developers
are being forced to use the proprietary Firebase service, but they are NOT
being forced to use a proprietary library from what I can tell. The library in
fact DOES have an open source version available:
[https://firebaseopensource.com/projects/firebase/firebase-
an...](https://firebaseopensource.com/projects/firebase/firebase-android-sdk/)

~~~
icebraining
From what I can tell, you need firebase-messaging, which doesn't seem to be on
that list. Am I reading it wrong?

Edit: seems I was reading correctly: [https://github.com/firebase/firebase-
android-sdk/issues/125#...](https://github.com/firebase/firebase-android-
sdk/issues/125#issuecomment-481566392)

~~~
shawnz
Ah, thanks for the clarification.

------
DannyBee
Since the FSF does not consider GPLv2 to be Apache 2.0 compatible, telegram-
FOSS is GPLv2, and Android libraries are usually Apache 2.0, you have _always_
had a problem.

They also use a _ton_ of Apache2 libraries (at least 5 or 6) directly in their
source repo.

They don't appear to even bother to properly give attribution/etc for the used
software, so yeah.

~~~
coding123
This is so damn true I am LMAO at the other comments. So basically the entire
community can get around the problem by releasing an Apache2 lic'd library
that wraps whatever it is they need from firebase.

We'd be at a place no different from any other "FOSS" App on android today.

And
[https://opensource.stackexchange.com/a/4642](https://opensource.stackexchange.com/a/4642)

------
jchw
I was confused for a moment because I thought the Firebase SDK was open
source.

Interestingly, though, the Android version appears to be only partly open
source. I did not find an explanation as to why some of the source is not
available, it is mentioned on the Github repository but not explained. In any
case, I don’t see the code for Cloud Messaging in there.

It may not be that it is done out of secrecy, though. A cursory glance of the
iOS SDK shows what seems to be the full iOS portion of Firebase Cloud
Messaging:

[https://github.com/firebase/firebase-ios-
sdk/tree/master/Fir...](https://github.com/firebase/firebase-ios-
sdk/tree/master/Firebase/Messaging)

Though that also raises its own question: doesn’t iOS effectively enforce
APNS, and all third party providers actually must go through that? I imagine
going through a single provider really can improve battery life. Each push
provider needs to background fetch.

FWIW, as far as I know, FCM and APNS are both free to use indefinitely. I’ve
always found this a bit perplexing since I can’t even really fathom how many
messages an app like Facebook or Twitter would push per month. I wonder what
the odds are of this ever changing. The cynical viewpoint could go either way.

At face value, this really does seem problematic for open source projects. Can
a GPL app link to (the non-open parts of) the Firebase SDK? My guess would be
no.

Hope this can be resolved :( There’s some really great stuff on F-Droid, like
Amaze file manager.

(Disclosure: I work for Google, but not on Android. I don’t even use Android
phones anymore.)

~~~
habosa
[Firebase team member here] Our goal is to open source all of our SDKs, and we
have steadily open-sourced more of them over time. The SDKs you see on GitHub
right now are all standalone, they don't require communicating with Google
Play services running on the device.

Our bar for moving an SDK to GitHub is that it has to be more than a source
dump, it must be the source of truth for that team's development. Right now
that's not possible for FCM because of the dependency it has on Google Play
services.

~~~
bubblethink
Is there a plan to a) Support use of FCM without play services (i.e., in
AOSP)? b) If not, is there any legit path forward for cases like these short
of them forking AOSP ?

------
segmondy
Google is one of the most evil companies out there for a company that started
out with don't be evil. The have some very smart people, some amazing tech,
but unfortunately they have some very evil people working for them help bent
on maintaining their advantage by any means necessary.

Without using Google's push notifications, you are going to end up with
something that works about 75% of the time. When this first started happening
to me, I lost tons of time thinking it was a bug only to finally realize I
needed to use Google's library to get reliability for what once worked.

~~~
throwayEngineer
>Google is the most evil, of the companies that started with "don't be evil".

Curious, what companies use that same phrase you are comparing it to?

Or if that isn't what you meant, where is Apple and Microsoft on the Good vs
Evil dichotomy?

------
jmkni
I'd love to know just how different/bare bones AOSP (Android Open Source
Project) is to regular Android.

As an experiment, I'd love to compile it, put it on a spare phone and use it
as my daily driver for a week.

~~~
pzmarzly
I was using clean LineageOS for over 2 years, recently switching to
LineageOS+microG. I'm using APKPure and F-Droid for apps, Chrome for browsing
(as in Firefox, last time I checked, one tap separates you from losing all
open tabs). Some apps refuse to work or break (e.g. Bitwarden does not sync),
some have degraded functionality (e.g. WhatsApp sometimes does not ring when
someone is calling you), many are just spamming "This program will not run
without Google Play Services" (but there is Xposed module called something
like "This program will run" that gets rid of these). In case of Google Maps,
I'm using old version (9.69.1), and for Youtube, I'm using NewPipe.

Overall I liked the experience, battery life (especially with greenify) was
amazing.

~~~
jeroenhd
In my experience, Firefox with the Bitwarden addon installed syncs well
without requiring you to install any Google services. The obvious downside
being that you need to open Firefox to copy your password, but that can
probably be worked around by adding a shortcut to the Bitwarden addon page to
the home screen.

I don't know what you mean with "one tap away from losing all your tabs"
though, perhaps you have an issue I haven't encountered yet. I personally
never lose any Firefox tabs, even if I manage to make it crash somehow; I
suppose what I'm trying to say is you might want to try Firefox again to see
if the situation has improved.

As for maps and navigation, you might try Maps [0] or Here Maps [1] (if that
runs without play services, I assume so with Microsoft behind it). Of course,
an old copy of GMaps works fine, but Maps [0] is open source, which one might
likely favour on a Google-less phone.

[0]:
[https://f-droid.org/en/packages/com.github.axet.maps/](https://f-droid.org/en/packages/com.github.axet.maps/)
[1]:
[https://play.google.com/store/apps/details?id=com.here.app.m...](https://play.google.com/store/apps/details?id=com.here.app.maps)

~~~
pzmarzly
I forgot to mention that I keep Firefox just for Bitwarden extension. Though I
usually just copy the password on my PC, and KDE Connect syncs the clipboard.
I also try to be logged into as few services as possible on my phone, in case
someone steals it while the phone is unlocked. Since the phone is rooted,
determined thief would have many opportunities.

By "one tap", I meant the "Close all tabs" options next to "New incognito
tab". If you tap "Close all tabs" in Chrome, you get an "Undo" button for few
seconds. If you do the same in Firefox, you don't. There are "Recently closed
tabs", but I learned the hard way that it only holds few tabs.

~~~
pmontra
Maybe it's because I'm using Firefox on Linux, but I couldn't find a Close all
tabs button or menu entry. There is even an extension for that [1]. Closing
all tabs wouldn't be the same as closing the window they belong to?

[1] [https://addons.mozilla.org/en-US/firefox/addon/close-all-
tab...](https://addons.mozilla.org/en-US/firefox/addon/close-all-tabs-
webextension/)

------
ridaj
Misleading title... Real title something like: apps that use Android push
notifications without Firebase, including GPL-licensed apps, now reported as
"using too much battery"

------
kbumsik
I'm not an Android dev, but according to the source in the article [1] this
limitation is applied since Oreo, which is released two years ago. Why this
problem arises today?

[1]: [https://github.com/Telegram-FOSS-Team/Telegram-
FOSS/blob/mas...](https://github.com/Telegram-FOSS-Team/Telegram-
FOSS/blob/master/Notifications.md)

~~~
icebraining
Until April 11, 2019 you could use GCM instead of the Firebase system.

~~~
veeti
The GCM client is/was also proprietary. There is nothing new here.

------
orblivion
So are we, fans of FOSS, all-in on the Librem phone at this point?

~~~
ocdtrekkie
I'm just waiting to find out if someone will get Librem 5 working with a
Verizon approved networking module before I jump in. But yes, very excited.

------
Mbaqanga
One day Google will regret having made Android open source and will try to fix
it, but is it possible?

~~~
TeMPOraL
I think they already do. Isn't it what Play Services is really all about?

~~~
squarefoot
They never did. Releasing the source contributed creating the developers
ecosystem we have today. What Google fears more than the Armageddon would be
someone making a truly FOSS operating system capable of running on Android
devices, and they prevent that by keeping device drivers and firmware tightly
locked.

~~~
extropy
IMO Android is working towards having a compatibility layer so that drivers
can be freely shared across distros.

Look up Project Treble.

~~~
imtringued
That still requires cooperation from the SoC vendors. If they aren't
interested then Treble will go nowhere.

~~~
lern_too_spel
Treble is required by the Vendor Test Suite for Android 8 and higher.
[https://source.android.com/devices/architecture](https://source.android.com/devices/architecture)

~~~
anchpop
This is probably still in Google's best interest, since it greatly reduces the
cost for OEMs to distribute updates (and updates are one area where Android
severely lags behind iOS)

------
Khaine
“the definition of open: "mkdir android ; cd android ; repo init -u
git://android.git.kernel.org/platform/manifest.git ; repo sync ; make"” [1]

Not anymore. Having basic android open source help when everything is pushed
into the proprietary play store

[1]
[https://mobile.twitter.com/Arubin/status/27808662429](https://mobile.twitter.com/Arubin/status/27808662429)

------
evilDagmar
This is pretty darned incorrect on a number of fronts. Skipping for the moment
that a random histronic Reddit post is being considered "news"...

> "Google started leveraging its de-facto monopoly on Android distributions by
> forcing all apps to use its proprietary service Firebase for push
> notifications."

A number of logical leaps of faith need to be made before the word "force"
carries any truth, but no one's "forcing" anyone to do anything. A developer
can still use the FCM or not, it's up to them. If a developer simply refuses
to interface with any sort of proprietary code then it's a wonder they'll
touch any commercial product at all (iOS included).

..and since Telegram-FOSS were cited as a source for this mess, here's the
very first part of [i]their[/i] statement, which is also not true:

> Since Android 8.0 Oreo, Google doesn't allow apps to run in the background
> anymore, requiring all apps which were previously keeping background
> connection to exclusively use its Firebase push messaging service.

Sooo very not true. Android [i]does[/i] still allow apps to run in the
background. The developer docs caution against doing so without good reason
because so many developers try very hard to ignore the lifecycle methods,
resulting in many wasted clockcycles and reduced battery life.

But the Telegram team didn't stop there, so let's unpack the rest:

> Sadly, if the app would set the notification to lower priority (to hide it a
> bit in the lower part of the notification screen), you would immediately get
> a system notification about Telegram "using battery", which is confusing and
> is the reason for this not being the default. Despite Google's misleading
> warnings, there is no difference in battery usage between v4.6 in "true
> background" and v4.9+ with notification.

First, it's not a "warning". It's simply a statement. ...and yes, if you're
going to maintain a separate push notification service of your own (I'm
looking at [i]you[/i], Facebook.) you [i]are[/i] going to be using at least a
few clockcycles. There's no way around this.

The backgrounded apps notification is also as "judgement free" as any
notification can possibly get. On my phone right now, running Android 8.0...
"3 apps are using battery". One of these is my own app (which happens to be a
homescreen widget), another is Life360, and another is GSam Battery Monitor.
Tap that notification and a list appears, headed up with "Apps running in
background" with "Tap for details on battery and data usage" and lists the
apps with their icons. Tap one and it shows what resources the app [i]is[/i]
actually using. GSAM... 52Mb of RAM, and ~55kB of data in the last month. 0%
battery used since last full charge. My app, 0% battery (probably not enough
to count as a whole percent) use since last full charge, 5.84MB of internal
memory, no data usage. I don't know how other people might view them, but to
me these seem like vindications. None of that information is being presented
in any way that that should be construed as condemning or accusatory, let
alone "misleading".

If Telegram-FOSS doesn't want users throwing a fit about their resource usage,
perhaps they should spend a little time grooming user expectations to be more
reasonable.

The reddit user who posted this mess, on the other hand... A five-year old
account that only occasionally posts anything that doesn't smell of astroturf,
and this one post is nearly 80% of their karma. Seems like they've decided to
make a foray into outrage-farming.

------
DigitalTerminal
I am confused. The repo you linked to hasn't had a release since 2016, and I
cannot find a reference to that library ANYWHERE else. The firebase android
sdk, which is what I would guess you would use (though I don't do android, so
could still be wrong) is apache. What am I missing?

------
astannard
Amoungst this big thread, I've not noticed any evidence for this and the
original article does not back this up with anything. Is the allegation that
google are using battery warnings to push people towards using firebase
notifications? Has anyone any experience of this?

------
gdrift
I think the only difference is that foreground service must show a
notification that's all. Users will learn to just disable those useless
notifications.

------
jcriddle4
Google probably wants one stream of data coming in that they have complete
access to. Also probably make it more convenient to tap for the NSA

~~~
5trokerac3
This was my first thought as well. If you can't get encrypted messaging apps
to use the SMS service siphon you can at least snag notification text - and
most people allow the message to be in the notification.

------
EGreg
What do you mean FOSS apps can’t use a proprietary library?

The library’s license says that it cannot be used by AGPL software?

Because if not, the FOSS authors can just make builds for Android with it.

------
deogeo
Perhaps it is time to treat Google as the enemy, because that is how it is
treating us.

~~~
throwayEngineer
Google puts 1 restriction, they are the enemy.

Apple has created priopritary connectors, closed off systems, paid barriers to
entry, and banning apps from their store.

Where is Apple and Microsoft on the scale from Friend to Enemy?

~~~
pfortuny
Hi. Nobody said they are the friends here.

Just that Google is not.

~~~
SketchySeaBeast
In this case I guess there are no friends, only enemies?

~~~
throwayEngineer
Rank the enemies since op avoided that.

Since things are not black and white, it should be reasonable to differentiate
between Apple, Google, and Microsoft.

------
mtgx
And through this, the FBI/GCHQ will get their much-wanted "targeted" malicious
updates vector for which they've been asking for a while.

If Signal has to implement it, I assume the FBI will ask Google for the
ability to insert itself in the proprietary code in some updates from day 2.

~~~
buildzr
Signal has sworn by GCM the entire time they've been running on Android, it
took a lot of whining from the community to get them to allow anything else.

~~~
tialaramex
The reason to do this is security principle: Don't Stand Out.

If Bob uses Bob's personal notification system for Signal, a passive observer
can see that Bob was notified by James. If everybody uses Huge Corp
notifications the passive observer can only tell that James was notifying
somebody about something and that Bob was notified about something.

------
paulcarroty
Good luck for people who still believe in marketing term "Android is Open
Source".

~~~
lern_too_spel
How does this change that?

