README.md is missing

[gdt]

I have a lot of questions which aren't answered in the missing README.md :-)

• How does this relate to https://github.com/microg/android_packages_apps_UnifiedNlp? Is one a fork of the other? Are they competive? Do they use the same interface to plugins?
• Security properties aren't explained. It seems this does no lookups and thus no network activity, but it would be nice to say that.
• there's no explanation about fitting on rooted/unrooted devices with or without gapps.
• In these providers, it seems there is a way to return "last known location". But arguably that's a security bug, if one only starts up programs that might send location in some places. (Yes, I know starting or more accurately stopping is a concept that the Android architecture doesn't like.) So it seems a unifiedNlpProvider should have a way to decline to provide that.

[wish7code]

• UnifiedNLP (https://github.com/microg/android_packages_apps_UnifiedNlp) is a great framework, which intends to replace Google's propriertary geolocations services. Thereby UnifiedNLP is a pure backend framework, meaning it doesn't provide any geolocation mechanisms by itself. Instead you choose a concrete module which does the actual geolocation part. The openbmap geolocation module is one such module, but there's also a variety of other open source modules (e.g. opencellid or Mozilla location service)

Are they competive?

Not at all! We completely rely on the UnifiedNLP framework to 'feed' location upstream into Android OS.

• Security properties aren't explained. It seems this does no lookups and thus no network activity, but it would be nice to say that.

One of the unique point of openbmap geolocation provider is the offline mode. You save the geolocation database on your devices (worlwide coverage ~1GB) and you're completely independent from the internet.

1GB is quite heavy for some folks, so we also provide an online mode. In online mode the device sends visible cells and wifi bssids to the server, which in turn provides the estimated location.

Please keep in mind, that for technical reasons, you'll have to activate the offline mode manually. Simple reason: we can't distribute the 1 GB file via F-Droid ;-)

• there's no explanation about fitting on rooted/unrooted devices with or without gapps.

There're some limitations in the UnifiedNLP framework: it definitely works on rooted devices without GAPPS installed. There've also been attempts to use GAPPS and UnifiedNLP side-by-side, but as far as I know it doesn't work (see Rawi01/XposedUnifiedNlp#2)

• In these providers, it seems there is a way to return "last known location". But arguably that's a security bug

Unfortunately I guess this is Android OS specific :-( To my knowledge your device caches this locations, not UnifiedNLP or the modules. Having said that, at least I think the location isn't send somewhere, it's just a local copy of a previous request that is returned.

Let me know, whether this helps
Cheers

Toby

[gdt]

Yes, that helps. Putting it in README would be great. I can explain some of my confusion now (which may have puzzled you): I have been trying to figure out all the pieces in this world, and unifiedNlpProvider.git looked to me like android_packages_apps_UnifiedNlp.git. Now that you point it out, "Provider" is obvious, but I failed to understand it. Obviously you should not change the name for me, but I expected org.foo.bar to have a bar component that was fully descriptive, instead of having to be interpreted in the context of bar. In other words, this isn't org.openbmap.UnifiedNlpOpenBmapProvider.

I withdraw my questions about rooted/unrooted and last known location. Those are about UnifiedNlp, not your provider, and I asked them because I thought this was a fork of the umbrella code.

My security question stands. While I get the big-picture point and applaud it, I found that the openbmap provider defaulted to online (instead of that having to be an explicit choice) and it seemed to flip back to online when you lost the database (instead of failing safe).

I'm glad there is no fork here. Thanks for taking the time to straighten me out.

[gdt]

Thanks for documenting the lack of storing anything. The only remaining thing to add is if the lookups are https. I think they aren't so far. Then I'm content for this ticket to be closed.

[gdt]

I see the README says that lookups are over https and no logs are kept - which is the right answer :-)