Whats in the next (10.2) Vespucci update?

Posted by SimonPoole on 18 March 2018 in English (English)

First a note, it seems as if I never blogged about the 10.1 update, information on those changes can be found in the release notes on the Vespucci website.

The beta release of 10.2 that is now available in the beta channel on the google play store, or from the releases on github does not change an awful lot that is end user visible outside of a new upload UI, however there are two core changes that I want to touch on quickly.

Support for "network" location providers

Historically Vespucci has only supported using the on-device GPS location provider, or nothing at all. That meant that you were unable to get a rough location approximation on devices that didn't have onboard GPS, or that had GPS disabled for example to reduce power requirements. The main reason for this is that on the one hand we wanted to avoid location information potentially tainted by your devices Android provider and avoid our users position being tracked by them.

We now support using so-called "network" location providers, that is location sources that derive your position from the mobile network, WLAN and other signals your device is receiving. If you've enabled such providers on your phone, more on that later, Vespucci will use all available providers for centering the map display on your position and for auto-downloads, tracks will still exclusively be generated from GPS data.

The change in opinion is mainly due to less and less people caring about such matters and at least google tracking in any case (see for example, further allowing such providers enables better indoor positioning which is a clear advantage.

If Vespucci detects that network positions can at least potentially be used, it will display this icon instead of the classic GPS icon on the screen and will alert you to which provider it is currently using via toasts (the short on-screen messages).

Modern devices running a google variant of Android have three location mode setting (besides turning location services completely off):

  • Device only - use only the on device GPS location information, does not require sharing your location data with google
  • Battery saving - doesn't use GPS, instead uses mobile network, WLAN and other signals to determine your location, requires sharing of your location data with google
  • High accuracy - uses GPS and other signals to determine your location, requires sharing of your location data with google, this is typically only more "accurate" than Device only if receiving GPS signals is seriously impaired

Vespucci does not use the Google play servers "fused" location service and remains usable independent of if you are running it in a Google sanctioned environment or not.

Better https support

Given the push for more and more services on the Internet to be accessible only via encrypted transport (https) Android apps are faced with two challenges:

  • the standard Java API for accessing http services does not support protocol level redirects, that is http to https or the other way around this is not difficult to work around but would still require codes changes at every impacted place in the code
  • more and more sites are turning off TLS 1.0 support for security reasons, unluckily TLS 1.1 and 1.2 are only supported from Android 4.1 on and are only enabled by default since 4.4, again addressing this requires touching all the same code as above

In the end I decided to address these issues by migrating all the networking code to OkHttp that we've already been using for some things, for example for map tile retrieval since 10.1. As OkHttp exposes a different programming model and it didn't require massive changes, it wasn't a drop in replacement and we appreciate all feedback on the changes as some aspects of the networking code are difficult to test automatically.

Two notes:

  • yes this means that users with devices running Android 4.0 and older are not able to access any services that have turned off TLS 1.0, for example you will not be able to update the imagery configuration on the fly from github.
  • modern Android versions actually use OkHttp under the hood wrapped in code that emulates the standard Java API, so we are not doing anything particularly exotic.

Comment from SimonPoole on 18 March 2018 at 17:28

@Glassman I particularly like " anonymized string of numbers unique to each device...", now obviously the police could obtain similar, likely not quite as good information from the mobile network operators, and in the case of actual crimes it is likely that nobody would seriously object to that being possible.

The real problem is a private company, operating multiple monopolies in different areas of business, has unfettered access to such information.

Comment from Glassman on 19 March 2018 at 01:52

I should have added a disclaimer. I enable high accuracy, gps, wifi, cell and bluetooth, on my android.

The real problem is a private company, operating multiple monopolies in different areas of business, has unfettered access to such information. We have been reading about Cambridge Analytica this weekend. I'm not surprised, just saddened.

Comment from n76 on 30 March 2018 at 17:33

FWIW, the microG provides an open source replacement for part of the Google services found on Android phones. The network location provider portion of that uses a plug-in architecture and there are a number of "backends" that you can use including some that use on-phone databases with no communication to any provider.

Comment from SOSM on 30 March 2018 at 19:00

@n76 but the sad fact is that irl it only works on phones with non-google non-amazon versions of Android or rooted devices (originally there was a plan to provide a direct interface to the microg backends, but given that there are a fixed number of hours per day and nobody volunteered to take it on as a project, I've dropped it). Naturally if you can actually get it to work on your device there are no issues with using it now.

Comment from SimonPoole on 30 March 2018 at 19:01

@n76 upps sorry wrong account.

Login to leave a comment