allow GMS remote credential service to be used #193

Draft: wants to merge 1 commit into base 15-qpr2

Conversation

@inthewaves (Member) commented Jun 9, 2025

Currently, GMS allows passkeys via hardware keys ("remote credentials" from a "remote device") by its RemoteService, but this is being filtered as sandboxed Google Play doesn't result in system services. The RemoteService is also expected to be set as an OEM config value in frameworks-res (config_defaultCredentialManagerHybridService).

This will make it so that external devices (e.g. FIDO2 with NFC / USB) can be used with sandboxed Google Play to register hardware keys in Vanadium / Chrome, along with improving hardware key functionality in other apps that make credential requests with android.credentials.CredentialManager (Context.CREDENTIAL_SERVICE) directly instead of contacting Google Play services.

It still comes with the caveat that for some apps, Google has to be enabled as a credential service under Settings > Passwords, passkeys & accounts, as sandboxed GMS services are not system credential providers and have to be explicitly enabled as user credential providers. Apps that contact GMS directly for credentials / passkeys still work without needing to enable Google as a credential service (e.g., Vanadium / Chrome will fall back to contacting Play services directly if the framework GetCredentialRequest fails, which allows authentication to work without this patch, but they don't have such a fallback when creating credentials).

Appears to resolve issues like ones described at https://discuss.grapheneos.org/d/12056-fido2-security-keys-on-grapheneos-a-summary/24 (tested on release-keys user build), though Discord passkey sign-in was also broken on stock OS when I tested it:

This is due to Sandboxed Google Play not displaying the option of choosing between security keys and password managers / local passkeys in Play's FIDO authentication dialog. This has been possible for several months now on stock PixelOS, but Sandboxed Google Play seems to be displaying an older UI which does not have this option.

For apps that don't call the default web browser for signing in/up with passkeys (such as Discord and Microsoft Teams), it doesn't seem possible to sign in with security keys unless they are used as MFA (in that case, you are probably not signing in with passkeys anyway).

Tests with Play services alpha 25.18.33 (260400-756823100), Vanadium 137.0.7151.72.1, Chrome Beta 138.0.7204.14, Brave 1.79.119:

  • webauthn.io with various Advanced settings (such as Attachment set to cross-platform) on Vanadium, Chrome Beta, Brave with FIDO2 (USB and NFC)
  • GitHub Passkey registration and passwordless sign-in ("Sign in with a passkey" button on sign in page) on Vanadium, Chrome Beta, Brave with FIDO2 (USB)
  • Google account login via Play Store and google.com on Vanadium with FIDO2 (USB)
  • Amazon Shopping and Microsoft Teams with "Sign in another way" toast pop-up at the bottom of the screen with FIDO2 (USB); able to sign in without specifying a password
  • Discord security key enrollment and 2FA (but sign-in with passkey option seems broken on stock as well)

Note that Brave doesn't require Google to be set as a credential provider under Settings > Passwords, passkeys & accounts, but all the other tested browsers and most other apps require this.
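As an added illustration (not code from this PR or from GrapheneOS), this is roughly what a framework-direct passkey assertion request looks like for an app that talks to android.credentials.CredentialManager itself, the path the description says this change improves for hardware keys. The androidx bundle keys, the request JSON and the helper names are assumptions; the error callback is the point at which a browser would decide whether to fall back to Play services directly, as described above.

```java
import android.content.Context;
import android.credentials.CredentialManager;
import android.credentials.CredentialOption;
import android.credentials.GetCredentialException;
import android.credentials.GetCredentialRequest;
import android.credentials.GetCredentialResponse;
import android.os.Bundle;
import android.os.CancellationSignal;
import android.os.OutcomeReceiver;
import java.util.concurrent.Executor;
import java.util.function.Consumer;

/** Framework-direct passkey assertion request (API 34+), without the Jetpack wrapper. */
public final class FrameworkPasskeyRequest {
    // Bundle keys and credential type as used by the Jetpack androidx.credentials wrapper.
    // These are assumptions: the PR text names only the framework class, not these constants.
    static final String TYPE_PUBLIC_KEY_CREDENTIAL = "androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL";
    static final String BUNDLE_KEY_REQUEST_JSON = "androidx.credentials.BUNDLE_KEY_REQUEST_JSON";
    static final String BUNDLE_KEY_RESPONSE_JSON =
            "androidx.credentials.BUNDLE_KEY_AUTHENTICATION_RESPONSE_JSON";

    /** Wraps a WebAuthn PublicKeyCredentialRequestOptions JSON string in a GetCredentialRequest. */
    static GetCredentialRequest buildRequest(String requestJson) {
        Bundle optionData = new Bundle();
        optionData.putString(BUNDLE_KEY_REQUEST_JSON, requestJson);
        // isSystemProviderRequired=false lets user-enabled providers answer; the description notes
        // sandboxed GMS is not a system provider and must be enabled as a user credential provider.
        CredentialOption option = new CredentialOption.Builder(
                TYPE_PUBLIC_KEY_CREDENTIAL, optionData, new Bundle(optionData))
                .setIsSystemProviderRequired(false)
                .build();
        return new GetCredentialRequest.Builder(new Bundle()).addCredentialOption(option).build();
    }

    /** Issues the request; onFrameworkFailure is where a fallback decision would be taken. */
    static void getPasskeyAssertion(Context ctx, Executor executor, String requestJson,
                                    Consumer<String> onResponseJson,
                                    Consumer<GetCredentialException> onFrameworkFailure) {
        CredentialManager cm = ctx.getSystemService(CredentialManager.class);
        cm.getCredential(ctx, buildRequest(requestJson), new CancellationSignal(), executor,
                new OutcomeReceiver<GetCredentialResponse, GetCredentialException>() {
                    @Override public void onResult(GetCredentialResponse response) {
                        // The chosen provider returns the authenticator assertion as JSON.
                        Bundle data = response.getCredential().getData();
                        onResponseJson.accept(data.getString(BUNDLE_KEY_RESPONSE_JSON));
                    }
                    @Override public void onError(GetCredentialException e) {
                        // e.getType() separates TYPE_NO_CREDENTIAL from TYPE_USER_CANCELED, so a
                        // caller can avoid retrying elsewhere after an explicit user cancel.
                        onFrameworkFailure.accept(e);
                    }
                });
    }
}
```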

@inthewaves inthewaves force-pushed the fido2-remoteservice branch from 55ab7e3 to fc45f72 Compare June 10, 2025 03:54

Test: atest CtsCredentialManagerTestCases
There's also FrameworksServicesTests:com.android.server.credentials, but currently it has some
Mockito failures
@inthewaves inthewaves force-pushed the fido2-remoteservice branch from fc45f72 to a2fd6a8 Compare June 10, 2025 05:31
@inthewaves inthewaves marked this pull request as draft June 13, 2025 07:42