Shelter versus native GOS app isolation - tradeoffs

Hey all,

I've come to the decision that I want Google Play services installed on my owner profile to enable NFC / YubiKey support; I believe FIDO requires this. I currently have Google Play services isolated on a separate user profile.

My first instinct was to install Google Play services on a work profile using Shelter, but I'm cautious about giving privileged device access to a third-party app. My question is - as GrapheneOS provides solid app isolation, isn't Shelter's extra isolation largely redundant? What am I gaining from Shelter, especially if I'm just installing a few fairly well-trusted apps (Microsoft Authenticator, my banking app, etc.)?

From my perspective, going without Shelter seems like a superior option as I don't have to give away any privileged device access. Does anyone have any compelling counter-arguments to this? Would love to hear any thoughts, thank you :-)

    FreshStart I use YubiKey without Google services. Depends how you are using it though.

    My understanding is that Google Play services are required for YubiKey NFC support - are you using NFC without Google Play services?

      FreshStart Yes, I'm using YubiKey without Play services. If I need it for Bitwarden or any other app or webpage it works just fine, including the Yubico Authenticator app. You may need to enable NFC under connected device settings.

        Skyway I tested it and set up my YubiKey as an MFA method for Tuta. As I mentioned, I have two user profiles set up on my device - one with Google Play services and one without. I attempted to log into the browser version of Tuta with my YubiKey on both profiles. I was only able to log in on the profile with Google Play services installed.

        Clearly Google Play services are a requirement for YubiKey NFC. Which takes me back to my original question - does anyone have any compelling arguments for using Shelter over GOS's native app isolation?

        The main benefits of a separate profile are potential fingerprinting resistance and that standard IPC doesn't work across profiles. The lack of cross-profile IPC also means no push notifications from Google across profiles.

          p338k would you mind explaining how this increased fingerprinting resistance works? What exactly is doing the fingerprinting? Google services, or apps? And what does IPC stand for? I haven't come across that acronym before. Thanks.

            FreshStart

            First, it is merely potential fingerprinting resistance. Applications in the work profile will only be able to see applications that are installed in the same profile. There are other ways to fingerprint a device. Any application (including Google services) can employ various means to fingerprint your device.

            IPC is interprocess communication. Apps designed to communicate with one another can share data if they are installed in the same profile.

              p338k thanks. I've just realised that Shelter is pointless for my use case anyway as I want NFC on my main apps, meaning I can't just install Google Play services in a work profile anyway. Thanks for your time 😊

              FreshStart Shelter is not an additional app sandbox. It relies entirely on the OS provided app sandbox. Shelter is an app for managing a work profile, which is a standard OS feature. Work profile management apps are considered to own the profile, not you, and they're responsible for a huge part of configuring how they work.

              Profiles can be used without a management app by using user profiles. User profiles also have separate encryption keys and a much more isolated user interface.

              Apps can detect the other apps installed within the same user, including across the work profile boundary to an extent. They can't detect apps only installed in other users except via exploits of vulnerabilities.

              Apps can only communicate with other apps within the same profile with mutual consent between both apps. However, work profile management apps can enable limited communication between the work profile and the user profile it's nested within if they choose to do that. Work profiles are also inherently a lot less separated than user profiles.

              Both work and user profiles entirely rely on the standard app sandbox and do not provide ANY additional layer of sandboxing. They provide separate workspaces for the app to communicate with from within their app sandbox, not another layer of sandboxing. They aren't a virtual machine running another OS. It's the same SystemUI process, etc.

              Sandboxed Google Play is not inherently required for anything to do with NFC. Many apps choose to use it for FIDO2 and passkeys rather than using another implementation, but that varies based on the app. A YubiKey will work fine without Google Play, but most apps won't support FIDO2 without Google Play.

              The sandboxed Google Play apps are regular apps with no special ability to communicate. Each app using Google Play services includes the Google Play libraries anyway, so you need to be clear about what you're really trying to achieve. Many of the Google libraries work fine without Google Play services installed. Google Play services doesn't need to be installed for apps to use Google libraries and services, which is a common misconception. Sandboxed Google Play cannot do anything that other regular apps cannot do, which is the whole point of the approach. The Google libraries in apps using them can inherently do anything sandboxed Google Play can do without it, and simply choose not to provide fallback code for running without Google Play services installed in many cases. Many of their libraries, such as the regular non-lite Ads and Analytics libraries, work fine without Google Play services installed.