App compartmentalization options on GOS

I like to compartmentalize my apps based on trusted/FOSS apps vs. untrusted/proprietary apps, and I have been doing so using the work profile within the owner user profile using Shelter.

I know user profiles are a great way to achieve compartmentalization of apps in GOS, but I have not adopted this method yet because of the following compartmentalization requirements:

  1. Prevent untrusted apps from having access to my sensitive data (ex: files, contacts) by default
  2. But selectively & manually-enable data flow between trusted apps and proprietary apps when required
  3. Completely shut off the trusted apps when not in use, so that they do not run any background processes when not in use
  4. Seamless installation/maintenance of apps installed in the untrusted compartment

User profiles are great for #1, #3 and #4, but AFAIK, #2 is not possible with user profiles. I know that is a feature and not a bug, but I still need #2 in my compartmentalization setup during the following example use-cases:

  • Receive banking account details on Signal (trusted app) & copy-paste the details into my banking app (untrusted app)
  • Send photos stored on main system/profile to contacts only on proprietary messaging apps

To meet all requirements, I use the following compartmentalization setup:

  • Install trusted apps into the main owner user profile, which has sandboxed Google Play services enabled for various reasons
  • Use Shelter to create a compartment to store my untrusted apps using the work profile within the main owner user account
  • Install sandboxed Google Play Services within the created work profile to use Google Play Store to install and update apps within the untrusted compartment
  • Enable auto-freeze for all apps installed within Shelter's work profile, so that they cannot run any processes once not in use
  • When I need to enable data flow, I unfreeze the untrusted app via Shelter and share whatever data I want to share using the work tab of the Android share menu

The above compartmentalization setup using Shelter meets all of my requirements. But on my post detailing my 2-month tracking of battery life comparing stock vs. GOS, where I concluded that my current GOS setup gets an average of 48 mins SOT less than the similar setup I had on stock, I received insights that my current setup results in increased battery drain because the system needs to keep 2 instances of GmsCompat running at all times:

You have two instances of sandboxed Google Play running at all times. That's likely your culprit. If you weren't using that work profile and just used the owner profile as is, with sandboxed Google Play, I think your results would be substantially different.

(via @matchboxbananasynergy)

Google Play services uses a significant amount of resources and running 2 instances of it will reduce battery life significantly compared to running 1 instance. GrapheneOS out-of-the-box will have much better battery life and it should still be better if you're comparing a single instance of sandboxed Google Play to the stock OS. This fully explains why you have lower battery life.

(via @GrapheneOS)

As concluded in my other post, I am completely fine with the very slight decrease in SOT, as long as I can use the amazing OS that is GOS and achieve compartmentalization that meets all 4 requirements. With that said, if there is a more battery/memory-efficient way to achieve compartmentalization in the way that I need, I would love to know.

AFAIK, below is my understanding of the different compartmentalization methods on GOS and how they perform on the different aspects:

| # | method                                         | req. #1 | req. #2 | req. #3 | req. #4 | efficient resource/battery use |
|---|------------------------------------------------|---------|---------|---------|---------|--------------------------------|
| 1 | none                                           | FALSE   | FALSE   | FALSE   | FALSE   | TRUE                           |
| 2 | Work profile via Shelter in owner user profile | TRUE    | TRUE    | TRUE    | TRUE    | FALSE                          |
| 3 | Separate user profile                          | TRUE    | FALSE   | TRUE    | TRUE    | TRUE                           |

Are there any other compartmentalization strategies available on GOS that I am not aware of? How do you compartmentalize your apps?

EDIT:

I also considered keeping my same setup but deleting sandboxed Google Play Services (GPS) from my work profile. I probably don't need GPS because the untrusted apps are always frozen and I don't receive notifications anyway (although not having GPS may break compatibility, so I will need to do some testing and verify). But the main drawback of this is that I will no longer be able to use the Play Store within the work profile to install and update the untrusted apps, which is a big security risk, especially since that includes my banking apps.

The updated summary table:

| # | method                                         | req. #1 | req. #2 | req. #3 | req. #4 | efficient resource/battery use |
|---|------------------------------------------------|---------|---------|---------|---------|--------------------------------|
| 1 | none                                           | FALSE   | FALSE   | FALSE   | FALSE   | TRUE                           |
| 2 | Work profile in owner user profile with GPS    | TRUE    | TRUE    | TRUE    | TRUE    | FALSE                          |
| 3 | Work profile in owner user profile without GPS | TRUE    | TRUE    | TRUE    | FALSE   | TRUE                           |
| 4 | Separate user profile with/without GPS         | TRUE    | FALSE   | TRUE    | TRUE    | TRUE                           |
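The thread's battery diagnosis hinges on one checkable fact: how many user/work profiles on the device carry their own copy of sandboxed Google Play. The script below is an added example, not code from the thread, GrapheneOS or Shelter. It parses the output of `adb shell pm list users` to find every profile id, then asks `pm list packages --user <id>` whether `com.google.android.gms` is installed there, and reports the instance count. Live mode assumes `adb` is on PATH with USB debugging enabled; the default sample mode runs the same parsing against constructed output that mirrors the two-profile setup described above (owner 0 and work profile 10, both with GMS), so it can be tried offline.

```shell
#!/bin/sh
# Added example: audit how many profiles on a GrapheneOS device have sandboxed
# Google Play installed. Not part of the original post; adb usage is an assumption
# about the reader's environment, and the sample data below is constructed.

GMS_PKG="com.google.android.gms"

# Read `pm list users` output on stdin and print one numeric user id per line.
# Real lines look like:  UserInfo{10:Work profile:1030} running
parse_user_ids() {
    sed -n 's/^[[:space:]]*UserInfo{\([0-9][0-9]*\):.*/\1/p'
}

# Live lister: package list for user $1 from a connected device.
list_packages_live() {
    adb shell pm list packages --user "$1"
}

# Sample lister (constructed): owner profile 0 and work profile 10, both carrying GMS,
# matching the setup in the post. Package names other than GMS are placeholders.
list_packages_sample() {
    case "$1" in
        0)  printf 'package:org.thoughtcrime.securesms\npackage:%s\n' "$GMS_PKG" ;;
        10) printf 'package:com.example.bank\npackage:%s\n' "$GMS_PKG" ;;
        *)  : ;;
    esac
}

# Count how many of the user ids in $2 (space separated) have GMS installed,
# using lister function $1. Prints the count.
count_gms_instances() {
    lister="$1"
    n=0
    for uid in $2; do
        if "$lister" "$uid" | grep -qx "package:$GMS_PKG"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed `pm list users` output for the same two-profile device.
SAMPLE_USERS='Users:
    UserInfo{0:Owner:c13} running
    UserInfo{10:Work profile:1030} running'

# audit [live|sample]: print the profile ids and the number of GMS instances.
audit() {
    mode="${1:-sample}"
    if [ "$mode" = live ]; then
        ids=$(adb shell pm list users | parse_user_ids | tr '\n' ' ')
        lister=list_packages_live
    else
        ids=$(printf '%s\n' "$SAMPLE_USERS" | parse_user_ids | tr '\n' ' ')
        lister=list_packages_sample
    fi
    count=$(count_gms_instances "$lister" "$ids")
    echo "profiles: $ids"
    echo "sandboxed Google Play instances: $count"
    if [ "$count" -gt 1 ]; then
        echo "note: more than one GMS instance is resident, which is the battery cost discussed in the thread"
    fi
    return 0
}

audit "$@"
```

Run it as `sh audit.sh live` with the phone connected to see the real count; running it with no argument exercises the sample data. Deleting GMS from the work profile (option 3 in the table) should bring the live count from 2 down to 1, which is an easy way to confirm the change actually took effect before measuring SOT again.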

    Vagabond8630 Thank you for your thoughtful post(s)!

    Sorry... I have no answers for you.

    To add to your summary table :) IIUC, GOS is working on some sort of inter-process communication scopes. I've been wondering if careful use of this feature will do away with some of the privacy needs for multiple profiles, especially keeping Google(s) in a communications box. Switching between users can be a PITA.