Use case for user profiles after App Communication Scopes?

DeletedUser88

What do you think the main use case for user profiles will be after that feature is implemented?

de0u

DeletedUser88 It's hard to say, since there isn't an implementation to try.

Personally I am a bit skeptical about IPC filtering. I suspect lots of IPC activity that people want to filter out is already not happening, and also that a lot of people will find that filtering apps from talking to Google Play will just cause those apps to throw an error and quit.

Like any control mechanism, it will likely have uses. But if people have a vision that IPC filtering will convert spyware apps into privacy-preserving apps, I don't think that will come to pass.

And I think it may be fussy to set up. If an app is allowed to do IPC for clipboard purposes, that's non-trivial attack surface. But if an app is denied clipboard access I think that will be annoying. If a new keyboard is installed, will it be necessary to authorize each app to talk to it?

Overall I am not expecting it to be a giant positive life change for most users. I suspect most GrapheneOS users would benefit more if upstream AOSP glitches in the profile system were fixed (hopefully by Google).

But maybe I'll turn out to be wrong!

mmmm

de0u if its granular, then trial and error will be the order of the day. I was hoping (and what I'm about to say is a stretch), that it may throw up requests per app as to the type of thing the app requested, which could be denied or accepted. In highly doubt it will be able to be like that though. More likely its a more all or nothing approach. Time will tell.

GrapheneOS

de0u

and also that a lot of people will find that filtering apps from talking to Google Play will just cause those apps to throw an error and quit.

It will have to both block communication and hide that the app is there, to prevent that situation. It's inherently the same feature as avoiding apps being able to detect other apps in the same profile since one implies the other for it to function properly.

And I think it may be fussy to set up. If an app is allowed to do IPC for clipboard purposes, that's non-trivial attack surface. But if an app is denied clipboard access I think that will be annoying. If a new keyboard is installed, will it be necessary to authorize each app to talk to it?

We're not planning on having it overlap with other permissions. If you allow microphone access and another app plays audio to it, allow access to the same file, allow both to access contacts, give both Network access (we do plan to offer loopback isolation which could block this when combined with a certain type of VPN), etc. then you allow communication explicitly which is outside the scope of it. Side channels are also outside the scope of it. It's very difficult to implement even with this limited scope and we may end up providing a different approach than what we initially set out to do. Even a partial implementation of controlling which apps can access another apps exported services would be useful for protecting apps from each other since apps can have vulnerabilities in their exported interfaces, but it wouldn't be able to block communication without a lot more. We may simply need to leverage nested profiles.

DeletedUser24

Each profile has its own encryption keys.
To store some more sensitive data, it can be useful to have a separate profile, with a different password.

kopolee11

Another benefit is that each user profile can have its own VPN.