  • Questions about user isolation & privacy while using work profile

Hello, I'm currently using GrapheneOS on Pixel 8.
I've tried to make use of user isolation for privacy oriented apps & separate for proprietary apps, but it has turned very tedious for me to keep switching and I would like to find a middle ground for better usability.
Ultimately, I want to reduce my dependency on proprietary apps, but currently, I want to reduce how much data could be collected by these apps.
I want to know what privacy concerns still exist when using single user profile, with work profile to isolate the proprietary apps.

Some things that I know are isolated: Contacts, storage, etc.

Some issues that I could think of:

  • Clipboard is shared. I'd expect to see a notification that it's being accessed, but if it's a background service, I wouldn't realize.
  • Pure user isolated encryption is lost. As users are not separate, all data relevant to the user can be accessed (although, I'd expect separate user space for the work profile, I don't know if this can be broken through).
  • Trust that DPC (device policy controller)/Shelter ensures isolation. I'm not sure if there are any known major issues with their implementation.
    (Without app/Test DPC: https://androiddev.social/@MishaalRahman/110737255948689914)

Some questions about the isolation through work profile:

  • If (sandboxed) play services is installed in the work profile, does that mean it can access app list of the main profile/other intrusive data gathering, which can help in identifying the device & various app usage info?
  • Is IPC possible between the primary & work profile apps? Or can data be collected about apps from the work profile?
  • Can you enable always-on VPN (Wireguard) only in non work profile, while the work profile uses normal connection?
  • Are notifications created on the main profile readable within the work profile?
  • My understanding of reducing browser fingerprinting is to reduce installed addons so my device is not as unique. I assume this has no bearing on separate user profiles though.

If there are any other ways that data could be shared, or other privacy concerns, I would like to know, and maybe find workarounds for them.
Or even benefits of using a work profile within the same user, if any.

  • [deleted]

Very interesting questions. Also made me curious. Hopefully someone with the expertise can answer.

15 days later

It would be greatly appreciated if someone with the sufficient knowledge could help out on this topic.

    [deleted]
    Hey, I thought I'd try to answer some of my own questions:

    • App list - This seems to be separate, at least using the PackageManager API.
    • VPN-only on main profile does not affect the work profile. I tried accessing a website that I had hosted locally, and it's not accessible through work profile.
    • Notification does not seem to be accessible across the work profile. I tried using this & this, and I got an error message mentioning "work profile apps cannot change notification access".
      So, unless there's a way to give access to the work profile, I don't think it's possible.
    • IPC between main & work profile apps was not possible. I tested it with this repo.
    • Clipboard should not be accessible when the app is in the background. I got the following error message when I tried it: "Denying clipboard access to com.example.datacollect, application is not in focus nor is it a system service for user 5".
      But I could access it once the window got back the focus (a toast message is shown when new clipboard data is accessed).
      A hack is mentioned here, where the activity could be transparent, and it pops up and disappears. But I couldn't get this working perfectly, as I could still see a popup of the transparent activity where you'd lose focus to whatever you were doing. Maybe there's a way to perfect this, but I don't know.
    • I tried this app to get some info on the device, mainly hardware info. The device ID was similar across user profiles, and different in the work profile. I believe this can be used to identify the user uniquely.
      The device fingerprint was similar across all profiles, and likely everyone with the same device config should fall under this.
      More info here & code here.
    • I tried to use AdvertisingID, but I believe you need to have published an app on the play store. I didn't go any further.

    This doesn't cover the possibility of using internal APIs using reflection, or other hacks.
    If anyone has more ideas, or thoughts about this, I'm very interested.

    So far, I can't think of a compelling reason to use separate user profiles. Work profile seems to isolate the apps mostly.
    The only concern I could think of is, if there's some malware or malicious code running on the work profile, and somehow, it could affect the main profile (e.g., clipboard access, sharing screen, etc).
    I don't know how easy that situation is, but in my opinion, I don't think it'd be that different with actual profiles.

    What I would've personally liked is a hybrid, where I could have an empty main profile, a second profile, which in turn uses Shelter for the proprietary apps. In situations of low battery, or just random issues, I'd just be able to close the other profiles.
    Unfortunately, second profiles are not allowed through shelter. Maybe I'll try using Insular or TestDPC at some point, but it's not that important for now.
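The checks listed in the post above (app list, cross-profile IPC, clipboard access) can be bundled into one small probe activity so that the isolation of a work profile can be re-verified after an OS or DPC update. The following is an added example, not code from the thread or from GrapheneOS/Shelter; it uses only public Android APIs (`UserManager`, `PackageManager`, `CrossProfileApps`, `ClipboardManager`), assumes minSdk 30, and the package name `com.example.profileprobe` is a hypothetical placeholder.

```kotlin
// Added example: a probe activity that reports what the profile it runs in can
// observe. Run it once in the main profile and once in the work profile and
// compare the logcat output. Package name is a hypothetical placeholder.
package com.example.profileprobe

import android.app.Activity
import android.content.ClipboardManager
import android.content.pm.CrossProfileApps
import android.os.Bundle
import android.os.Process
import android.os.UserManager
import android.util.Log

class ProfileProbeActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        Log.i(TAG, buildReport())
    }

    // Collects the observations into one string so it can be logged or shown.
    fun buildReport(): String {
        val userManager = getSystemService(UserManager::class.java)
        val crossProfileApps = getSystemService(CrossProfileApps::class.java)
        val clipboard = getSystemService(ClipboardManager::class.java)
        val sb = StringBuilder()

        // Which profile is this process running in? The serial number is stable
        // per user/profile and tells the two runs of the probe apart.
        val serial = userManager.getSerialNumberForUser(Process.myUserHandle())
        sb.appendLine("uid=${Process.myUid()} userSerial=$serial")
        sb.appendLine("isManagedProfile=${userManager.isManagedProfile}")

        // PackageManager only returns packages installed for the calling
        // user (further limited by package-visibility rules on Android 11+),
        // so the count should not include the other profile's apps.
        val visible = packageManager.getInstalledApplications(0)
            .map { it.packageName }
            .sorted()
        sb.appendLine("visiblePackageCount=${visible.size}")
        sb.appendLine("visiblePackages=${visible.joinToString(",")}")

        // CrossProfileApps lists the profiles this app may target; the list is
        // empty unless the DPC has explicitly allowed cross-profile interaction
        // for this package, which is what blocks ordinary IPC across profiles.
        val targets = crossProfileApps.targetUserProfiles
        sb.appendLine("crossProfileTargets=${targets.size}")
        sb.appendLine("canInteractAcrossProfiles=${crossProfileApps.canInteractAcrossProfiles()}")

        // Since Android 10 the clipboard is only readable by the focused app
        // (or the default IME). In onCreate the window is not yet focused, so
        // a null result here is the expected, isolated behaviour.
        sb.appendLine("clipboardReadableInOnCreate=${clipboard.primaryClip != null}")
        return sb.toString()
    }

    companion object {
        private const val TAG = "ProfileProbe"
    }
}
```

Reading the report: in a correctly isolated work profile `isManagedProfile` is true, the package list contains only work-profile apps, `crossProfileTargets` is 0 with `canInteractAcrossProfiles` false, and the clipboard read in `onCreate` returns null; any deviation after an update is worth investigating before trusting the profile boundary again.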

      • [deleted]

      KershinNoa Can confirm that apps don't have access to see packages in the main profile. I tried to use a package manager app and they didn't show up.