• General
  • How does Private Spaces isolation compare to secondary user profile?

About the new private spaces feature in AOSP 15, just how separated is it from the main user? Unfortunately official documentation of the feature seems a bit sparse, but I imagine those involved in the GrapheneOS project know pretty well how the feature works, so I ask here.

If I have understood it correctly, the private space can have an always-on VPN set up even if the main user does not have any VPN, and all apps in the private space will run through this VPN. And apps in the main user cannot even detect the private space uses a VPN. Correct?

And the private space will have its own app data and file storage separate from the main user, just like on secondary user profiles, such that even if an app in either the main user or the private space is granted all storage permissions there are, they cannot see or access files from the other in any capacity, even when the private space is unlocked. Correct?

But the documentation says sharesheet, file picker and docui can see files between the main user and private space. What is sharesheet and docui? Are they part of GrapheneOS? And how is file sharing between main user and private space implemented for the file picker? What process has privileges enough to copy the file between the profiles and how is this done? I am just trying to understand how separated file access really is. Are there any other means to transfer files between main user and private space?

Is storage for the private space encrypted separately from the main user, such that if the private space hasn't been unlocked since device start, the files are at rest to the same strong degree as for secondary users? All screenshots show unlocking is by fingerprint. Does this mean there is no separate encryption passphrase for the private space? On GrapheneOS, what unlock options will be available for the private space?

The official documentation says apps between main profile and private space cannot see each other when the private space is locked. But to what degree can they see each other when private space is unlocked? Is IPC between main user and private space allowed in any capacity at all, or are they as separated as for secondary users? If IPC is allowed at all, what kinds of IPC and when?

When the phone is plugged into a computer, how does one control whether main user storage or private space storage is shared with the computer?

Do notifications work in private space? Are notifications from main user and private space shown together the same, like they originated from the same user? Unlike for secondary users, where content is hidden, if notifications are propagated at all?

Does private space have access to telephony to any degree at all, or is all that handled by the main profile? Do they share contacts?

I hope some clarity about this feature can be provided, in the context of GrapheneOS, since I am seriously considering redoing my phone setup to use private spaces, since it sounds like it would be way more convenient with telephony and notifications and app switching, while providing similar isolation as secondary users. But I just want to be sure just what weakening of security there is, if any, before I can make a choice.

    • [deleted]

    Hopefully Side of Burritos makes a video on this, he is very informative.

    I can only answer the questions that relate to usability, based on the user-facing interface of the Private Space feature in Android 15 Beta on stock PixelOS.

    ryrona If I have understood it correctly, the private space can have an always-on VPN set up even if the main user does not have any VPN, and all apps in the private space will run through this VPN.

    You can install any VPN app in the Private Space (PrS) profile, and choose to only use it in the PrS. You don't need to have or use a VPN in Owner. The Owner and PrS have separate VPN slots, and "Always-on VPN" and "Block connections without VPN" can be configured separately in the Settings app (opened from Owner). Screenshot: https://ibb.co/F3cD1zj

    Notice that the Settings app distinguishes between the PrS and Owner VPN slots by adding a tiny icon to the PrS-specific settings.

    ryrona All screenshots show unlocking is by fingerprint. Does this mean there is no separate encryption passphrase for the private space?

    On PixelOS, you have to unlock the PrS with the PIN/password for the PrS after every device boot. After that, you can use fingerprint unlock for any successive unlock attempts. On PixelOS you can't "end" the PrS session without rebooting – but on PixelOS you can't end any other profile session anyway, without a device reboot.

    ryrona Do notifications work in private space?

    Yes.

    ryrona Are notifications from main user and private space shown together the same, like they originated from the same user?

    Notifications from Owner and PrS are shown together in the notification bar and pull-down menu, but the notifications from PrS are tagged with a separate icon. Screenshot: https://ibb.co/BndbBkT

    I personally would've preferred the PrS icon to be larger and more prominent, although it matches the size of the notification headline.

    The app switcher will also distinguish between actively running apps with the PrS icon. Screenshot: https://ibb.co/n3y1MZ3

    ryrona Do they share contacts?

    I added a contact to the Google Contacts app in Owner, then opened the Google Contacts app in PrS: the PrS did not show any contacts. So at least UI-wise, they don't appear to be shared.

      fid02 Thanks for all this info. So the PrS can just run in the background and you'll be able to see any notifications and the content from the owner profile? This sounds amazing. Do you know if the PrS apps are isolated from doing IPC with the apps in owner profile?

        flighty_sloth do you know if the PrS apps are isolated from doing IPC with the apps in owner profile?

        My answer to this question would be an assumption, not based on insight into the code or documentation. I have only tried the Private Space feature on PixelOS as an end-user.

        fid02 You can install any VPN app in the Private Space (PrS) profile, and choose to only use it in the PrS. You don't need to have or use a VPN in Owner. The Owner and PrS have separate VPN slots, and "Always-on VPN" and "Block connections without VPN" can be configured separately in the Settings app (opened from Owner). Screenshot: https://ibb.co/F3cD1zj

        Notice that the Settings app distinguishes between the PrS and Owner VPN slots by adding a tiny icon to the PrS-specific settings.

        Does this mean VPNs can be nested? If the VPN in your Owner profile is turned on, and the VPN in the private space is turned off, does the private space see your real IP or the IP of the active VPN in your Owner profile?

          ignition Correct, I believe they operate independently of each other; whichever one doesn't have a VPN will be your real IP. In the scenario you described the private space should see your real IP.

            fid02 Are private spaces available on secondary profiles? If so, is it possible to have multiple private spaces? A private space on the owner profile and a private space on a secondary profile, for example.

              flighty_sloth Thanks. Yeah I just found that question was answered in another thread as well.

              I wonder if adding support for private spaces in secondary profiles is something the GrapheneOS team would consider doing?

              flighty_sloth In the scenario you described the private space should see your real IP

              If this is true then the VPNs are not nested

                ignition True not nested, not sure why I wrote "correct" at the beginning, my apologies that was an error, the rest of what I wrote after the first word is what I meant.

                ignition Does this mean VPNs can be nested? If the VPN in your Owner profile is turned on, and the VPN in the private space is turned off, does the private space see your real IP or the IP of the active VPN in your Owner profile?

                @fid02 can you please confirm what is true here?

                ignition Does this mean VPNs can be nested?

                I don't understand what this means.

                ignition If the VPN in your Owner profile is turned on, and the VPN in the private space is turned off, does the private space see your real IP or the IP of the active VPN in your Owner profile?

                What do you mean by a profile "seeing" the IP address of another profile? Unless the question is deeper than what I've already explained, I think my previous explanation that the Owner and PrS profiles have separate VPN slots should be sufficient to answer your question. I've already derailed this topic enough with my usability perspective of PrS. I won't answer any further questions.

                  fid02 I don't understand what this means.

                  That was in the question that followed. If the VPN in your Owner profile is active, but there is no active VPN in your private space, is the reported IP of the private space your real IP or the IP of the Owner's active VPN when you check an IP testing site in a browser (or even the disconnected private space's VPN)?

                  I think my previous explanation that the Owner and PrS profiles have separate VPN slots should be sufficient to answer your question

                  Being able to run more than one VPN simultaneously would require this regardless so I am not sure how this could possibly be relevant.

                  I've already derailed this topic enough with my usability perspective of PrS. I won't answer any further questions.

                  My question is very literally about the topic, VPNs and isolation, so I am not sure how this is spun as a derailment but I cannot force you to answer.

                    ignition I'm sorry for being cross.

                    ignition If the VPN in your Owner profile is active, but there is no active VPN in your private space, is the reported IP of the private space your real IP

                    Yes.

                      ignition "That is an unfortunate design choice." Out of interest, why do you say it's an unfortunate design choice? Surely this way is preferred, as you can have a separate 'identity' in each profile.

                      If you want to have a VPN in each profile, you can. You can also have one profile with one VPN and one with another, or one as your actual IP. Then you can keep certain apps in each profile, depending on which IP you wish them to be routed through.

                      I know that having separate IP addresses isn't enough on its own to stop cross-profile fingerprinting, but it is an element of it at least.

                      If I'm misunderstanding what you mean, let me know though

                        roamer4223 why do you say it's an unfortunate design choice? Surely this way is preferred, as you can have a separate 'identity' in each profile.

                        Because it means it's impossible to nest VPNs, which is necessary for certain higher privacy and anti-censorship postures, but also impossible to simultaneously run a full, privacy-preserving VPN app and something like Blokada because the VPN connection from your Owner profile isn't carried over to the private space.

                        If there was at least a toggle to allow sharing, I could run a VPN in the Owner profile and Blokada or something else in the private space, and stick to using the private space for everything I cared for while remaining confident I had full coverage across my device. The current design means my Owner profile VPN is meaningless to the apps in my private space, so I'm forced to choose either running the same VPN again in the private space, forfeiting Blokada, or Blokada, forfeiting the VPN.

                        I know that having separate IP addresses isn't enough on its own to stop cross-profile fingerprinting, but it is an element of it at least.

                        This type of fingerprinting is a very insignificant concern compared to the inability to simultaneously run a full VPN app that allows you to switch locations as needed plus offers obfuscation/anti-censorship measures and a firewall app like Blokada.

                        The current compromise often recommended is a not particularly intuitive hack offered by some firewall apps that have secondary VPN functionality but you forfeit expedient location changes and now have to place your trust in them to not introduce subtle bugs that break the VPN, a big ask for something of secondary concern to them, while they're focused on building out their firewall/dns features. Even worse, this compromise is off the table if you rely on the anti-censorship/obfuscation measures the full VPN provides.

                        There is also the nesting VPN case, which is increasingly relevant in today's political climate where more privacy-respecting VPNs and services are censored in favor of those that, while secure, are more useful to governments because of the data they retain. If such a toggle existed, I could run my privacy-respecting VPN in the Owner profile and the less privacy-respecting one in the private space without exposing my real IP to the nested VPN. This is the principle underlying iCloud Private Relay but without being limited to the Safari browser or their mail app.

                          ignition I think the main issue here is, this is not what the Private Spaces feature is for. Unless I'm mistaken, it's basically similar to using a work profile with an app like Shelter, but without the need to use a third party app, or without needing to switch between the built-in user profiles either. It allows you to keep certain apps separated from each other so they can not use IPC, or see each other. I assume it's not as isolated as the built-in user profiles but it's also slightly more convenient. You are looking for a completely different feature, as far as I can tell.

                          I don't know much about Blokada at all. However, I know RethinkDNS allows you to essentially do these things. You can download a bunch of multi-hop WireGuard configs from your VPN of choice, such as Mullvad, then import them into RethinkDNS. You can then use your VPN's DNS server or a separate one if you want (though that would make you stand out more, generally speaking). It has a firewall built in, which tells you which app made which request, and allows you to block DNS or IPs. It also allows you to block an app's internet access entirely, though of course the built-in GOS network toggle is better to use in that case.

                          I'm not necessarily recommending RethinkDNS or anything. It just seems to be similar to what you're looking for? Maybe I'm way off.

                          I'm not really an expert so if I'm talking rubbish then please feel free to ignore me. Just wanted to help / understand what you were saying :)