• General
  • How does Private Spaces isolation compare to secondary user profile?

ignition authority posturing

If anyone talks about my projects to me, that's just me, in my comfort zone. Not my intention to "posture".

ignition priority as a matter of fact

How is the developers spending the past 10 months (16 releases!) working mostly on WireGuard not a priority to them? (it is a rhetorical question)

ignition goalposts are moving

I said "anti censorship", and you went GFW. I built an app that can support WireGuard, and you go "but where is your VPN network"?

ignition you're offended about what you've confused

tbh, I'm astounded, not offended. I'm amused, not confused.

(I hope we can drop our disagreements here as this thread is getting derailed. Hopefully, you find answers you're looking for, from contributors better than I).

    I have no issues with people who represent a project here defending it if they feel it's being attacked or misrepresented by someone, but I hope that we can all collectively end it there, as it's getting a bit too far away from what this thread is supposed to be about.

      ignoramous How is the developers spending the past 10 months (16 releases!) working mostly on WireGuard not a priority to them?

      The part where supporting WireGuard and/or OVPN is so table stakes for a centralized VPN, the absolute barest minimum, that being able to get by with 'later support' speaks for itself. The Mullvad, ProtonVPN, and IVPN teams spent even longer getting ad block support integrated. It still doesn't make it a priority, sorry.

      I said "anti censorship", and you went GFW

      Nice goalpost shift but, no. You jumped in here offended that I called your non-VPN that, claiming it was mere 'opinion', and when I listed numerous properties of real VPNs for which the VPN is the priority, you cherry-picked one and decided to posture about irrelevant apps you've built elsewhere like it grants some sort of authority.

      as this thread is getting derailed

      Would be nice if you thought of that before you decided to make it about your project.

        matchboxbananasynergy That's fair. My question was answered days ago actually. I definitely didn't expect a one-liner comment I made then to cause this much engagement.

        @matchboxbananasynergy Actually, I wouldn't mind if the VPN-over-VPN discussion was split out into a separate thread from mine, since it had nothing to do with my thread. Many of the questions in my original post are still unanswered, but I guess many would not feel encouraged to answer them even if they know the answer, since there is an unrelated heated debate going on here.

        But I guess I will be able to answer most of those questions myself whenever the release is finally made, in case no one actually knows.

        12 days later

        ignition Chaining VPN connections is supported. Using local filtering at the same time as a VPN is supported. You're simply wrong about these things. Your issue is that you're using apps not supporting it. It has nothing to do with profiles and it wouldn't make any sense for secondary profiles to go through the Owner user VPN as an additional layer. It goes against the whole purpose of profiles of acting as separate devices as well as they can on the same device. Nesting VPNs is entirely possible and something VPN apps can support already. They can provide configuration for this inside the app or simply support chaining through multiple providers as the default approach. Some apps do support this in some form such as bridge support for Tor which is essentially exactly that provided in a specific way.

        The current compromise often recommended is a not particularly intuitive hack offered by some firewall apps that have secondary VPN functionality but you forfeit expedient location changes and now have to place your trust in them to not introduce subtle bugs that break the VPN, a big ask for something of secondary concern to them, while they're focused on building out their firewall/dns features. Even worse, this compromise is off the table if you rely on the anti-censorship/obfuscation measures the full VPN provides.

        No, there are apps with first class VPN support in addition to first class filtering support. Apps can support chaining VPN connections too. None of this is relevant to profiles and is something VPN apps need to provide. Most of these apps focusing on 1 specific thing instead of providing everything users want from a VPN app is because almost none of them are trying to make a high quality Android VPN app. Most are simply adding Android support to an existing project and use the VPN service feature for it without considering what makes a good Android VPN service app. There are a few apps trying to provide a good Android VPN service app and fulfilling multiple use cases at once.

          Probably9857 No need to apologize. The user you're responding to has derailed multiple threads with their grievances about unrelated things, attacking GrapheneOS and other projects for illogical reasons. They were permanently suspended for doing this same thing in another thread in a much more severe way.

          Viewpoint0232 You can use both a Private Space and a work profile at the same time so you don't need to choose. Private Space doesn't depend on a management app and provides more built-in functionality since it's not tied to one. It's not currently possible to have multiple Private Spaces but it could be added and it's something we could do in the future, but the UI would need to be figured out to properly differentiate between them in the same way the Private Space is differentiated from a work profile.

            GrapheneOS I'm just sad that I have to use up more than 3 VPN device slots with my provider just on a single device.

              Rizzler if it really bothers you, depending on what VPN provider you use, you can download an OpenVPN config and use the OpenVPN app.

              All VPN providers I have tried, don't bother attempting to limit consecutive OpenVPN connections (at least, not when made in the way described above). It's probably more work than it's worth, I imagine.

              I'm not vouching for the speed or the security etc, of this method though. In fact I'm pretty sure the only VPN app advised by GrapheneOS is the Official WireGuard app.

              I guess another method could be to use your home router, if it has the functionality. When at home, you could leave all the VPN slots without a VPN and connect your router to a VPN via a downloaded WireGuard config. Then when not at home, you could set up a VPN server on your router and make separate configs for each profile etc etc, I think you get the point by now...

              Personally, I like having separate VPN slots for each profile as it helps with keeping them isolated.

              @Rizzler mind me asking what VPN you use? Or how much it costs per month?

              Edit: Actually, maybe leave it as I'm just going to derail the thread more with stuff that isn't really relevant to the topic. The reason I asked is because I find it hard to believe it could end up costing you that much extra by taking up a couple extra VPN slots

                roamer4223 please feel free to delete my last message (and this one) if you feel I have derailed the thread again after the official GrapheneOS account pretty much brought the entire VPN matter to a close. I really didn't think before commenting, sorry

                roamer4223 Hey, thank you for the detailed info. I use Mullvad with the WireGuard app. It may actually work with profiles, cuz I don't have two profiles open at the same time usually.

                6 days later

                Sorry if this has been asked, I've searched and the focus seems to be on VPNs. Can apps communicate between main and private space?

                  r134a

                  Do you have a source for that? Everything I've seen about it has been kind of ambiguous.

                    Probably9857

                    You are right actually, documentation is actually written pretty ambiguously. I was under the impression that private space would be an isolated environment. I still assume it is.

                    I've read https://developer.android.com/about/versions/15/features#private-space.

                    The private space uses a separate user profile

                    I assume that apps can't communicate between user profiles, at least not how user profiles are currently implemented in GOS.

                    The system sharesheet and the photo picker can be used to give apps access to content across spaces when the private space is unlocked.

                    This is written ambiguously in my opinion, is it only system sharesheet and photopicker which can give apps access to content across spaces? I assume this is only possible after user interaction first? At least I hope so. So can apps communicate, or can they access content after user interaction first. I hope and assume the latter.

                    Apps in the private space show up in a separate container in the launcher, and are hidden from the recents view, notifications, settings, and from other apps when the private space is locked.

                    Hmm, only when locked?

                    When a user locks the private space, the profile is stopped. While the profile is stopped, apps in the private space are no longer active and can't perform foreground or background activities, including showing notifications.

                    I guess it's safe to assume that in a locked state, apps can't communicate between spaces. However I'm not so sure anymore what is actually the case in an unlocked state.

                    This is based on AOSP, and the implementation in GOS might be slightly different, i.e. more secured.

                    @Graphene1 Apologies, I should take back that 'no'. I hope a developer can chime in and give a definitive answer.