Android 15 Private Space | Please Explain

Android 15 comes with a new feature called Private Space. It allows users to isolate certain apps/data within a user profile. Allegedly it uses a second user profile for this, or at least it is very similar. Being a long-time fan of GrapheneOS and its user profile feature, I would like to know what the community recommends regarding this new feature. Is it any good?

I would like to know a little more about how this feature works. Primarily, does GOS support Private Space or will it in the future? Second, does it really take up a user profile slot (out of the 32 available)? Is it true that I can have a Private Space in any real user profile?

Is it better for security/privacy to use Private Space or keep things in a second user profile? My understanding is that user profiles are for identity separation, not security. So if I want to have a second identity on my phone (say personal and work) then it makes sense to separate them. Private Space is a weird mix. A profile within a profile. So what do you think about this? Is it just a convenience feature to be able to run the same application twice and a second layer of protection for sensitive applications?

Thanks!

    ttmp12 Is it any good?

    It is easier to use than a secondary user, and far more convenient, while only being slightly less secure than a secondary user. But private space seems to lack some features secondary users have, like the ability to transfer files to and from a computer using MTP. And in GrapheneOS it is still a little buggy, but I guess it will work well a month from now when most bugs have been fixed.

    ttmp12 Primarily, does GOS support Private Space or will it in the future?

    It will in the future. More exactly, it will starting 2-5 days from now. The feature is very close to being released.

    ttmp12 Second, does it really take up a user profile slot (out of the 32 available)?

    I don't think so. Either way, taking one slot out of 32 shouldn't be a problem. More concerning maybe is that you can only have 3 profiles running simultaneously. The owner profile and 2 others. If you set your private space to keep running when the main profile is locked, it will take one of those slots, so you can only have a single secondary user logged in at the same time.

    ttmp12 Is it true that I can have a Private Space in any real user profile?

    No. You can only have a private space in the owner profile.

    ttmp12 Is it better for security/privacy to use Private Space or keep things in a second user profile?

    Secondary users are more secure. Private space is mostly a convenience feature, having similar security as a secondary user while being far more convenient to use.

    ttmp12 My understanding is that user profiles are for identity separation, not security. So if I want to have a second identity on my phone (say personal and work) then it makes sense to separate them. Private Space is a wired mix. A profile within a profile. So what do you think about this?

    Secondary users are better for security domain isolation, or identity isolation as you say. A private space is pretty isolated from the main profile, but the clipboard is shared, which is in breach of what security domain isolation should provide. No other issues are known with private space, but we are not entirely certain yet about exactly where the isolation boundaries go.

    Actually, not even secondary users are perfectly isolated from each other. They can voluntarily communicate with each other using localhost TCP or UDP connections. IMO that is a security vulnerability as it breaks the expected isolation boundaries of secondary users. But for private space we still don't know exactly where the boundaries are intended by Google to go, and even less where GrapheneOS interprets that they should go.

    ttmp12 Is it just a convenience feature to be able to run the same application twice and a second layer of protection for sensitive applications?

    I would say private space is far more similar to a secondary user than app cloning and similar provided by other Android based systems.

    Hope these answers bring some clarity.

      Thank you for your reply. There are some things I want to get back to you on:

      ryrona I don't think so. Either way, taking one slot out of 32 shouldn't be a problem. More concerning maybe is that you can only have 3 profiles running simultaneously. The owner profile and 2 other. If you set your private space to keep running when main profile is locked, it will take one of those slots, so you can only have a single secondary user logged in at the same time.

      What exactly do you mean? Which 3 profiles do you mean? I can run many user profiles on GrapheneOS. Many more than 3. Can I only run 3 Private Spaces, or can I only run 3 user profiles if I use the Private Space feature on one of those profiles?

      ryrona Secondary users are more secure. Private space is mostly a convenience feature, having similar security as a secondary user while being far more convenient to use

      How is encryption/protection handled? Is it different from user profiles? In other words, what are the exact security/privacy tradeoffs?

      ryrona Secondary users are better for security domain isolation or identity isolation as you say. A private space is pretty isolated from the main profile, but clipboard is shared which is in breach of what security domain isolation should provide. No other issues are known with private space, but we are not entirely certain yet about exactly where the isolation boundaries goes.

      This answers my second question. Thank you very much. Who are you referring to when you say "we are not entirely certain"? Are you a developer, community member, etc.?

      ryrona I would say private space is far more similar to a secondary user than app cloning and similar provided by other Android based systems.

      Will application cloning be supported on GrapheneOS? Or is Private Space the new way to do something similar?

        ttmp12 Which 3 profiles do you mean? I can run many user profiles on GrapheneOS. Many more than 3.

        But not at the same time. When you switch to the fourth one, the apps running in one of the other ones will be stopped (and won't get notifications).

          ttmp12 What exactly do you mean? Which 3 profiles do you mean? I can run many user profiles on GrapheneOS. Many more than 3.

          Reboot your phone. Log in to the owner profile when prompted. Now switch to a secondary user and log in to that; now switch to yet another secondary user and log in to that. Now you are logged in on 3 profiles: owner and two secondary users. You can now happily switch between them. If you have fingerprint unlock enabled, you can unlock using fingerprint alone when switching. If you have open apps with unsaved changes, those apps are still open with your unsaved changes when you come back; if you have notification sharing between the profiles, you get notifications from them all.

          But now, switch to another secondary user that you still haven't logged in to. Log in to it. Now, notice how the one of the two other logged-in secondary user profiles that was least recently switched to got logged out and shut down completely. If you try to switch back to it, you cannot use fingerprint to unlock, but need to put in the encryption PIN/password. Notice how, if you do log in to it again, any unsaved changes have been lost. And even if you do not switch back to that user profile, notice how you are no longer getting notifications from it. It was completely shut down.

          This is what I mean when I say that you can only be logged in to three user profiles at the same time. Repeat the experiment with private space set to lock on phone reboot, and you will notice it takes up one of those three slots too.

          ttmp12 How is encryption/protection handled? Is it different from user profiles? In other words, what are the exact security/privacy tradeoffs?

          At least assuming you select to use separate credentials for your private space when setting it up, it will have files and app data separately encrypted in the same manner as a secondary user. GrapheneOS developers have confirmed this.

          This means private space unlocking will be protected with its own weaver slot for unlock attempt throttling, and assuming you have set a strong password, not even the most advanced adversary can break into your private space, even if they get hold of your phone when the main profile is unlocked and they immediately disassemble your phone to get access to the still powered-on raw chips. As long as your private space is locked, that is.

          So this is the same as for secondary users.

          The privacy tradeoffs are rather about what apps can do, not a physical adversary. As I mentioned, the clipboard is shared between the main profile and private space, so apps in the private space can read text you copied in your main profile and the other way around.

          ttmp12 Who are you referring to when you say "we are not entirely certain"? Are you a developer, community member, etc.?

          Community member and beta tester.

            de0u But not at the same time. When you switch to the fourth one, the apps running in one of the other ones will be stopped (and won't get notifications).

            GrapheneOS limits the number of active user profiles to three? This is the case outside of the Private Space feature and is the default for all devices? Please confirm. I was not aware of this!


              ryrona Reboot your phone. Log in to the owner profile when prompted. Now switch to a secondary user and log in to that; now switch to yet another secondary user and log in to that. Now you are logged in on 3 profiles: owner and two secondary users. You can now happily switch between them. If you have fingerprint unlock enabled, you can unlock using fingerprint alone when switching. If you have open apps with unsaved changes, those apps are still open with your unsaved changes when you come back; if you have notification sharing between the profiles, you get notifications from them all.

              But now, switch to another secondary user that you still haven't logged in to. Log in to it. Now, notice how the one of the two other logged-in secondary user profiles that was least recently switched to got logged out and shut down completely. If you try to switch back to it, you cannot use fingerprint to unlock, but need to put in the encryption PIN/password. Notice how, if you do log in to it again, any unsaved changes have been lost. And even if you do not switch back to that user profile, notice how you are no longer getting notifications from it. It was completely shut down.

              This makes it so much clearer to me! Thank you so much. I was not aware of the three active user profile limit.

              ryrona This is what I mean when I say that you can only be logged in to three user profiles at the same time. Repeat the experiment with private space set to lock on phone reboot, and you will notice it takes up one of those three slots too.

              So if I use the Private Space feature in the Owner profile, I have two active running profiles. The owner profile itself + the owner's Private Space. Therefore, I could only use one other active slot, which would be a secondary user profile. This way, I would not be able to easily switch between secondary user profiles because there is no fourth free slot. When switching in such a setup, I would always shut down my previous secondary user profile. Is this correct? Please confirm.

              Is this an Android, GrapheneOS, or device limitation? Are there any plans to increase the number of active users in the future? Why is there a limit at all? Is 3 active users the default for all Pixel devices?

              ryrona At least assuming you select to use separate credentials for your private space when setting it up, it will have files and app data separately encrypted in the same manner as a secondary user. GrapheneOS developers have confirmed this.

              Where? Can you please point me to the developers' confirmation?

              ryrona This means private space unlocking will be protected with its own weaver slot for unlock attempt throttling, and assuming you have set a strong password, not even the most advanced adversary can break into your private space, even if they get hold of your phone when the main profile is unlocked and they immediately disassemble your phone to get access to the still powered-on raw chips. As long as your private space is locked, that is.

              That's why I'm asking if the new Private Space feature will be treated as a secondary user profile. Titan M2 is amazing and brings great benefits. That's what I was looking for. Good explanation! Thank you very much!

              ryrona The privacy tradeoffs are rather about what apps can do, not a physical adversary. As I mentioned, the clipboard is shared between the main profile and private space, so apps in the private space can read text you copied in your main profile and the other way around.

              Thanks for the information! Clipboard access is only granted to the focused application, right? Is there an auto-clear feature for the clipboard? Or is the best way to clear the clipboard contents to focus a trusted application and copy something new that is generic/non-sensitive?

              ryrona Community member and beta tester.

              Thank you for testing! Thanks for helping the community!

                ttmp12 GrapheneOS limits the number of active user profiles to three? This is the case outside of the Private Space feature and is the default for all devices?

                I have never run the experiment, but that is the persistent rumor on the street.

                RAM on the devices is not infinite, so the system includes complicated heuristics for shutting down apps (even if only one profile is active). Battery life is also not infinite, so having many apps running in profiles that are not visible is probably not a good idea. Since each profile can have its own VPN client, each active profile sort of implies that at least the VPN client is active.

                My understanding is that the limit on the number of active profiles comes from AOSP and has not been adjusted upward by GrapheneOS. Google might raise it at any time (or replace the active-profile limit with a different approach), or GrapheneOS might raise it. Perhaps Google raised the number to four due to Private Spaces, or perhaps it is 3 + 1. If they didn't make either change, they might do so next month!
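As an added illustration for the three-running-users experiment ryrona describes above and de0u's point that the limit comes from AOSP (the framework resource is `config_multiuserMaxRunningUsers`, which AOSP's default config sets to 3; whether a given device or GrapheneOS build overrides it is not something this thread establishes), here is a small POSIX shell helper that is not part of the original discussion. It parses the output of `adb shell pm list users`, where each user or profile is printed as `UserInfo{<id>:<name>:<flags>}` followed by the word `running` only if that user is started, and counts how many are running. The sample text, the user names in it, and the function names `parse_users`, `count_running`, `check_running_limit` and `live_user_states` are all my own constructions; the live function additionally calls `adb shell am get-started-user-state <id>`, which reports a started user's state (for example `RUNNING_UNLOCKED` or `RUNNING_LOCKED`) and needs a connected device with USB debugging.

```shell
#!/bin/sh
# Added example (not from the thread): inspect which Android users are
# currently running, to reproduce the "three running users" observation.
#
# `adb shell pm list users` prints one line per user/profile of the form
#     UserInfo{<id>:<name>:<flags-hex>} running
# with the trailing word "running" present only for started users.
# The sample below is constructed to mimic that format; the names are made up.
SAMPLE_PM_LIST_USERS='Users:
	UserInfo{0:Owner:c13} running
	UserInfo{10:Work:1030} running
	UserInfo{11:Travel:410}
	UserInfo{12:Banking:410} running'

# parse_users TEXT
# Emits one line per user: <id><TAB><name><TAB>running|stopped
parse_users() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        /UserInfo[{]/ {
            s = $0
            sub(/^[ \t]*UserInfo[{]/, "", s)   # drop everything up to the brace
            sub(/[}].*$/, "", s)               # drop the "} running" suffix
            split(s, f, ":")                   # f[1]=id f[2]=name f[3]=flags
            state = ($0 ~ /[}] running/) ? "running" : "stopped"
            printf "%s\t%s\t%s\n", f[1], f[2], state
        }'
}

# count_running TEXT -> number of users in the running state
count_running() {
    parse_users "$1" | awk -F '\t' '$3 == "running" { n++ } END { print n + 0 }'
}

# check_running_limit TEXT LIMIT -> "ok:<n>/<limit>" or "over:<n>/<limit>"
# AOSP's default limit is the config_multiuserMaxRunningUsers resource (3).
check_running_limit() {
    n=$(count_running "$1")
    if [ "$n" -gt "$2" ]; then
        printf 'over:%s/%s\n' "$n" "$2"
    else
        printf 'ok:%s/%s\n' "$n" "$2"
    fi
}

# live_user_states: run against a real device (needs adb and USB debugging).
# For every user listed by `pm list users`, also ask the activity manager for
# its started state; a stopped user yields an error line instead of a state.
# Not exercised offline.
live_user_states() {
    parse_users "$(adb shell pm list users)" |
    while IFS="$(printf '\t')" read -r id name state; do
        am_state=$(adb shell am get-started-user-state "$id" 2>&1 | tr -d '\r')
        printf '%s (id %s): %s / %s\n' "$name" "$id" "$state" "$am_state"
    done
}

# Stand-alone demo on the constructed sample (no device needed).
parse_users "$SAMPLE_PM_LIST_USERS"
check_running_limit "$SAMPLE_PM_LIST_USERS" 3
```

To repeat the experiment from the thread, run `live_user_states` after each profile switch and watch which user drops from the running set; a private space that stays unlocked shows up as a separate user id in the same list, so its effect on the count is visible directly.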

                  ttmp12 So if I use the Private Space feature in the Owner profile, I have two active running profiles. The owner profile itself + the owner's Private Space. Therefore, I could only use one other active slot, which would be a secondary user profile. This way, I would not be able to easily switch between secondary user profiles because there is no forth free slot. When switching in such a setup, I would always shut down my previous secondary user profile. Is this correct? Please confirm.

                  Yes, correct. As long as the private space is configured to lock (i.e. shut down) on phone reboots. The default is that the private space is locked (i.e. shut down) whenever the owner profile is locked. In that case, it seems the private space does not count towards the limit at all.

                  ttmp12 Where? Can you please point me to the developers' confirmation?

                  I don't remember where. Sorry.

                  ttmp12 Thanks for the information! Clipboard access is only granted to the focused application, right?

                  I don't know. But GrapheneOS will pop up a notification whenever an app reads the clipboard, so you are alerted about what app just did that. So if you never get such notifications, you can feel confident no app is spying on your clipboard.

                  But there is always the risk of you yourself accidentally pasting sensitive content from another profile into the wrong app.

                  ttmp12 Is there an auto-clear feature for the clipboard? Or is the best way to clear the clipboard contents to focus a trusted application and copy something new that is generic/non-sensitive?

                  I have noticed myself that there does not seem to be any auto-clearing, not even clear on paste. So I always copy some generic word afterwards to clear the clipboard.

                    de0u Thanks for the explanation and clarification. I think a user who is technical enough to use multiple user profiles should be able to decide how many of those profiles to keep running. So the only technical limitation should be RAM. Battery tradeoffs should be managed by the user.