GrapheneOS Are there any good use cases to using user profiles now that Private Spaces is out? I'd like to know the pros and cons.

    GrapheneOS GrapheneOS users choose to use the OS in different ways. A lot of people largely use open source apps and not sandboxed Google Play. Others use sandboxed Google Play in their main profile. Many use sandboxed Google Play in a dedicated profile to choose which apps use it.

    Hi, could you please better explain "not sandboxed" google play store? I know that any google softwares in GrapheneOS run sandboxed and without elevated privileges, so non sandboxed play store is confusing me.
    Thanks

      Hey, sorry english is not my first language and I am sorry in advance for poor wording. First of all, thank you for the A15 update and I really appreciate the work done in past few days by all devs. I am really liking the new Private Space feature and planning to replace 'Payments', one of my secondary profile with it which I use most.

      My bank applications requires Play services, so I had to install them in a separate secondary profile. I tried out the Private Space with one of my bank app and play services installed in Private Space, it failed. Reason : My bank application verifies mobile number by sending an SMS from the registered mobile number to their server. But, as there is no SMS application installed in Private Space, I tried Fossify SMS from playstore, it installed but refused to open.

      Request : Could you please add AOSP SMS/Messages application in Private Space as you have already added other GOS apps.

        An idea on how to utilize them: If you want to edit a file, but don't leave any remnants or trace of it afterwards, until now you'd have to erase the whole user profile the file was saved in. Doing that with a private space should be much easier, but provide a similar level of protection against threat actors which might get access to your device after the fact.

        • Edited

        @GrapheneOS How does the security of the isolation between different user profiles compare to the isolation of a private space inside a user profile?

          hi,
          I currently have the problem that I cannot reinstall protonvpn in Private Space. It does not install via F-Droid and APK and Aurora Store report package conflicts (although I had temporarily uninstalled the app in the main profile). Is there a way to route the traffic from Private Space through my VPN in the main profile?

          Thanks in advance.

            fxnn It's similar, but they run within the same overall SystemUI and also have a shared clipboard. We can likely easily add a toggle for isolated clipboard but it's still less separate than users due to shared UI. We haven't checked exactly how an accessibility service in Owner interacts with a Private Space, but that's one example of a case where it would be much less isolated.

            It doesn't look like users other than Owner can create Private Spaces. I only use the Owner for app installation and updates and everything else happens in a main user profile. Would it be possible to add Private Space functionality to non-Owner users?

              @randallont The claim on Reddit is unsubstantiated and doesn't make any sense. The described symptoms are a low level hardware failure that's not possible to trigger with software bugs alone. There is no real risk of bricking the phone at a low level using Private Space. It could trigger OS bugs but it's not going to break the hardware, and we haven't seen any indication of any kind of corruption or other issue triggered by it anywhere. News organizations spreading unsubstantiated and unverified claims based on anecdotes on social media are irresponsible spam sites.

              Hawk_Tuah F-Droid incorrectly reuses app ids for their own builds signed with their own keys. You can't install multiple variants of an app with the same app id such as app.organicmaps from the Play Store and app.organicmaps from F-Droid in separate profiles because the OS enforces key pinning across profiles. Each variant of an app SHOULD have a separate app id such as how our Play Store releases of our apps use a suffix (app.grapheneos.camera.play instead of app.grapheneos.camera). You're likely trying to install different variants from what you have elsewhere. The version also has to be equal or greater than what you already have installed. It works the same as a work profile or user profile in this regard.

                Hawk_Tuah
                fortunately it seems to be a rare occurrence similar to the android 14 storage bug with multi users that only effected some pixel 6 devices.

                  randallont The described symptoms are a hardware failure, not data corruption. GrapheneOS was not impacted by those series of data corruption bugs due to having newer kernel LTS revisions with the patches for them. We've also avoided shipping any serious data corruption regressions impacting any significant number of users in the newer kernel LTS revisions, which is something we're always worried about. The LTS kernel revisions have very poor testing and the f2fs changes scare us. We're cautious about them.

                  • Edited

                  @GrapheneOS Is it possible to install apps into private space from the personal space as described here:

                  https://support.google.com/android/answer/15341885?hl=en

                  In “All Apps:”

                  1. Touch and hold an app.
                  2. Tap Install app in Private space.
                  3. To complete the installation, follow instructions on the installer app.
                  4. The new instance of the app is installed. The previous instance isn’t copied or modified.

                  I wasn't able to find "Install app in Private space". If this isn't possible rn, is there another way to install apps into private space from personal space?

                    d0ckR

                    If there is no SMS app and possibly no phone app in the private profile, what about apps who ask for phone permission?

                    Will those apps still be able to read the sim cards phone number if phone permission is granted?

                      GrapheneOS I had uninstalled protonvpn again, cleared aurorastore and droid-ify cache and memory and tried to install protonvpn in the main profile via aurorastore. Again, it still gives “Conflict with existing package INSTALL_FAILED_UPDATE_INCOMPATIBLE: Existing package ch.protonvpn.android signatures do not match newer version;ignoring”

                      Is there a way to delete the old signatures?