• Edited

dext Do I understand correctly, that locking the private space is an equivalent of stopping a user profile? This means that after locking, apps in private space won't run and receive notifications?

That's correct.

dext So if I'd use Play Services on both, the only benefit would be a separate VPN, right? It doesn't make sense to use it to add extra protection for some critical apps, like e-mail, banking, gov id, etc.?

You can use it for its two use cases, 2 separate VPNs and sensitive applications in Private Space, it's also useful for users who don't want to install Google play services in the main profile, even though it runs completely sandboxed with no privileged access in GrapheneOS.

Private space is a more powerful and efficiant workspace, it doesn't require a third-party application and isolation is much more robust.

Is it possible to have several Private Spaces in the same profile, the main one?

    Is Private Space limited to the default launcher, or is there a way to access from a custom launcher?

      What is the process of installing the same app in both owner and private space, to avoid signature/versioning conflict? I dont see an "Install available apps"-feature like in theuser profile management menu.

        A few questions

        Will there be a way to sync apps or update them locally, how Shelter allows with the work profile?

        Will private space apps be possible to be placed on the home screen?

        If there will be a permissions to lock syncing the clipboard, what is the difference to a work profile here? Would this work here too?

        Couldnt the work profile be used just like the private space, without needing to fully trust a 3rd party, possibly outdated app?.

        In some 15 alpha versions there was a context menu for adding apps to the private space. This is now gone. Was this a bug, will it be added back?

          Hawk_Tuah is it maybe installed in other profiles? You have to uninstall it from all of them.

            privsec

            privsec what about apps who ask for phone permission?

            most likely they also will not work. Without phone permissions and SMS permissions, banking apps are rendered useless in Private Space. Also, those applications which required offline database are also problem on Private Space as I cannot use cable for data transfer from my PC. Syncing over the network is alternative. But, transfer of 50-60 GBs files on the wifi seems too slow, plus deleting private space will delete offline data and will have to repeat it from scratch.
            I liked the feature and idea of accessing the apps which i had to store on another profile from Owner profile itself, but ig i will have to continue to install separate user profiles for my needs.

            Can apps in Private Space know what apps I have in the owner profile, or vice versa?

              fxnn is there another way to install apps into private space from personal space?

              matchboxbananasynergy Simply install the app stores you want in the private space and install the apps as you would normally.

              TrustExecutor What is the process of installing the same app in both owner and private space, to avoid signature/versioning conflict? I dont see an "Install available apps"-feature like in theuser profile management menu.

              missing-root Will there be a way to sync apps or update them locally, how Shelter allows with the work profile?

              As of now, it doesn't seem possible to set up a Private Space in a manner that doesn't put any trust in the local network - you cannot move your VPN app there in the same way as you can do it for separate profiles from Owner. You would need to use Vanadium inside Private Space to download an APK.

              Note for high threat models: Vanadium (and other apps in Private Space) might ping GOS' servers directly as PS has its own VPN slot. Bear that in mind if your threat model includes ISP not knowing that you use GOS.

              I think I tried every possible method to see if it's technically possible. Files app inside PS is not capable of viewing a usb stick.

              The closest I got to installing an app from Owner to Private Space: have .APK downloaded in Owner > go to Files > long press the file > tap on three dots > open with > Private > Installer (inside PS). Selecting it doesn't do anything. Might be a bug. It would be a decent workaround.

                • Edited

                @GrapheneOS Maybe dumb question: apps inside the Private Space can’t see what other apps are installed in the main profile right? Like it is in user profiles?

                  IcyScroll Private space can still access localhost so you could share the vpn apk file with a http server app in the Owner profile and then open it in the private space with vanadium (with wifi/internet disabled).

                  Hmm
                  Also can app in the owner profile see what apps I have in Provate Space?

                    @GrapheneOS Could you please give an option to hide that +Install button in the private space. It doesn't need to always be there. Its not there in the main profile or work profiles either. You just open the app store of choice to install apps. Also, if i use aurora store for example and press the + sign i can't select it.

                    I have installed Google related apps, banking apps, and WireGuard in my private space.
                    I am very happy to have all of my invasive apps together in a tightly isolated space.
                    I have nothing but gratitude for the GrapheneOS developers.
                    I will be donating money to the cause.

                    I hope that someday there will be the ability to impose restrictions on clipboard sharing.
                    Thank you.

                      Renewably3997

                      I can't tell whether apps (including Sandboxed Google Play) in the Owner Profile can see those in the Private Space and vice versa.

                      But apparently you can not only work with two different Google accounts ( if your setup requires Google Play in Owner Profile and Private Space) Google also seems to encourage this:

                      Since private space is a completely separate space and profile on your device, it doesn’t automatically read the accounts in your main space. You need to sign-in to any accounts you want to use in private space, even if they’re already signed-in on the device. If you sign in to your private space with a Google Account that you use on your main space or any other device, some data will be available outside your private space. This includes data such as: Synced photos, files, emails, contacts, calendar events, and other data.
                      App download history and recommendations.
                      Browsing history, bookmarks, and saved passwords.
                      Suggested content related to your activity in private space apps.
                      To help prevent these kinds of unexpected leaks to your main space, it’s recommended you use a dedicated Google Account for your private space that hasn’t been signed in elsewhere.

                      source: https://support.google.com/android/answer/15341885#different_google_account

                        Hawk_Tuah You safed my day dude, I really forgot about the fact that I have 2 more profiles with protonvpn on my phone. Makes sense and now it works everything as intended. Thank you so much!

                        Best regards

                          The setup page for PS says, at least in Google stock OS: "Anyone that connects your device to a computer or installs harmful apps on your device may be able to access your private space". This doesn't occurs with separate profiles, that are not accessible from apps. Seems that PS is less secure than to have separate profiles, no?

                          • dext replied to this.