some questions regarding the new "private space" feature

rarelyrare

There is a new Private Space feature that came out in Android 15.

Does private space work like a work profile?

Where files are seperate even if you gave a file manager full access to files on that profile?
Apps in private space can't see apps outside private space?
VPN connections inside private space only happen inside the private spaces apps if you have a VPN app running in the private space?
Google play services installed inside private space can't touch apps and all in main?

I haven't used private spaces yet so I don't know if you can backup the private space inside the normal backup area and have it all in 1 backup file. Because when you use a seperate work profile you have to backup and restore that seperately.

My all around question I guess is should I switch from using work profile for my Google play services required apps and apps I don't want on my main profile, or is it a lot different than work profile?

ryrona

rarelyrare Where files are seperate even if you gave a file manager full access to files on that profile?

Yes, they are separate. No app running in private space, no matter what permissions you gave them, can access files in main profile. And same other way around. In fact, they cannot even see the existence of files cross-profile.

But you as the user can grant an app running in private space temporary access to a single file in main profile, and other way around, using share file functionality or the file picker. The share file functionality and file picker are privileged system components only you as the user can interact with, no app can use them by themselves, so you are still in full control about what files you share or send cross-profile.

rarelyrare Apps in private space can't see apps outside private space?

True, they cannot. And same other way around.

Only Settings app and Launcher in main profile can see apps in private space, but they are privileged system components. Regular apps cannot. Or so I heard, I haven't tested it myself yet.

rarelyrare VPN connections inside private space only happen inside the private spaces apps if you have a VPN app running in the private space?

True, the main profile and private space have their own VPN slots. So if you configure a VPN only in the private space, all private space apps will use the VPN, but no apps in main profile would.

rarelyrare Google play services installed inside private space can't touch apps and all in main?

True, it cannot. Google Play Services is just a regular app with no special permissions at all. So just like no other app in private space can talk to apps in main profile, Google Play Services also cannot.

But there is a known bypass bug where an app can use localhost connections to communicate with apps running in other profiles that agree to that, but as far as we know Google Play Services is not exploiting this bug.

rarelyrare My all around question I guess is should I switch from using work profile for my Google play services required apps and apps I don't want on my main profile, or is it a lot different than work profile?

The GrapheneOS project just recently made an official
announcement recommending to use private space instead of work profile, because private space has better security and privacy than work profiles, while also offering better system integration.

rarelyrare

ryrona announcement recommending to use private space instead of work profile, because private space has better security and privacy than work profiles

I wanted to switch but then i noticed that i can't add shortcuts from private space apps on homescreen which work profiles actually had ability to do. Hopefully android or maybe graphene if possiblez adds the ability to add homescreen shortcuts in the future.

Open_Source_Enjoyer

ryrona But there is a known bypass bug where an app can use localhost connections to communicate with apps running in other profiles that agree to that, but as far as we know Google Play Services is not exploiting this bug.

How to we know if an app is exploiting this?
Are they plans to fix this bug?

ryrona

Open_Source_Enjoyer How to we know if an app is exploiting this?

I don't know. Theoretically one could make an app that scans for open localhost ports I guess.

Open_Source_Enjoyer Are they plans to fix this bug?

I am a bit uncertain about that. A proper fix would be very hard, as the networking layer in Android would have to be reworked from scratch. It is quite poorly done, which is also why we had VPN leaks and such. But maybe a blacklist approach could be implemented that block the connections if cross-profile. It may still have side channel leaks though, so still bypassable by an app trying really hard.

Either way, I know it is not a priority, so we won't see a fix for at least a year, probably not in many years. Maybe if malicious apps actually start exploiting this design flaw in the network layer we might see it becoming higher priority. As far as I know, it is only exploited by a few apps that implements a way for the user to share files between user profiles, so with good intentions. But such file sharing should be provided by the operating system itself, apps should not be able to communicate cross-profile.

Open_Source_Enjoyer

Carlos-Anso There are various port scanning apps available where you can scan for open ports on localhost 127.0.0.1
For example
https://github.com/CodeDead/Advanced-PortChecker-android

Thank you, does this app only show if a app open a port, or also which other app is connecting to this?

Open_Source_Enjoyer But there is a known bypass bug where an app can use localhost connections to communicate with apps running in other profiles that agree to that, but as far as we know Google Play Services is not exploiting this bug.

Isn't the network permission required to create a localhost?
I assume this because app who rely on creating a localhost crash if they don't have a network permission.

Open_Source_Enjoyer

ryrona I don't know. Theoretically one could make an app that scans for open localhost ports I guess.

So it could be detected if an app does this and it can not hide this activity?

ryrona I am a bit uncertain about that. A proper fix would be very hard, as the networking layer in Android would have to be reworked from scratch. It is quite poorly done, which is also why we had VPN leaks and such. But maybe a blacklist approach could be implemented that block the connections if cross-profile. It may still have side channel leaks though, so still bypassable by an app trying really hard.

Either way, I know it is not a priority, so we won't see a fix for at least a year, probably not in many years. Maybe if malicious apps actually start exploiting this design flaw in the network layer we might see it becoming higher priority. As far as I know, it is only exploited by a few apps that implements a way for the user to share files between user profiles, so with good intentions. But such file sharing should be provided by the operating system itself, apps should not be able to communicate cross-profile.

Thank you for the explanation.
I hope that its possible to find a solution for this.

ryrona

Open_Source_Enjoyer So it could be detected if an app does this and it can not hide this activity?

Yeah, it should be possible to detect, since the app need to open a localhost port, which any other app in any user profile then can connect to. They should be able to detect the difference of a port that is not open, and a port that is open (whether connection was refused or not).

Carlos-Anso

Open_Source_Enjoyer So it could be detected if an app does this and it can not hide this activity?

There are various port scanning apps available where you can scan for open ports on localhost 127.0.0.1
For example
https://github.com/CodeDead/Advanced-PortChecker-android