User/work/shelter profiles and Google Play Store app/services question

dimyself If you use the "end session" feature, the Google apps in that profile (or anything else for that matter) won't be running. The profile goes back to rest completely.

Now, as you're seeing the "Sandboxed Google Play is running" notification on your owner profile, there are only two things that I can think of as to why that is:

  1. You also have Sandboxed Google Play installed on the owner profile
  2. You use the notification forward feature and that notification was somehow forwarded from the secondary profile to the owner profile.

    I created a "naked" Owner profile, the one that starts with the phone. It has a total of six apps available: Apps, Clock, Filer, Messaging, Phone, and Settings. My user profile has all the goodies: Google Play, all my apps, etc. When I want to return to the "naked" profile, I simply hold the power button and touch "End Session." I have verified that nothing from my user profile runs in the background.

    I did this for a few reasons: 1) To create a very battery conservative profile. (Owner Profile); and 2) To add a layer of security to my phone. The Owner profile requires a Password and so does my User profile.

    CAVEAT
    ALL SMS reflects through the built-in Messaging app in the Owner profile and it's the ONLY app that will "forward" messages through the Owner profile to the User profile. I'd read this and thought it wasn't true, but after much experimentation and reading, it's a failure of the AOSP implementation that it relies on such an outdated app for texting. Also, I have a special Notification for incoming texts, but when text messages are "reflected" through the Owner profile, they appear in the User profile as a standard notification, not an inbound text, hence whatever special notification I set up in the Messaging app in the User profile, it never sounds, but instead, the default notification sounds.

    If you want a rich text application in a User profile, my experience has been that it's not possible... yet.

      matchboxbananasynergy I checked and I only have Google services framework installed on my owner profile (under "Work" apps).

      Under "Personal" apps on my owner profile, it does show Google Play, but it says "not installed for this user". I use Aurora and fdroid on my owner profile.

      Notification Forward was the default checked option when I set it up, so I left it checked. I still don't really understand what it's for. If the apps aren't working when the session is ended, why is the notification popping up on my owner profile saying "Play services are running"?

      Thanks again, I appreciate it!!

        dimyself The notification is generated and then passed on to the other profile while the profile in which sandboxed Google Play is active. (This is my guess)

        This would likely then persist even if you end session, as the notification was already forwarded.

        Furthermore, regarding the notification forwarding feature and its usefulness:

        While it's true that you can use the "End session" option to put a profile at rest, you can also not do that.

        If you unlock a profile and then switch to another one without ending that session, it's running in the background, and can forward notifications to whatever profile you're currently using to let you know that something's going on :)

          matchboxbananasynergy Thank you for the explanations, they help a lot!

          If I end session on my Play profile, then swipe and remove the notification in my owner profile....and then it comes back again on my owner profile (without me going back to my Play profile)...does this mean Play is still running somehow? Because that's happening to me and I'm not sure why the notification is still there after I remove it. It has happened a few times (though it's not showing now)... It is coming through gmsCompat.

          One other question please... If I keep my Play profile open (without ending), I assume that means whatever apps are active on that profile (Google Play, crypto.com app, etc.) will run with whatever permissions are allowed in the background even when I'm switched over to my owner profile (and also use extra resources)?

          Thank you!

            dimyself If I end session on my Play profile, then swipe and remove the notification in my owner profile....and then it comes back again on my owner profile (without me going back to my Play profile)...does this mean Play is still running somehow? Because that's happening to me and I'm not sure why the notification is still there after I remove it. It has happened a few times (though it's not showing now)... It is coming through gmsCompat.

            In order for me to get a better idea of exactly what you're experiencing, I'd need to know your exact setup, the notification forwarding settings of all of your profiles and what apps are installed there.

            If you end session for a profile, that profile is dead. It can't produce notifications.

            If you feel comfortable, you can send me a video of your setup and this behavior via Matrix (it has end-to-end encryption if you DM me - you can find my mxid in my bio) and I can take a closer look, however what you're describing doesn't sound possible.

            dimyself One other question please... If I keep my Play profile open (without ending), I assume that means whatever apps are active on that profile (Google Play, crypto.com app, etc.) will run with whatever permissions are allowed in the background even when I'm switched over to my owner profile (and also use extra resources)?

            That is correct, they'll still be active in the background, and they'll have access to the same permissions/resources.

              dcd-graphenediscuss Thanks for this, it gives me some ideas.

              Do you primarily use your naked owner profile or app profile? The reason I put Google Play (and Google services) in its own profile was for a few reasons. I only use it for 1 app that's required, I only want Play running when I update my crypto.com app (otherwise it's not needed), and because Play requires Network permission, I don't want Play constantly "phoning home" (in case it does) sending things to Google except when absolutely necessary.

              I feel like if I were to have an app profile, I'd always be logged into the app profile, since I'm constantly using apps (NewPipe, Fritter, different browsers, VLC, notes, chat/mail clients, etc.). Wouldn't that kind of defeat the purpose of a setup like you have?

              Why don't they update the SMS client? If it's that old, is it possible it could be a security weakness?

              You're saying if you set an app to forward notifications from your owner profile to your user profile other than your SMS app, it won't forward notifications?

              Are you saying they use the old SMS client, because if they were to use a newer SMS app, it wouldn't forward notifications from owner to a different profile due to an AOSP issue?

                dimyself I set up the "naked" Owner (Admin) profile for a few reasons:

                1. Enable a second layer of security between an intruder and my information. They must get through the Owner (Admin) profile in order to be able to access my User profile.
                2. The "naked" profile is set up with MAXIMUM battery optimization so that in case of an emergency, I can expect to have a phone available for as long as 30 days (depends on the model and the results of my tests).
                3. The "naked" profile is always able to send/receive phone calls and texts, so that's never a problem.

                I'm not sure about SMS and why AOSP hasn't changed or updated the app. It's terrible: bright green top, white background; absolutely nothing to customize; no GIFs... YUCK! And I'm not sure why an SMS in the Owner profile is sent to the User profile as a standard notification vs. an SMS text notification.

                For SMS, if you install a different SMS client, say Pulse SMS, QKSMS, etc., in the User profile and then disable the Messages app in the same User profile, you will NOT receive texts in the User profile. I've already tried that. I also installed QKSMS in the Owner (Admin) profile and QKSMS in the User profile, and I received no texts in the User profile. Kinda sucks if you ask me.

                Just to be clear, the ONLY SMS app that works is the Messages app in BOTH the Owner (Admin) profile and the User profile. That's it. That's the only combination I could find that actually worked.

                dimyself As for profiles, I installed Google Play Store (GPS) in the User profile but never logged in. I installed my apps through F-Droid (for my FOSS apps) and Aurora (for GPS apps).

                Even though GPS is installed, it has no privileges to view any data, so even if it could (and probably does) communicate to Google, Google is unable to associate any of the information it gathers with my userid. That's one of the HUGE benefits of GrapheneOS and sandboxed GPS. The ONLY privileges, permissions, and rights GPS has are those that it must request. Otherwise, it has no access to my data. For that reason alone, I don't see any security risk of having GPS available.

                As a side note, during my battery optimization techniques, I reset the Google Play Services Battery to Optimized from Unrestricted, and the ONLY permission it had was to read SMS so that an app would auto-fill verification codes from SMS texts, but now that I've installed everything I intended, I've removed the SMS permission. For verification of which permissions Google Play Services used, go to Settings > Apps > All Apps > Google Play Services > App permissions, and there you'll see which permissions it used and how long ago it used them.

                As a weird side note, the Discover credit card app wanted Google Play Services to have permission to my Contacts and the Phone. Discover doesn't explain why Google Play Services needs those permissions, so I denied them, but Discover still complains that it wants the Contacts and Phone through Google Play Services.


                  dcd-graphenediscuss Did you have to change anything in the permissions for GPS so it has no privileges?

                  matchboxbananasynergy Thanks! I'll see if I can reproduce it...if I remove the notification on my Owner profile by swiping it away, it doesn't come back right away and doesn't always come back, I don't think. But it has happened a few times now where I swipe it away, and later I come back to my phone and there it is again after I swiped it away.

                  Can you please tell me where I can find the notification forwarding settings? All I'm seeing is "Send notifications to current user". Is that what you're referring to?

                  Here are my profile setups:

                  Owner profile:

                  "Send notifications to current user": turned off

                  Has shelter setup with "Personal" and "Work" profiles:

                  • Personal apps (some, not all):
                    Apps (installed: Auditor, Apps, Camera (disabled), GmsCompatConfig, PDF Viewer)
                    Web browsers
                    Auditor
                    Shelter
                    Google keyboard (no permissions allowed)
                    fdroid
                    fdroid installed apps
                    crypto.com ("Not installed for this user" - installed on Google profile only)
                    Google Play ("Not installed for this user" - installed on Google profile only)
                    Google Play services ("Not installed for this user" - installed on Google profile only)

                  • App Personal Notifications:
                    Apps (all notifications turned on for Apps)
                    Messaging
                    fdroid
                    some fdroid installed apps

                  • Work apps
                    Apps (installed: Apps, GmsCompatConfig, Google Services Framework (for Google Camera) )
                    GmsCompatConfig (no permissions allowed)
                    Aurora Store,
                    Google Services Framework (for google camera) (no permissions allowed)
                    Google Camera (camera, microphone permissions)
                    Google keyboard
                    GmsCompatConfig (no permissions)

                  • App Work Notifications
                    Shelter
                    Apps (all notifications turned on for Apps)

                  Google profile:

                  Almost everything in this profile is default
                  "Send notifications to current user": turned off
                  GmsCompat notification in the drop-down menu of this profile: "Sandboxed Google Play is running"

                  App Notifications:
                  Apps (all notifications turned on for Apps)

                  Device & app notifications:
                  GrapheneOS launcher allowed (all checked/turned on)
                  Google Play services Not allowed (nothing turned on)

                  • Apps (no shelter profiles)
                    Apps (installed: Auditor, Apps, Camera, GmsCompatConfig, Pdf viewer, Google Play Store, Google Play Services, Google Services Framework)
                    Crypto.com app
                    Other default standard apps (like messaging, phone, etc)

                  • App permissions
                    Apps (network, notifications, sensors all allowed)
                    Auditor (network, notifications, sensors all allowed)
                    GmsCompatConfig (no permissions)
                    Google Play services (no permissions)
                    Google Play store (no permissions)
                    Google services framework (no permissions)
                    GrapheneOS launcher (notifications, sensors allowed)
                    Settings (all allowed)

                  • Sandboxed Google Play settings (under settings -> apps menu, but NOT in the apps list. Has its own menu)
                    Reroute location requests to the OS: turned on (should this be on or off?? This might be the setting causing the notification on my owner profile??)
                    Google Location Accuracy (turned off)
                    Geolocation: "location access is off for all apps"
                    Push notifications: "When device is idle, push notifications will be delayed to improve battery life."

                  Interestingly enough, while I was writing this out...I took a phone call, and after the phone call I noticed the GmsCompat notification is back: "Sandboxed Google Play is running"!! I hadn't rebooted at all, and I haven't opened my Google profile at all since I last swiped the GmsCompat notification away. Also, last time I used the Google profile, I ended session...

                  Another interesting thing...while still typing out this reply, the GmsCompat Google Play notification is gone now! I didn't remove the notification. I noticed it came back (like I said above), and continued typing out this reply, and now it's just gone. I never swiped it away.

                  I will look into doing a video, if I can find a way to make the notification come up on my owner profile. It seems to come and go on its own randomly, all while having my Google profile session not running.

                  Please let me know if any other settings are needed if any!

                  Thank you so much!!

                    dimyself I'll provide the steps for SMS and phone call access...

                    Create a new user profile

                    • Settings > System > Multiple users > Add user > Add new user? > OK > User info
                    • <Enter the name of the new user profile.>

                    At the "<user profile name you entered>" screen

                    • Turn on phone calls & SMS > On
                    • Install available apps (if desired)
                    • Switch to <user profile name you entered>

                    The KEY setting is "Turn on phone calls & SMS".

                    Enabling "Send notifications to current user" is only meant to forward locked screen notifications of the Owner (Admin) profile to the active User profile. I don't believe this is the issue with the Messages app. SMS Texts and Phone calls use a different permission/setup as stated above.

                    I think the most secure setup is for the Owner (Admin) profile to have NO applications whatsoever. I don't want any Owner (Admin) notifications forwarded to my User profile. It's not very useful anyway.

                    According to the Multiple Users screen, "Only the user's name, the app's name, and the time received are shown" to the current User profile. Not sure how much help that is, but it would mean to me that I need to switch to that other profile to see the notification and use its app so I could read its message.

                    dimyself You have Google Services Framework in the work profile. That's what's generating the notification. :)

                    To reproduce, create a new profile and only install GSF. You should see that notification.