Question about the "Install Available Apps" feature for user profiles

How does it work?
I just installed Sandboxed Google Play in my owner's profile and when I was creating a second user for school, saw that I could install "available apps" (apps that were already on the main user profile) for it.
Are the apps installed this way for the second profile covered by the Sandboxed Google Play in the main profile, or are they sandboxed in other ways? Are the updates in parallel with their main profile counterpart?


    Noob12 Hi there! Great question!

    With the "Install available apps" feature, you can install apps that you have installed in your "Owner" profile in other profiles.

    If an app requires Sandboxed Google Play, you will need it on that secondary profile as well, as apps cannot communicate across profiles, so Sandboxed Google Play doesn't see the app in the new profile unless you install it there too.

    I would recommend first installing Sandboxed Google Play, and then using the "Install available apps" feature to install whatever apps you wanted into the profile that depend on it.

    Furthermore, if you update an app in any profile, it will get updated in all profiles.

    I hope that answers your questions!

      matchboxbananasynergy Furthermore, if you update an app in any profile, it will get updated in all profiles.

      How does this work? I thought the profiles are completely separated from each other. Do they still share disk space somehow?

        wonder75 Profiles are separate in the sense that they have separate app data, and in the sense where apps in one profile can't communicate with apps on another profile.

        That said, the OS knows about all profiles, and which apps you have installed. I'm afraid that I'm not technically adept enough to fully explain how it works, but the bottom line is this: apps are updated across profiles, you can't install an older version if you have a newer version of an app in any profile, and you can't install an app with the same app ID but a different signature across profiles either.

        4 months later

        Are there currently any known problems with this feature? Couldn't find anything in the issue tracker or in the forum.
        I used it successfully once when it was released. A couple of days ago I tried it again but the list of available apps is just empty.
        Both current and previous release for P7 seem to be affected.

          ReadOnlyUser Keep in mind that it only enumerates apps you have installed in the owner profile, not others.

          Pixel 6 here, can see the list fine.

          Edit: I also consulted various people in the Matrix community with Pixel 7 and 7 Pros just in case it was model specific, they could all see their apps.

          Thanks for clarification, wasn't aware that it's restricted to the owner's apps. Was it like this all the time? My owner profile is empty but I'm sure I used it anyways.
          The global app settings menu shows all apps in owner profile.

          Would be great to have one secondary profile to collect whatever app is needed and share these apps on demand from the owner profile to other secondary profiles. These profiles would not need app installation permission.

            ReadOnlyUser Thanks for clarification, wasn't aware that it's restricted to the owner's apps. Was it like this all the time? My owner profile is empty but I'm sure I used it anyways.

            There was one release (2023012500) without the restriction:

            • extend the install available apps feature (allows Owner user to install apps in other users) to apps only installed in secondary profiles

            But since the following release (2023020200) the GUI has been restricted again:

            • drop our extension to the install available apps feature (which is still available, without this extension) making it work for apps not installed in Owner since this is risky in a situation where there are actually separate people using secondary users and while we want to provide this feature, we'd need to come up with a way to address this to add it back

            ReadOnlyUser Would be great to have one secondary profile to collect whatever app is needed and share these apps on demand from the owner profile to other secondary profiles.

            It's still possible with ADB:
            adb shell pm list users
            to get the numerical ID of the user for which to install the app, then
            adb shell pm install-existing --user ID com.example.app

              It's also possible (and safer) not to use adb. Use some app to extract the APK and plug in USB storage to transfer it between profiles. Or just download the app/APK again in the other user profile.

              By connecting a PC to the phone via adb you give the PC highly elevated privileges over the phone, and for the sake of the phone's security it's best avoided if at all possible.

                dazinism It's also possible (and safer) not to use adb. Use some app to extract the APK and plug in USB storage to transfer it between profiles.

                That method is not all roses either though: Unless one is diligent about checking that the app ID turned out to be the same in the destination profile after installation, the extractor app or the file transfer mechanism could have tampered with the .apk

                But, fair enough. I was kind of unconsciously assuming that of course nobody would even consider hooking up the phone through ADB unless at least it's in a Qubes OS disposable sys-usb VM :)

                To complete an unholy trinity of flawed methods (until the GUI can somehow push an app from one secondary profile to another again), I guess it would also be possible to run the pm commands on the phone through Shizuku.

                Unless one is diligent about checking that the app ID turned out to be the same in the destination profile after installation, the extractor app or the file transfer mechanism could have tampered with the .apk

                Can do a quick & simple check in the owner user profile, as Settings > Apps lists all apps installed on all users on the device. As you point out, a maliciously altered app, installed on the same device as the legitimate app, would need to have a different app ID. So you would see the same app listed twice when searching the app list. At the bottom of their app info page you would see different package names (something like com.company.appname).

                It's also possible to check the APK signature fingerprint, which is unique and is what the system uses to ensure that app updates can only come from the same source as the installed app.
                There's a decent database of fingerprints at https://beta.pithus.org/

                Can check the signature fingerprint of apks and installed apps using something like https://github.com/xgouchet/Stanley (they call them signing certificates)

                Can get fingerprints from APKs from a terminal using:
                apksigner verify --verbose --print-certs name_of_the.apk

                Shizuku also requires granting access to the Android debugging interface (adb), which always opens up a significant security hole and is still best avoided if at all possible. Developer options are meant for development purposes and can seriously affect the security of the device and/or break unexpected things, e.g. there has been a serious bug in the past that only hit people who had played about with the display cutout setting in developer options.
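
The fingerprint comparison described in the post above, as an added example that is not part of the original thread: it compares the signing-certificate SHA-256 digests that `apksigner verify --print-certs` reports for two APK copies and refuses a match when no digest is found. The function names, sample outputs and digests are constructed for illustration, and the script assumes apksigner's `Signer #N certificate SHA-256 digest:` output lines.

```sh
#!/bin/sh
# Added example: decide whether two APK copies were signed by the same key(s).

# Read apksigner --print-certs output on stdin; print the sorted, lowercased
# set of signer certificate SHA-256 digests (SHA-1/MD5 lines are ignored).
cert_digests() {
    sed -n 's/^Signer [^:]* certificate SHA-256 digest: \([0-9a-fA-F]\{64\}\)$/\1/p' \
        | tr 'A-F' 'a-f' | sort -u
}

# Compare two captured apksigner outputs. Succeeds only when both contain at
# least one digest and the digest sets are identical.
same_signer() {
    _a=$(printf '%s\n' "$1" | cert_digests)
    _b=$(printf '%s\n' "$2" | cert_digests)
    [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

# Real-world entry point: returns 2 if either APK fails signature verification,
# 1 on a signer mismatch, 0 when the signers match.
compare_apks() {
    _out_a=$(apksigner verify --print-certs "$1") || return 2
    _out_b=$(apksigner verify --print-certs "$2") || return 2
    same_signer "$_out_a" "$_out_b"
}

# --- Constructed sample data (not real certificates) ---
D1=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
D2=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
SAMPLE_ORIGINAL="Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: $D1
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567"
SAMPLE_COPY="Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: $D1"
SAMPLE_TAMPERED="Signer #1 certificate DN: CN=Someone Else
Signer #1 certificate SHA-256 digest: $D2"

# Demo on the constructed samples.
if same_signer "$SAMPLE_ORIGINAL" "$SAMPLE_TAMPERED"; then
    echo "same signer"
else
    echo "signer mismatch: do not install this copy"
fi
```

On a real pair of files, call `compare_apks original.apk transferred.apk` on a machine with the Android build tools installed.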