Best User profile strategy for privacy

lawman

I'm trying to figure out the best user profile strategy for security that is also practical. I don't only want solutions for high competent adversaries, as low competent are the majority and should be catered for.

I had a look at but that didn't really answer this question.

Here are below strategies I considered and the problem with each.

1) Use owner as dummy profile + secondary as private profile.
a) gos doesn't allow hidden profiles, so secondary would be visible.
b) inefficient as dummy profile apps are always running, in addition to secondary profile apps. Dummy would need a believable number of apps to work.
c) Similar with using private space as private app area.

2) Use owner profile as main profile + secondary as dummy profile
a) gos doesn't allow going directly into secondary profile with PIN from initial lock screen - so owner becomes visible if providing PIN.
b) gos doesn't allow to toggle "End Session" in power/locked mode - so even if you entered dummy profile then gave phone to adversary, they would see the owner profile almost immediately.

There doesn't seem to have been a thought out strategy by GOS developers to result user profile privacy on a privacy focused phone, which seems strange.

Could you please advise how you get around the problems listed above for either strategy? or if this something the developers need to reconsider with purpose.

thanks

n3t_admin

lawman low competent are the majority and should be catered for

That is likely true. However, it's unclear which threat model you have specifically.

Strategy 1 seems like the better option. It is easier to delete profile 2/secondary profile in case you have around a minute of time, which would only show up in forensics. For low competence adversaries, this is likely the way to go.
Is it inefficient? Yup, but that's the compromise you have to make for increased security.

lawman There doesn't seem to have been a thought out strategy by GOS developers to result user profile privacy on a privacy focused phone, which seems strange.

That's because GrapheneOS focuses on security first and foremost. Tricking law enforcement with fake profiles is not really part of their mission. In fact, that's a rather niche use case altogether, if you look at the general needs of GOS users here on the forum.

lawman or if this something the developers need to reconsider with purpose.

I don't think the developers need to address this issue. It makes far more sense to use duress pin/password for these types of problem; that might as well trick low competence adversaries. The project already said that there's no easy way currently to hide user profiles and that forensics could reveal the existence of any profile - which would make all these hacks half-measures - also commonly known as security theater. (I would need to find the source and can't right now, but it's been stated multiple times)

W1zardK1ng

lawman First you need to know your threat model and what you are trying to protect against. User profiles are so powerful but gets inconvenient if you have multiple of them.
If you are a regular person with normal life, just use the owner profile and use a secondary profile or private space for apps that need isolation or you barely use.
If your threat model is low you don't have to use any complex setups, just use the phone as normal. I have tried multiple setups with different profiles but later realised that it doesn't worth the inconveniences i was having with these kind of setup.
I have owner profile with google play services installed and logged in with a throwaway email and a secondary profile with some banking apps which i barely use. Most of my apps are the open source but installed from playstore for the few apps which are not available in plays store i use obtainium.
I didn't even took time to delete the secondary account and move to private space because i barely use those apps.

Wadder

lawman there was a group of individuals within the community that started a GrapheneOS tutorial/ advise guide and the first article they produced was based on profiles and best practice, see the link below.

https://seprand.github.io/

Please note that there hasn't been much development on the project since the original piece was uploaded but there has been a number a article requests.

oci3o

I usually follow this.

Installer profile - this has apps like Accrescent, Google Play & Obtanium installed (I also have Droidify installed but this is to browse apps, not install, I will either put their F-Droid link into Obtanium if it has no releases on Github, or their Github link into Obtanium), I disable all apps after they are installed from the stores, plus some 1st party apps like Vanadium, the OS verifier runs from here also, its locked via a password, no PIN or biometrics, also I set my alarms here, because if the phone reboots (12 hours) it wont work in a profile outside owner.
Daily - This is a FOSS only profile mostly, apart from WhatsApp, this includes apps like NewPipe, Signal, Beautyxt, Proton Apps etc etc, this is locked by PIN and Biometrics, I disallow installing apps via the owner profile here.
Car - This includes Android Auto, music app, Comaps, GeoShare (for Comaps), a web version of Apple Maps, I disable any apps like Vanadium I dont need here, its purely for the car, I disallow installing apps again here.
Banking - Banking apps, once setup I do the same as the other 2 profiles, disable un-needed apps, and disallow app installs, I also turn off phone calling and notifications here.

https://www.youtube.com/watch?v=IAoCfrqxIEg&pp=ygUQU2lkZSBvZiBidXJyaXRvcw%3D%3D <- this is a good start.

lawman

oci3o very useful. thanks

where do you put social media apps like whatsapp. bummer so many apps need playservice like whatsapp.

the banking/crypto apps need to be kept in separate profile, but pity I won't then get banking notifications. Can't be helped I suppose.

mmobder

oci3o what's the justification of such a complexity? Not the generic "it's obvious", but fact-based justification

mmobder

oci3o , I disallow installing apps via the owner profile here.

what's the benefit? none of 3rd party app will be able to silently setup another app anyway

lawman

W1zardK1ng

is private space less secure than profiles?

thanks

oci3o

lawman WhatsApp goes into my daily profile because I use it so much.
Only social media I use is mastodon, and then I only browse, I just use a PWA for that site, I would have a seperate profile if I used say Facebook, keep the profiles to the owner, so Meta includes Facebook / Instagram etc.

mmobder

lawman no, instead it's more convenient from usability point of view

lawman

mmobder In the current GOS state, I could see the following benefits:

1) Isolating apps which rely on google services.
2) Isolating private apps such as banking/crypto which you want to keep offline moreso
3) Reducing the number of running apps at one time to increase battery / decrease data usage / decrease heat
4) Reduce visible apps if owner profile access is required by an adversary

There would be a far greater number of benefits if
5) hidden profiles was permitted by GOS developers.

mmobder

Wadder on profiles and best practice

unfortunately, the article is rather a collection of how people are typically setting up their profiles and doesn't really question if certain claim is valid or not.
There are few exceptions - a too generic "For most use-cases, using secondary user profiles to further isolate apps is unnecessary", and few others like fast non-owner profile deletion and putting data at rest. It doesn't really mention all the downsides of multi-profile setup (like expectedly failing alarms in non-owner) and doesn't really details what are the negatives of "work-profile" (apart from it's not being "mainstream" compared to PS).

So that site is the dead one.

newbie24689

Wadder WOW! A well-written, succinct article about things to consider when configuring your phone. Obviously, no pat answers - but I need an overview like this and some time using the phone before I can hone in on a "best for my use" setup.
When/IF IPC can be scoped, the user will have LOTS of possibilities.
I don't travel internationally any more, but the possibility of "cloud computing" should enter the mix as well.
Obviously, using a minimal number of apps reduces the complexity of the solution.
Thanks for noting this article!!

de0u

lawman There would be a far greater number of benefits if [...] hidden profiles was permitted by GOS developers.

The GrapheneOS developers have not disabled an existing hidden-profile feature, so "permitted" seems like a very inaccurate characterization. You are asking them to design and implement and test and maintain a hidden-profile feature.

mmobder

lawman Isolating private apps such as banking/crypto which you want to keep offline moreso

this statement is sooo controversial - I have to receive notifications about events on my bank acc or CC, especially those like revolut so I know strange things are happening there.

mmobder

lawman Reducing the number of running apps at one time to increase battery / decrease data usage / decrease heat

this is rather a per-app expectation, not a per-profileat least for me.
Current default setting ON for per-app battery use (allow background usage) and network use (allow background data) isn't my favorite for user-installed apps. So I have to manually disable those.

lawman

de0u you are correct. I mispoke.

raevero

FWIW I've been using gos for a week now and consider myself a low threat target. I have no reason to believe that my critical info is at risk. My bigger concern has always been what is Google doing with my data?

To that end, all apps that require play services are in my private space. Everything else is in the main profile. During work hours, my private space remains mostly unlocked and the remainder of the day, it's mostly locked. My understanding is that when locked, play services is shut down.

So far, this setup works for me. Not terribly inconvenient and if I understand properly, Google is getting very little... If any.... Info from my phone now. Mission accomplished.

de0u

mmobder unfortunately, the article is rather a collection of how people are typically setting up their profiles and doesn't really question if certain claim is valid or not.

I suspect it is possible to file issues and even pull requests at https://github.com/SePrAnd/seprand.github.io

oci3o

mmobder Its just to keep things tidy, and avoids accidentally using them outside the profile.
It also helps by disabling all permissions for the app, so any potential leakage by leaving the app enabled should be mitigated.

mmobder

de0u I suspect it is possible to file issues

I've left comment in the original thread back then, with no effect, but yep, will consider registering another git acc and re-submitting it. I've linked the thread with collection of "side effects" of using PS/non-owner, etc that may be helpful to choose one scheme or another depending on their typical use case without recommending particular setup. https://discuss.grapheneos.org/d/16754-pls-help-to-collect-inputs-only-that-influence-users-scheme-setup-in-a15/26

The 2nd one could be "Please rename the article to "Collection of how various users are setting up their profiles", as for "Best User Profile Setup on GrapheneOS" it lacks reasoning for all the claims at the moment.
But I consider it "controversial" so won't submit).

I better try to first collect inputs here from knowledgeable people.

The same principle GOS is following in their official Guide is entirely missing in that profiles community guide, as there are just generic claims that IPC is blocked (though network loopback is entirely open, so I dunno if that makes any difference), so if network communication is OFF for Play Services / Store / apps, will there be a difference?
So instead of a reasoning-based guide it's rather how ppl are got used to do something according to state of their BELIEFS, not a GOS standard afaik.