A question about system / apps sandbox / isolation

CGG

Hello guys, im facing some doubts on how GOS deals with isolation between sandbox, users and applications.

One example is:
1- when i update an APP for a work user, automatically the other users who has the same APP also get updated with the same version. (Important to mention that the installation of this same APP occurs completely isolated. In other words i have made two different installation of the same apk on two different profiles. So why this process happens? Since the user profiles dont relate and are sandboxed from each other? (It wasnt installed on main account but inside each work acct)

So if this is happening can I assume that if for some reason the user1(for example purposes) suffers some kind of modification, the user2 will receive the same modification in the apk?

Why my question:
1- i have 2 whatsapps apps installed for 2 different users
2- they are from different phone numbers so they are different in their messages, profiles, etc.
3- when i update one, the both are updated even with the user separation.
4- in a case of an attack of user1 where the attacker manage in some way poison my apk with malicious code, will the other will be in risk also? Because in my ignorance in some way they are connected when i update the apk so this make me think despite the different profile in each APP, any changes on one apk could hit the other user apk.
Am i right? If not i insist, so how can one update reflect on another isolated profile but a malicious code in the apk wouldnt have the same effect?

Thanks

pxlkng

CGG

App installations are global. This does not mean that their app data is global, this is not the case. Every profile has its own app data. This also doesn't mean that an app is actually "installed" for every profile, but merely that the package is managed on a global level and not per-profile.

CGG in a case of an attack of user1 where the attacker manage in some way poison my apk with malicious code

Android enforces signing key pinning and downgrade protection for already installed apps (on upgrade). This means that with updating an already installed apk, it has to be a never or same version and have the same signing key. So this is not possible (unless the developer gets compromised or the keys leaked) and would only be a concern for the first installation.

CGG work user

If you mean work profiles, I want to note that those are legacy/deprecated and not recommended, as Private Space is much better and has fully replaced them. You can have a Private Space for Owner and every secondary user account.

CGG

pxlkng thanks for your answer. I dont know how to deal with private spaces. Im only aware of private scopes but i get some limitations on it. Where can i find more about private spaces?

pxlkng

CGG

Private Space is basically just like work profiles, just without the need to rely on third party apps and overall better, more robust and a native implementation.

You can setup Private Space in the Settings -> Security & privacy -> Private space

pxlkng

Also you should be getting your apps from secure stores, then you don't need to worry about malicious, compromised or wrong APKs, or similar. The two recommended third party stores are Accrescent (available on the GOS App Store) and the official Google Play Store (also available there).

Other sources should be avoided. This especially includes Aurora Store and F-Droid as those have security issues and reduce your overall security and privacy.

Sideloading (e.g. via Obtainium+AppVerifier) should also best be avoided in favor of secure app stores and only used as a last resort if an app is not available in the two recommended stores.

CGG

pxlkng perfect explanation. Thank you so much!

Just one point is: not my concern to get a modified apk just because as you recommended i just use them from original atores. My main concern is a flaw in a legitimate APP that could suffer some code injection inside its code by some flaw and change some lib or config file.

CGG

pxlkng thanks one more time. I think for my whatsapp may the private space wont be very useful because notifications etc but for other things it fit very well. Unfortunatelly you must have a google account... Thanks!

pxlkng

CGG

No, you do not need a Google account to use Private Space on GrapheneOS.

CGG

CGG so it if this is possible it would get the global apk compromised... Thats my concern.

If my apk for some reason gets poisoned by an attacker, in some way the other installation will be compromised. Not even the profile isolation will prevent the apk to act in malicious ways. I got whatsapp downloading model languages in a "user1" APP profile in a manner that was very suspicious to me since im heavily hacked on whatsapp. If this language model have some malicious code embedded both of my whatsapp installations are compromised. Thats my point in general

pxlkng

CGG

Something like that is technically not possible. The integrity of apps is verified, just like that of the OS.

Apps obviously can have vulnerabilities that compromise the app itself at runtime, but this would then be contained by the app sandbox (so it cannot affect/compromise other apps or profiles), unless it would additionally have some exploit to also escape the app sandbox (which is very unlikely).
Code injection is also indeed a thing, but not a malicious one. See dynamic code loading (DCL), against which GrapheneOS also has hardening toggles, as dynamic code loading can be abused to load malicious code if there are vulnerabilities or incorrect implementations of it.

CGG

pxlkng competely understood. Again, I thank you for all explanation and time helping me on this question

Best regards

CGG

pxlkng competely understood. Again, I thank you for all explanation and time helping me on this question

Best regards

pxlkng

CGG

Glad to help.