• General, Pixel 6
  • Phone and App Crossover between Profiles and Related Privacy Concerns

I've been using GrapheneOS more and more frequently and as a result have noticed a few items of concern related to the "separateness" between profiles. Mainly, it seems as though apps in different user profiles on the phone do not seem to be walled off from one another.

For background, I have my user profiles set up such that I have an Owner profile with zero apps, a profile where I have all my FOSS apps ("FOSS Profile"), and then a separate profile with non-FOSS apps ("non-FOSS Profile"). My FOSS profile is where I also conduct my messaging through Signal and accept and receive phone calls and SMS. My non-FOSS profile has no access to any sort of messaging, phone, SMS, or otherwise.

  1. Phone
    As mentioned above, my non-FOSS profile has no access to my phone, contacts, or SMS messaging. However, when I'm logged into that non-FOSS Profile, if someone calls me on my FOSS Profile, that phone call still comes through and I'm still able to answer it in my non-FOSS Profile. I'm just curious how that would be the case when the profile does not have authority to do that.

It would separately be helpful to know how I can dedicate a profile other than the Owner profile to receive SMS messages without the Owner profile also receiving those same messages. Is this possible?

  2. Spotify

(A) I have Spotify in my non-FOSS app profile. While at work, I will log out of my non-FOSS profile and listen to Spotify on my work desktop. When doing so, I noticed yesterday that the song I'm playing will briefly show up on the locked screen of my FOSS profile. It's a split second and then disappears. To be clear, it's not the background on the phone that would display if I were actually logged into the non-FOSS profile, but rather, it essentially looks similar to how a Pixel with stock Android has the feature where it tells you what song is playing in the background. This was a bit concerning to me because it would indicate that (i) the phone was picking up audio in the background without permission or (ii) the non-FOSS profile was crossing over to the FOSS profile and providing data on the screen.

(B) What was of greater concern was that just today when I logged out of the non-FOSS profile and logged into Spotify on my desktop, I clicked to play a song on my desktop and it started playing on my device. While that would be fine if I were logged into the profile with Spotify downloaded, I wasn't. Instead, the song was playing on my FOSS profile. Again, I'm unsure how I could play a song on a device through a profile which does not even have access to the app playing that song in the first place.

Is this all easily explainable or should there be concerns about how walled off user profiles are from one another?

    I am also interested to better understand profiles. I was expecting a logged out profile would be completely off, as if the phone were not turned on. But it seems some background apps can still be active...
    It would be a great privacy / security feature to be able to really shut down a profile, as soon as you're not logged in it.

      alci
      Are you using the End Session feature when you exit a profile or are you simply switching profiles? To shut down a profile (with the exception of a remaining media notification in some instances) you need to end the session by holding the power button in that profile and then choosing End Session. Otherwise the profile will remain active until you restart or shut down the phone.

      rsm
      I have also noticed that whatever media is playing on a profile may sometimes show up in the other profile when swiping down once or twice. If I hit play it takes some time and then usually plays the media from cross profile.

      In addition, if I am in the Owner profile and receive a call via WhatsApp in another profile it will ring but will not allow me to switch profiles or answer the call until it stops ringing.

      The behavior of cross profile media (music etc) and phone (normal calls or via Signal or Whatsapp) is very interesting and warrants investigation.

        rsm However, when I'm logged into that non-FOSS Profile, if someone calls me on my FOSS Profile, that phone call still comes through and I'm still able to answer it in my non-FOSS Profile. I'm just curious how that would be the case when the profile does not have authority to do that.

        It sounds like it doesn't have the authority since it can't answer calls.

        I'm just going to be blunt about this one. GrapheneOS likes profiles, other OSs don't really use them, so the Android devs at Google don't always know about or fix some of these weird issues, like this one. (And there's another thing I'll clarify later.)

        The owner profile has to be active and the owner profile has to have access to the phone. So, when a call comes through, it'll still "ping" the owner profile.

        rsm It would separately be helpful to know how I can dedicate a profile other than the Owner profile to receive SMS messages without the Owner profile also receiving those same messages. Is this possible?

        Unfortunately, no.

        rsm Is this all easily explainable or should there be concerns about how walled off user profiles are from one another?

        Not exactly.

        One thing that's clear is that there are some... things that show up between profiles. It's an upstream bug that Google needs to fix, but hasn't. Bubble notifications, some enhanced notifications, and some full screen "show over other apps" notifications (like the incoming phone call one) are known to sometimes show up in the other profile. I've seen reports of some settings carrying over as well. This is probably why you're seeing Spotify notifications when switching profiles and why you're seeing the incoming phone call but unable to actually answer in the profile without access.

        I tried to find some examples of similar issues, but only can find three.

        Clearly Google has some bugs they need to fix. Some settings or notifications just happen between profiles.

        So, does this mean your profile isolation is compromised? No. Apps in each profile are individually sandboxed and the APIs that are available to them don't let them communicate or work across the profile boundary. The issues you're experiencing are bugs either with Android's System UI or some system services not actually checking the active user before doing something.

        rsm stock Android has the feature where it tells you what song is playing in the background.

        This feature isn't available on GrapheneOS since it's proprietary Google software not included in AOSP.

        rsm Instead, the song was playing on my FOSS profile. Again, I'm unsure how I could play a song on a device through a profile which does not even have access to the app playing that song in the first place.

        This one I don't know anything about, nor do I recall reading about others having this issue. Are you sure you ended your non-FOSS profile's session? If you simply switch to another user, the non-FOSS profile will still be active.

        Lusca I didn't know about the End Session feature! That is what I was looking for. Many thanks!
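
As an added example (not part of any post in this thread): the replies above distinguish switching away from a profile, which leaves it running, from ending its session. The sketch below parses the output of Android's `pm list users` to show which secondary profiles are still running in the background; the sample output, profile names and flag values are constructed, and `background_users` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example; not code from the thread or from GrapheneOS.
# Reports secondary user profiles that are still running in the background.

# Constructed sample of `adb shell pm list users` output (names and flags
# are illustrative): the non-FOSS profile was switched away from, not ended,
# while the Guest profile is stopped.
SAMPLE_USERS='Users:
    UserInfo{0:Owner:c13} running
    UserInfo{10:FOSS Profile:410} running
    UserInfo{11:non-FOSS Profile:410} running
    UserInfo{12:Guest:404}'

# background_users CURRENT_ID
# Reads `pm list users` output on stdin and prints "id<TAB>name" for each
# profile marked "running" that is neither the Owner (user 0, which the
# thread notes has to stay active) nor the profile currently in the foreground.
background_users() {
    awk -v cur="$1" '
        { sub(/\r$/, "") }                      # tolerate CRLF from adb
        /UserInfo[{]/ && / running[[:space:]]*$/ {
            line = $0
            sub(/^.*UserInfo[{]/, "", line)     # drop everything up to "{"
            sub(/[}][^}]*$/, "", line)          # drop "} running"
            id = line
            sub(/:.*/, "", id)                  # id is the first field
            name = line
            sub(/^[^:]*:/, "", name)            # strip leading "id:"
            sub(/:[^:]*$/, "", name)            # strip trailing ":flags"
            if (id != "0" && id != cur) print id "\t" name
        }'
}

# Stand-alone run on the constructed sample, with user 10 in the foreground.
printf '%s\n' "$SAMPLE_USERS" | background_users 10
```

On a device with USB debugging enabled, the same function can read live data with `adb shell pm list users | background_users "$(adb shell am get-current-user)"`.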