Are there any security benefits to using user profiles?

workeronthewalls

Hi,

so I know, that there are privacy benefits to using user profiles like for example that apps can't see what apps you use in other user profiles.
But are there any security benefits to using user profiles?
For example in my case, a specific app that I want to use, needs it to allow using "native code debugging" to work, which can of course be a security risk, even if just a small one.

So would there be any security benefit to install this app in a custom non-owner user profile, where I would give that app the permission to use "native code debugging"?
If shit would hit the fan like they say and somehow a bad actor would compromise this app using the allowed "native code debugging", would my other profiles, especially my main owner profile be isolated security wise from this security incident?
Or would it be the same, security wise, as if I would have installed the app with "native code debugging"-permission on the main owner profile and there are no security benefits to using user profiles then, but only privacy benefits?

Because I was thinking that this user profile stuff was somewhat similar to the QubesOS-VM stuff, where you expect a VM to be infected and therefore have this VM isolated from the rest and just delete the VM if shit hits the fan and you get infected by a bad actor.

brev

workeronthewalls

Because I was thinking that this user profile stuff was somewhat similar to the QubesOS-VM stuff, where you expect a VM to be infected and therefore have this VM isolated from the rest and just delete the VM if shit hits the fan and you get infected by a bad actor.

$0.02: Computers are inherently much less secure than a modern, updated smartphone running Android variants or iOS, due to a variety of reasons like application sandboxing, lack of user-enabled root access, and so on, outside of extremely expensive and complicated exploit chains as seen in something like Pegasus malware.

In my mind, Qubes -- and immutable distros like Secureblue -- are making up for these shortfalls rather than being the model to follow on all devices.

That being said, I do isolate my main profile from my Goog Play Services profile and financial profile, but that's more of a personal choice than one based in security or privacy to be perfectly honest.

ryrona

workeronthewalls

QubesOS is running virtual machines. If one virtual machine gets compromised, the attacker is still confined within that virtual machine, and cannot access data stored in other virtual machines, and cannot compromise other virtual machines. Unless they also are able to find a vulnerability in the CPU microcode, the Xen hypervisor running all virtual machines, or the minimal communication framework between virtual machines and dom0 implemented by Qubes to support clipboard sharing, sending files to other virtual machines, and seamless mode for displaying windows.

GrapheneOS, and in fact all Androids are similar. GrapheneOS is instead running each app inside an app sandbox. If the app gets compromised, the attacker is still confined within that app sandbox, and cannot access your files (unless the app has been granted permissions to read all files), or listen to your microphone (unless the app has microphone permission granted) and so on and on. But if the attacker is also able to find a vulnerability in the CPU microcode, kernel, the app sandbox, system Android processes or similar, they might similarly break out and get access to everything, like if an attacker breaks out of a virtual machine.

The difference is that app sandboxing is a much weaker protection than virtual machines. The attack surface is much bigger, meaning the risk of an attacker finding a sandbox escape vulnerability is way higher than a virtual machine escape vulnerability. There seem to be a few such sandbox escape vulnerabilities fixed each month in AOSP and GrapheneOS, while QubesOS only have some each year.

To answer your question if separate user profiles matter, no not really. The app sandbox is per running app. But apps running in separate user profiles are forbidden from communicating with each other using intents and similar standard IPC mechanism, which might mean a compromised app cannot talk to apps in other user profiles without breaking out of the app sandbox too. But maybe you see that as a privacy advantage rather than security one.

workeronthewalls

ryrona Thank you very much for your answer.
But is there really no significant additional security layer put on top of the app sandbox, when you use an app in a separate user profile, specifically regarding the possible spread of the infection to other profiles?
Because my main concern is not that the user profile where the app is installed in, gets compromised, but that the infection will spread to other profiles that do not have that app, like my main owner-profile.

Also coming back to my personal example/use case that I mentioned: So it does not make any difference security wise, if I grant an app permission for "native code debugging" in a custom profile or my owner profile?
Or would I have at least a little bit more security, meaning that it would up my chances that the infection of that app that I granted permission for "native code debugging", would not spread to other profiles?

Djack41

Hi, I do understand the privacy interest of user profiles, but, being new on GOS, can you explain me how to push apps from my Owner profile to another one (Work, Travel ...)

And, for privacy sake, is it better to use Private Space in the Owner profile or different user profiles ?
How do I push apps in my Private Space ?

Thanks for the tips !

ryrona

workeronthewalls But is there really no significant additional security layer put on top of the app sandbox, when you use an app in a separate user profile, specifically regarding the possible spread of the infection to other profiles?

No. The app sandbox is the security layer. It already provides all the isolation you would find between profiles in eg desktop Linux and way way more. If you break out of that, there is not more. The concept of separate user profiles does not exist once you have broken out of the app sandbox, as that is enforced by the app sandbox. There isn't really any further hardening you can do that would isolate profiles in case of app sandbox escape, unless you run each profile in a separate virtual machine, but that would be too expensive for weak phone hardware.

workeronthewalls Because my main concern is not that the user profile where the app is installed in, gets compromised, but that the infection will spread to other profiles that do not have that app, like my main owner-profile.

The app sandbox is going to protect you here. It will contain the compromise to the compromised app, so it cannot spread to other apps or the system itself. Similar to if each app was running in a virtual machine, except, running each app in a virtual machine would probably be way more secure.

workeronthewalls Also coming back to my personal example/use case that I mentioned: So it does not make any difference security wise, if I grant an app permission for "native code debugging" in a custom profile or my owner profile?

No. It would not make any difference.

workeronthewalls Or would I have at least a little bit more security, meaning that it would up my chances that the infection of that app that I granted permission for "native code debugging", would not spread to other profiles?

You have more security in the sense that if the compromised app cannot break out of the app sandbox, it can only talk to other apps in the same user profile. But if an attacker is able to compromise the kernel and break the boundaries the app sandbox is enforcing, the concept of separate user profiles doesn't really even exist anymore, as that is a concept largely implemented by the app sandbox.

Clare

Hi there i’m a newbie too and want to know that when you download apps they are all in the owner user. They say to make up other user profiles and separate apps because apps talk to each other. Would they do so in the owner user? Or does the sandboxing protect that from happening? Also you must not use the apps in the owner profile only in they other users you separate the apps too? Im also confused with google play. Is the mirror google actual google and is it sandbox and safe or are you suppose to only use Aurora for google apps? Sorry im really new to all of this and especially Android.