Should I have all my stuff in owner profile or secondary?

Molasses

@DeletedUser495 mentioned one key aspect of why multiple user profiles may be problematic for everyone: Upstream Bugs in AOSP.

The worst ones from my point of view were messed up auto brightness and the fingerprint reader not working across all profiles after one specific user profile was active. Only restarting the device fixed the latter one.

Not being able to activate the Hotspot from user profiles or certain settings (like Wifi networks) not persisting, unless you add them with the owner profile, can be painful too.

I tried using multiple profiles for months and gave it up.

Just sticking to the owner profile + private space (if needed) seems to be the most practical choice:

You get all app notifications without delay
You get the best battery life
It's far more convenient in terms of real world usage
No more juggling with multiple passwords/PINs for different profiles
No need to switch back to the owner for important system notifications (like system updates)
You can still push apps from the owner into the private space for basic compartmentalization.

Molasses

2days

If you use privacy invasive apps, you can reduce data collection by:

Only granting them camera/microphone/location permission on a one-time basis
Making use of contact and storage scopes
Disable sensors permission for user installed apps by default
Restrict background usage for such user installed apps in the battery section, to prevent them running in the background altogether. This needs testing though, as it might impact functionality in real world usage. One example: Banking apps. Filling out information for a transfer might fail due to frequent switching between apps (for copy and paste).

While every GrapheneOS user should know about these options, most seem to underestimate their inpact simply because of the belief that running everything in the owner profile somehow ruins your privacy anyway.

2days

All great points.

Out of interest, what is the loss of procacy thoughts people have (real or perceived) from using all apps in owner only?

Molasses

2days

Google can fingerprint you more accurately through your installed apps compared to having a dedicated profile for Play Services/Store
Apps containing google play libraries or installed from play store can see which google account is used in play store for fingerprinting purposes (Not 100% sure on this one though)
All Apps can fingerprint you more accurately, there's no way (yet) to hide the list of all installed apps from (invasive) apps
Your browsing activity can be tied to your app activity through your IP Adress, you can get around that by using your browser of choice through private space with a different IP.

2days

Molasses

Molasses Your browsing activity can be tied to your app activity through your IP Adress, you can get around that by using your browser of choice through private space with a different IP.

Is the fingerprinting the same if you're using a VPN?

And so are you saying that say any email app or Spotify or any random installed app can see browsing history on say another app say brave?

Doesn't seem right?

brightjob4495

KitsuneNoBaka out of curiosity, when you say "work profile" and "private profile" are you talking about user profiles that you use for those purposes, or about thework profile that's enabled through an app and private space?

KitsuneNoBaka

brightjob4495 thework profile set by shelter app and private space.
And you can install apps from owner profile to private space.

mythodical

2days

It's complicated. Using split tunneling with a VPN ~~will~~ can provide IP separation between apps. Some fingerprinting is IP-based only so this would suffice.

Other fingerprinting may rely on looking at which apps are installed on your device, your known and nearby network SSIDs, the user accounts or data present in other apps (via Inter-Process Communication (IPC)), etc.

Using profiles, or the Private Space feature, along with a VPN and split tunneling can help isolate apps and activities from one another to improve privacy.

Molasses

2days

Lets say youre using a VPN in the owner profile and install the same VPN through the Private Space Settings in there as well. You could pick lets say "New York City" as the location in the Owner and "Washington" in Private Space.

It doesn't help much, but makes tracking you a little harder.

And no, apps can't access data of other apps, that's what Android's Sandboxing Model prevents. I was just talking about one of the many points where online activity across different services/apps can be easier tracked, if you only use the Owner Profile.

Only you can decide if that's bothering you enough to use more than one profile on your phone.

mythodical

2days Should I leave owner profile blank and instead put all my apps and Google play into the user profile instead?

I think this is overkill for the vast majority of users. Unless you have a specific threat model you are trying to protect against, you should be fine using the main (Owner) profile for everything.

Stock GrapheneOS already provides significant privacy and security enhancements over Google's Android OS. Per-app network toggling, optional and sandboxed Google Play Services, Storage Scopes, and Contact Scopes all offer much more control over your device and data than you would otherwise have.

You can always create a secondary profile or use the Private Space feature to isolate a few apps and/or make use of a VPN when needed.

2days

My threat model is not very high at all. It's more just added privacy so everything said makes sense and wouldbe overkill maybe. Just learning it all :)

mythodical

2days, it looks like your other post about Private Space has been removed, so I'll just put my reply here:

You can't move or copy apps to Private Space (PS) like you can with full profiles. You still have a few options though.

Install Google Play via the Apps store in PS, sign-in and install any other apps you need. These PS apps will of course be associated to your Google account
Use Obtainium, Droid-ify or some other app store to install the apps under PS. These PS apps won't be associated to your Google account, but this won't work for apps that are only available through Play, such as Gboard unless you use the Aurora store.
Install the app to your Owner profile first using the Google Play store. Extract the APK using an APK utility app (like APK Explorer or Kanade), or download the same APK version from an APK mirror site (APKPure, etc.) and install it manually in PS. Because you already have the app installed under the Owner profile, the APK will only install if the package signer is an exact match, thus providing some safeguard for APKs downloaded from the internet.

2days

mythodical
Oh I deleted post as I think I found my own answer

I may not have done it right but I was playing around and went to my private space and there was an "install button" and so I clicked it and chose the apps I wanted to install from owner to PS and seems to have worked

mythodical

2days Hah, TIL! I use a third-party launcher and haven't seen that option under Private Space. Even if I have to load up the GOS launcher to copy over apps once in a while, that will greatly simplify my workflow for the few Play-only apps I use in PS.

mmobder

KitsuneNoBaka thework profile set by shelter

A side question - why Shelter (that is rather Idle re support) and not Insular (that at least seems more alive)? Though none of them declares tested support for A16...

Nettishrin99

I also wonder if the advice should be updated. I use empty/app-pusher owner profile and secondary profiles but it is annoying to have to keep switching and there are some minor bugs. With Private Space, I wonder if the secondary profiles are mostly obsolete?

What are the real-life benefits in terms of privacy and security? If I returned to owner profile as main profile and configured PS for GoogleServices apps, banking apps and some work stuff like Outlook/Teams etc., how much privacy and security am I really giving up? From what I understand PS is essentially a separate user profile that can replace current user profiles I use for work and privacy-invasive apps with separate optional google play services?

My one reason for multiple profiles was theoretical - the ability to quickly wipe entire profile if needed. However, I would need enough time to switch to owner profile, authenticate, navigate to profile settings and delete profile, which may not be enough time and so far I did not need to do so. In addition, I don't really have that high a threat model.

I do like separate user profiles but for the mobile device it seems much, impacts battery and is inconvenient to keep switching between them. On a laptop, it would make more sense but the phone is a small device with limited battery, small screen. What are the community's opinion on this debate today?

W1zardK1ng

Nettishrin99 im my opinion people use multiple use profiles without knowing what they are really achieving through it. Its like using GrapheneOS without google play service and complaining their apps are not working.
The only advantage of using separate profiles are for stopping IPC. Apps can communicate with mutual consent if you don't want that use separate profiles but switching between multiple profiles is a hassle, i did the same mistake in my starting. But later understood i don't need such a setup for my threat model and most people don't need it, a feature exists doesn't mean you need it. For example i have duress password set but never had to use it.
I use all apps which works without Google play services in owner profile including WhatsApp and which requires Google play services in a private space. Its simple but effective.
Most people don't need to setup multiple profiles, but if you choose to use one its on you. Even if you install every single app in owner profile you are much better than using a stock Android. In Android every single app is sandboxed including the google play service in GrapheneOS. You choose what apps can access. If you dont use an app often just disable it.
Once multiple private spaces feature is available user profiles are kind of unnecessary for most most people.

IDtheTarget

W1zardK1ng

The only advantage of using separate profiles are for stopping IPC.

I disagree. I have two reasons that I use multiple profiles. The first is due to known facts, the second is due to speculation:

1) I work for an organization that is subject to FOIA requests and subpoenas. I have chosen to use my personal phone for work rather than carry a second phone. So my phone is subject to FOIA/subpoenas. By separating out all work functions into a secondary profile, I am able to comply with the FOIA/subpoena and not have to worry about some random person getting access to my taxes or any other info that would give them the ability to steal my identity.

2) This one is the speculation. I freely admit to not yet understanding the architecture of GOS well enough to evaluate it. But, it's typically a "best practice" to not use a system with elevated privileges unless necessary in case of a successful zero-day attack. So I have a "me" profile for daily driving. I use the owner profile to install apps, push them to the 'me' (or work) profile then disable them in the owner profile. If I have to install a Google Play app (Microsoft Teams for my work profile), I enable Play and Play services in owner, install the app, push it to Work, then disable Play, Play services and the app in Owner. Then I go into the appropriate profile and use the app.

My thought is that, if I inadvertently use an app with a zero-day exploit that incorporates a sandbox-escape, my Owner profile should still be safe. I hope.

Yes, it's cumbersome, and yes, I've been dealing with the notification bugs and whatnot. I'm still determining if it's worth it to go this route. I'll still need the Work profile for legal reasons mentioned above, but I didn't really know about the private space before I set up the 'me' profile. I guess I need to see how much benefit is gained from sandbox-escape in private space vs. secondary profile.

DeletedUser499

W1zardK1ng

profiles/users etc,

just because you can, doesn't mean you should

Make your phone complicated and you will be less inclined to use it.

Nettishrin99

Thanks for the reply. I am starting to lean to that opinion. I used that feature because it made sense previously and simply because it was available but, practically, I don't know if the offered protections make sense in my case. The IPC threat is valid but I don't have enough technical expertise to judge how prevalent it is and whether GOS or Android already mitigate most of it. I will keep multiple profiles for the moment but in a few weeks I will have more time and re-evaluate if it does make more sense to transfer everything back to owner profile and use PS.

W1zardK1ng

Nettishrin99 With IPC apps can communicate each other with mutual consent but what they share, we don't know. I have seen fossify's phone and sms apps can read contacts stored inside their contacts apps but no other app can see it. Blocking IPC is a planned feature but complex to implement not sure when that will be live. If your apps are from different devs generally this is not an issue but again don't know what closed source apps can do in the background.
For sure apps from meta or google will communicate each other.

Nettishrin99

W1zardK1ng thanks for clarifying. Most of my apps are from different companies and are mostly privacy focused so IPC likely is of minimal threat. I hope GOS developers implement relevant protections and continue innovating so that we no longer need to discuss multiple profile solutions

KitsuneNoBaka

mmobder is there something better? With less holes and similar functionality?
My threat level is "f##k advertisers" so I don't care much for maximum de-googling.