Private spaces and permissions

prog-amateur

Thank you for your various discussions about private spaces. However, there is one point that I did not find in the exchanges:

Can an application installed in the private space that (unreasonably) requests access to the call log, contacts, or files (photos, among other things) retrieve its data from the main space when the private space is unlocked?
The same applies to applications that use known trackers such as Google Firebase Analytics, Google CrashLytics, etc.: can they track activity in the main space once the private space is unlocked?

Thank you for your feedback.

ryrona

prog-amateur Can an application installed in the private space that (unreasonably) requests access to the call log, contacts, or files (photos, among other things) retrieve its data from the main space when the private space is unlocked?

All files access (including photos) are per profile, so apps in the hidden space, even if you grant full files access, can only see, access and modify files that are stored in the hidden space, not the main profile at all. GrapheneOS also implements a Storage Scope feature where you can grant full files access to an app, without actually granting it any files access at all or only select files you want, so you will never actually need to grant these permissions to any app ever. Actually, never do that. If the app don't work if you click deny, choose to setup Storage Scope instead.

I don't know how call logs and contacts work. But for contacts GrapheneOS implements a Contact Scopes feature that grants full access to all contacts, without actually granting access to any contacts other than the ones you want to (which can be zero). So again, you never ever need to grant contact permission to an app. If the app does not work if you click deny, select to setup Contact Scopes instead. Never actually grant contact permission.

prog-amateur The same applies to applications that use known trackers such as Google Firebase Analytics, Google CrashLytics, etc.: can they track activity in the main space once the private space is unlocked?

GrapheneOS does not implement any tracking. If there is a tracker, it is implemented in a specific third-party app you have installed yourself. The tracker will only be able to track activity in that single app, not other apps (unless those other apps specifically allow it), since the tracker will be sandboxed to the same level as the app itself.

prog-amateur

Thank you very much for your very helpful response. I would also like to share this information taken from the official Grapheneos FAQ:

GrapheneOS has a compatibility layer providing the option to install and use the official releases of Google Play in the standard app sandbox. Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access. Instead, the compatibility layer teaches it how to work within the full app sandbox. It also isn't used as a backend for the OS services as it would be elsewhere since GrapheneOS doesn't use Google Play even when it's installed.

Since the Google Play apps are simply regular apps on GrapheneOS, you install them within a specific user or work profile and they're only available within that profile. Only apps within the same profile can use it, and they need to explicitly choose to use it. It works the same way as any other app and has no special capabilities. As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions. Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play.

If I understand correctly, this means that if I install Google Play Services from the Grapheneos app store in the private space, this app will not be installed in my main Space and it will not be able to spy on my main Space too, as it is confined to a sandbox like a normal app and does not have system permissions like a standard Android smartphone would. Please correct me if I am wrong.

Also according to the documentation, I understand the following :

Network and sensors (accelerometer, gyroscope, etc.) : Toggle visible upon installation, can be manually disabled.
Storage, camera, microphone, location : Permission requested upon first use

So, even in the same Space, there would be less risk of unwanted access, and the choice is given by default.

Please correct me if I am wrong here too.

Thanks again to the members of this forum and the Grapheneos team for their remarkable work 🏅

ryrona

prog-amateur If I understand correctly, this means that if I install Google Play Services from the Grapheneos app store in the private space, this app will not be installed in my main Space and it will not be able to spy on my main Space too, as it is confined to a sandbox like a normal app and does not have system permissions like a standard Android smartphone would.

Correct. In fact, many users install Google Play Services in the private space just for this reason, so it cannot access any data or talk to any app in the main profile. Google Play Services also works fine with no permissions other than Network permission granted to it.

prog-amateur Also according to the documentation, I understand the following :

Network and sensors (accelerometer, gyroscope, etc.) : Toggle visible upon installation, can be manually disabled.
Storage, camera, microphone, location : Permission requested upon first use

So, even in the same Space, there would be less risk of unwanted access, and the choice is given by default.

Correct.

Except Sensors permission is not asked for during app installation like Network permission is, but instead there is a default value Allowed/Deny that you can configure in Settings -> Security and Privacy -> More security and privacy settings -> Allow Sensors permission to apps by default. You can safely toggle this off. Sensors can be used as a microphone, so should really have been controlled by Microphone permission in my opinion. But I have not met a single app that need Sensors permission, they all work just fine without, so this is super safe to deny by default.

Sometimes apps ask for Storage permission or Camera permission or similar when you want to share a file. All apps I have met that does this works just fine if you select Deny. You can still use the system file picker to select the file you want to share, without giving the app any additional access.