If you don't have a reason to use multiple profiles, don't use them, GOS sandboxing and security mitigations still apply.

One may have concerns about inter-process communication between apps and Play Services, and using multiple profiles mitigates that. But if you don't have a specific reason like "I don't want app X to be able to communicate with Google servers because Y", then it doesn't make sense to create multiple profiles just to isolate Play Services.

    Something I've been wondering about: would it ever be possible to completely eliminate the need for multiple profiles? I can't see how this might even be implemented.

      Apart from Sandboxed Play Services and IPC angle, there are other aspects of user profiles that make them attractive, for example:

      • Having profile data encrypted at rest unless opened, e.g. password manager or some sensitive data
      • Separate VPN / Orbot per profile
      • Using the same phone by family members, e.g. kids
      6 months later

      Hi everyone,

      newbie here :)

      I've been reading lots of forum posts and I really appreciate the helpful and friendly community here!

      To keep it as short as possible, I'm currently still not clear on what the actual benefits of having more than one profile would be.

      What I gathered from this thread here and many related threads is that multiple profiles mainly help to prevent apps from communicating with each other and with Google Play Service.

      (The other benefits like encrypted profile data or multiple family members don't apply to me or are less important, since the data is encrypted anyway unless the phone is unlocked because it's currently in use).

      I've also understood that each person's threat model is different and has to be evaluated individually.

      However, that's not enough, because in order to make an informed decision for or against multiple profiles, I would also need to understand the benefits and downsides clearly.

      So here are my questions:

      1) Since GOS sandboxes each app anyway and doesn't allow it to "trespass" beyond its sandbox unless I specifically allow it, what difference does it make whether the app lives in the owner profile or a separate one?

      2) If an app requires Google Services to work (like some banking apps, let's say), then they need to and probably will communicate with Google Services. Therefore, they need to live in the same user profile.
      Moreover, this communication is going to be strictly limited between those 2 apps.
      Having these 2 apps in a separate folder doesn't change anything about this situation, so again, how is it different from having them in one single owner profile along with all other apps?

      3) For clarity, let's take a specific example: What exactly would be different if I were to use, let's say:

      • Signal
      • Google Maps
      • Gmail
      • banking apps

      to name a few in one single owner profile, compared to separating the Google and banking apps into a separate profile?
      Maybe pointing out what specifically would change from a security or privacy point would help me get a better grasp on this.

      4) A lot of people here seem to be particularly "worried" about the Google Play Store and either put it in a separate folder or choose Aurora instead.
      I am probably missing something here, but isn't the "only" relevant difference that I need a gmail address to use the Play Store?
      So the main reason for choosing Aurora over the Play Store would be that Google doesn't know which apps I'm downloading?
      Because from my understanding, with GOS it still won't get any data on how I use those downloaded apps (unless I give those apps permissions to communicate with the Play Store), Google only knows that I downloaded the apps, correct?

      Thanks so much!

        Giklunewas An average user can use a single Owner profile, enjoy the simplicity of this setup and still benefit from the security and privacy improvements GrapheneOS provides. Some users choose to use multiple user profiles because some of their properties feel beneficial to their specific use cases.

        Addressing your questions:

        1) Access to files for apps in the same profile is restricted by permissions and scoped storage which is a great feature on GOS and can effectively isolate storage access between apps. However, apps in the same profile still share the same network (e.g. IP address) and, also, can communicate with each other over RPC with mutual consent.

        2) In that specific scenario, some people may have a concern that all other apps would be able to communicate with Google Play Services, and it can be perceived as a privacy concern given the common attitude towards Google and their privacy practices.

        3) With a single profile Signal would use Play Services for push notifications. Google won't know the content of your Signal messages but they will know the exact timestamp when you receive each new Signal message. Some people may view it as a downgrade in their privacy.

        Also, some people prefer to use Signal over VPN or Tor connection. Having Signal installed in a separate user profile with a VPN or Orbot isolates Signal network traffic from, say, your banking app network traffic to reduce the risk of correlation and eventually figuring out who that Signal user is even if Signal is used with a phone number purchased anonymously.

        4) You are right that for most users using Play Store and Play Services is totally fine and is the most convenient way to use your phone. There are some more nuanced details that matter only for users with very specific needs or a high threat model, for example once Play Services are installed all apps can communicate with it, they don't need to ask the user for permission. And because the majority of apps are developed to work on the stock OS, they often use Play Services for some functionality (push notifications is common but not the only one).

          First off, thanks so much for your detailed reply!

          It seems that the following fact you mentioned is a main factor for choosing multiple profiles:

          evalda once Play Services are installed all apps can communicate with it, they don't need to ask user for permission.

          To be honest, not only did I not know this, but it's quite surprising to learn this.

          Would you mind elaborating on this, please?

          There are quite a few questions that come to mind spontaneously after learning this, like:

          1) How is this even possible? I thought GOS made a point about treating Google Services exactly like any other apps, sandboxing them the same way and not granting them any privileged permissions?

          2) How can the other apps just communicate with Play Services without asking for permission? This seems to completely undermine the control GOS promises. If I don't give an app a specific permission, how does it do such things anyway?

          3) Furthermore, in order for the other apps to just start communicating with Play Services, they must somehow know that it is installed in the first place. How could they possibly know this without leaving their sandbox and scanning the OS for other installed apps?

          4) If this situation is what it is, then is there at least a way to know what kind of information and data any given app communicates to Play Services?

          5) Is this type of communication without permission by design from GOS, or is it more like a known issue that will be fixed?

          Again, thanks so much for clarifying this!

            Giklunewas It is not actually as bad as it may sound! 😀 The fact that apps can talk to Play Services is important so that Play Services can provide value to the user, e.g. push notifications. It is not "evil", a bug, an oversight or anything of that nature. It is how it was designed by the Android team and totally normal.

            1) Apps in the same user profile can communicate with each other with mutual consent. No user permission is required for that to happen, just both apps need to agree. This is how Android works and not specific to Play Services or GOS. Sandboxing does not prevent apps from communicating with each other, it's not what sandboxing is for. Play Services on GOS is treated exactly like any other app, it doesn't have any special "superpowers".

            2) User permission is not needed for apps to be able to talk to each other. This is how Android works in general, GOS never promised to introduce a new permission for that.

            3) Any app can get a list of all apps installed in that user profile. No permission is required for that. Again, this is an Android thing, nothing to do with GOS or Play Services. However, this is not how apps know that Play Services are present; they use their API (the app-to-app communication we talked about above) to determine that.

            4) Technically you can look into an app's manifest and see what "intents" they declare. However, it's not a meaningful solution for most users who are not knowledgeable in Android technical nuances (e.g. developers). For example, you can expect most mainstream apps that have notifications to rely on Play Services for such functionality.

            5) It is by design from AOSP (Android), not from GOS. In fact it has nothing to do with GOS.
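
            The "communicate over RPC with mutual consent" point in the earlier reply (question 1) and the manifest suggestion in question 4 above both come down to the same thing: an app is reachable by other apps in the profile only through components it marks as exported in its AndroidManifest.xml, optionally guarded by a permission. As an added example, not from this thread or the GrapheneOS project, here is a small Python script that audits a decoded manifest (for instance one produced by apktool) and lists which components any co-installed app could invoke. The sample manifest, the package name and the component names are constructed for illustration.

            ```python
            """Audit a decoded AndroidManifest.xml for components other apps can reach."""
            import xml.etree.ElementTree as ET

            ANDROID_NS = "http://schemas.android.com/apk/res/android"
            COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

            # Constructed sample manifest; not taken from any real app.
            SAMPLE_MANIFEST = """
            <manifest xmlns:android="http://schemas.android.com/apk/res/android"
                package="com.example.sampleapp">
              <application>
                <!-- Launcher entry point: exported so the launcher can start it -->
                <activity android:name=".MainActivity" android:exported="true">
                  <intent-filter>
                    <action android:name="android.intent.action.MAIN"/>
                    <category android:name="android.intent.category.LAUNCHER"/>
                  </intent-filter>
                </activity>
                <!-- Service any app in the profile can bind to by sending this action -->
                <service android:name=".PushService" android:exported="true">
                  <intent-filter>
                    <action android:name="com.example.sampleapp.PUSH"/>
                  </intent-filter>
                </service>
                <!-- Internal worker: not reachable from other apps -->
                <service android:name=".SyncService" android:exported="false"/>
                <!-- Exported but guarded: only apps holding the permission can query it -->
                <provider android:name=".DataProvider"
                    android:authorities="com.example.sampleapp.data"
                    android:exported="true"
                    android:permission="com.example.sampleapp.permission.READ_DATA"/>
                <!-- Intent filter present but android:exported omitted -->
                <receiver android:name=".BootReceiver">
                  <intent-filter>
                    <action android:name="android.intent.action.BOOT_COMPLETED"/>
                  </intent-filter>
                </receiver>
              </application>
            </manifest>
            """


            def _attr(elem, name):
                """Read an attribute from the android: namespace."""
                return elem.get(f"{{{ANDROID_NS}}}{name}")


            def audit_manifest(manifest_xml):
                """Return one record per component with its effective exported status."""
                root = ET.fromstring(manifest_xml)
                app = root.find("application")
                results = []
                for comp in app:
                    if comp.tag not in COMPONENT_TAGS:
                        continue
                    actions = [_attr(a, "name") for a in comp.iter("action")]
                    exported_attr = _attr(comp, "exported")
                    if exported_attr is None:
                        # Before Android 12 a component with an intent filter was exported by
                        # default; Android 12+ refuses to install an app that omits the attribute
                        # on such a component, so treat the omission as a finding.
                        exported, explicit = bool(actions), False
                    else:
                        exported, explicit = exported_attr == "true", True
                    results.append({
                        "type": comp.tag,
                        "name": _attr(comp, "name"),
                        "exported": exported,
                        "explicit": explicit,
                        "permission": _attr(comp, "permission"),
                        "actions": actions,
                    })
                return results


            def reachable_without_permission(results):
                """Components any co-installed app may invoke: exported and not permission-guarded."""
                return [r["name"] for r in results if r["exported"] and not r["permission"]]


            def missing_exported_attr(results):
                """Components with an intent filter but no explicit android:exported value."""
                return [r["name"] for r in results if r["actions"] and not r["explicit"]]


            if __name__ == "__main__":
                audit = audit_manifest(SAMPLE_MANIFEST)
                for r in audit:
                    guard = f" (requires {r['permission']})" if r["permission"] else ""
                    print(f"{r['type']:<8} {r['name']:<14} exported={r['exported']}{guard}")
                print("reachable by any app:", reachable_without_permission(audit))
                print("exported attribute missing:", missing_exported_attr(audit))
            ```

            The point the script makes concrete: nothing here involves a runtime permission prompt. Whether another app in the same profile can talk to a component is decided by the exporting app's manifest (and any permission it attaches), which is the "mutual consent" described above. Running it against a real decoded manifest shows which of an app's components are open to every other app in the profile, which is the relevant question when deciding whether separating apps into another profile buys anything.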

              Giklunewas To be honest, not only did I not know this, but it's quite surprising to learn this.

              Respectfully, you really should read the Graphene FAQ and Usage guide along with the rest of the documentation provided on the website. Seriously. Why waste others' time answering questions that you can read up on yourself? Be respectful and educate yourself.

                f13a-6c3a Not only did I spend several days reading through Graphene's FAQ and features before making the decision to switch to GOS, but also reading a lot in this forum here (as I mentioned right in the beginning).

                Apologies if I still have lingering questions despite my research, but I'm a non-technical average user and to be honest, much of the explanations on Graphene's website go over my head.

                If you do think the questions I asked were already clearly answered in the FAQ, feel free to link to the specific section - as far as I can tell with my limited understanding, that's not the case.

                While my questions may seem trivial and obvious to you and maybe some others with a tech background, I assure you that I never intend to waste anyone's time and I'm very thankful for @evalda 's patience and helpful explanations.

                  evalda Again, thanks so much for your answers :) !

                  Then I obviously greatly misunderstood both the explanation on Graphene's website here where it says

                  Apps do not have access to user data by default and cannot ever access the data of other apps without those apps going out of the way to share it with them.

                  And then here from the android sandbox explanation where it says:

                  By default, apps can't interact with each other and have limited access to the OS.

                  Can you see why that might easily be understood to contradict your explanation :) :

                  Apps in the same user profile can communicate with each other with mutual consent. No user permission is required for that to happen, just both apps need to agree.

                  That is quite different than "both apps going out of their way to share".

                  But thanks for clearing that up for me!

                  Now I know that apps are not as separated / isolated from each other as I thought!

                  Giklunewas While my questions may seem trivial and obvious to you and maybe some others with a tech background, I assure you that I never intend to waste anyone's time and I'm very thankful for @evalda 's patience and helpful explanations.

                  Thank you for kindly replying to my suggestion and clarifying that you already did that. I hope you get your questions clarified. I'd contribute but my knowledge on your questions is not as solid as others.

                  7 months later

                  evalda One may have concerns about inter-process communication between apps and Play Services and using multiple profiles mitigates that.

                  What does this mean exactly?
                  What can apps "say" to each other?
                  What kind of privacy-sensitive information can they share with each other? Not a lot to worry about, I guess?