Disabling exploit protections on an app and user profiles

ceramics

Just a quick question. Did a quick search but couldn't find some direct discussion.

I have multiple profiles, owner only provisions apps. If an app doesn't work with exploit protections, disabling them might be an issue only for the profile it's in or system wide? Could I have a not important profile to run such apps?

Also what the general stance regarding such an app? Is it immediate uninstall in any case or more like "meh, it came form the play store and it's for a legit service so it's probably ok" kind of thing?

Normally if it's a DCL and if I really want to use it, I let it slide, but anything else I think it's pushing it. I just base this on the fact that DCL are more frequent in my experience.

Johnnyloans

ceramics

Hello,

ceramics disabling them might be an issue only for the profile it's in or system wide?

Only for that 1 profile.

Could I have a not important profile to run such apps?

Yes

ceramics Also what the general stance regarding such an app?

Depends on your threat model. The general stance for important apps like financial apps is to keep it with the disabled exploit protections to make it work. My threat model is low, so I don't mind it. Concerning the "hardened memory allocator," I believe disabling MTE is a separation option so that is still in use. (MTE is pixel 8+ which I don't have)

Novalissoide

ceramics

Johnnyloans Only for that 1 profile.

An exception from this is 'Secure app spawning", which is a system wide setting.

ceramics

Johnnyloans

Novalissoide

Thank you