• General
  • Apps in owner profile detect Play Services in work profile

I use Shelter to setup a work profile next to my owner profile for the convenience. I installed the sandboxed Google Play Services in the work profile for some apps that depend on it.

The initial issue is, that apps in the owner profile seem to be able to detect that the Play Services are installed, but obviously can't access them. I'm not sure why apps in the main profile space can detect what is installed in the work profile app space in the first place, but this behaviour leads to the main issue:

Some apps in the owner profile, when installed after the Play Services were installed in the work profile, are designed to use GCM/FCM if available and only fallback to alternative methods for push messages like polling if Play Services aren't present.

A subset of these apps refuse to fallback, since Play Services were detected, despite it not being usable in the owner profile and can't seem to be manually configured to force a fallback. This unfortunate combination of factors prevents those apps from providing push messages at all. A prominent example would be the official ProtonMail Client.

Now there obviously are a number of potential workarounds to counteract this, e.g:

  • Temporarily remove sandboxed Play Services from work profile, reinstall affected apps in owner profile, reinstall sandboxed Play Services in work profile
  • Utilize another user profile instead of a work profile

Neither of these approaches seem to be practical to me. The first one may have the potential to break existing apps in the work profile depending on Play services, though I haven't tested this, and the second one simply isn't all that convenient.

I'm quite sure this is an architectural limitation of the Android implementation of work profiles, but I'm asking for help/sugggestions on the off chance that this behaviour can be mitigated.

    ChooChoo The other option is to install Play Services in your main profile. Besides that and the options you mentioned, there isn't a way to mitigate the issue you described. Work profiles do not and cannot provide the same level of isolation as user profiles.

    Regarding the inconvenience of using multiple user profiles, GrapheneOS has cross-profile notifications if you want to try them (although I understand they don't solve all the inconveniences of multiple profiles).

    In order not to make a new thread for every bit of information:

    • widget to switch to another user profiles
    • or at least a shortcut for com.android.systemui.user.UserSwitcherActivity
    • option to default new apps to network = off*
    • secondary private DNS (instead of Cloudflare as fixed fallback)
    • 3 button navigation: options for long-press (like display-off or kill app in the foreground)

    *might also be useful in case of the bug where Android resets the permissions from time to time. Setting the default to "deny" could save you from data leaks.

    Thanks for the great work on this project!

      SquirrelMaster secondary private DNS (instead of Cloudflare as fixed fallback)

      I would love to be able to setup NextDNS as the primary for DNS... for now I use the app

      a year later

      So if this intended behaviour that apps can see what's installed in the work profile?