Security implications of weaker PINs/passwords on secondary user profiles?

bayerelm

What are the security implications of having a weaker PIN or password on user profiles? I'm asking this because right now I use the same strong password as an unlocking method for all of my profiles, but it can be a bit of a hassle when switching profiles.
Some of my secondary profiles really don't have anything sensitive in them and I wouldn't care if someone had access to them really.

So really, I suppose my question is this: if a malicious actor gets access to a secondary profile, do they access to anything else than the data on that profile? Is there any risk for the other profiles or the phone itself?

Thanks a lot in advance.

Resonate0765

bayerelm my caveman understanding is that a weak password is still secure against brute force attempts since it will be relying on the secure hardware element aka the titan m. Heres a link for more info (I think I added the link correctly haha)

bayerelm

Resonate0765 I suppose that's true for weaker but still reasonable passwords/pins, tho not for something like 1111. Of course thats never advisable to put that as a PIN and I don't intend to do it, but theoretically, if I did set up an awfully easy to guess pin for a user profile in which there is nothing sensitive (say, a profile dedicated to games, for instance), would it actually be an issue and potentially still compromise the phone and/or the other profiles?

Resonate0765

bayerelm yeah thats true about pin but like you said just dont shoot yourself in the leg. To answer the other question to the best of my ability (someone more knowledgeable chim in if im wrong) since each user profile is sandboxed, especially from the admin profile, theres really not much a normal and even advanced attacker can do if one profile gets compromised, assuming no new upstream exploit or other vulnerability is found. You can even further limit each profile to harden it for example theres a toggle for not allowing installations of applications via third party that alone will stop any crackhead or other small theives.

edebbbb

I'd like to revive this thread in hopes of getting a more comprehensive answer.

My setup is essentially different profiles for different purposes, with the primary profile not being the owner profile. So I have a second profile that I use daily as my actual profile, and several other profiles for other purposes for example Travel.

My goal behind several profiles is to segment data and apps across profiles, so the data and apps not in use are better protected. If I hand over my phone to a border agent while traveling, I would be inside the Travel profile with no personal data or apps other than what is necessary for travel.

I have strong passwords on the owner and primary profile because I use those daily and they have the most sensitive access. I wouldn't really want to use such a strong password for other profiles that I rarely use, because it would be a lot harder to remember and annoying to type when I do need it, especially if the profile doesn't have much sensitive data if at all. The primary reason I bring this back up is to gain a better understanding of the following comment from this thread.

If an attacker has access to any user profile, a huge amount of attack surface is exposed.

Could someone elaborate on this? If someone has (or gains) access to an arbitrary user profile, how much easier does it become for him to access my primary user profile and/or data within it (data at rest vs. not at rest), or any other user profile for that matter? I'd like to also consider the scenario where one has a distrust for the secure element (ie. assume it doesn't exist or doesn't work). While I do trust the secure element, my most sensitive profiles do still have passwords that don't rely on the secure element as a "just in case" or "why not".

de0u

edebbbb If someone has (or gains) access to an arbitrary user profile, how much easier does it become for him to access my primary user profile and/or data within it (data at rest vs. not at rest), or any other user profile for that matter?

If someone has access to the device they can trigger exploits. I believe there have been GPU driver exploits that have been accessible by playing malicious video. So an attacker could direct a web browser to a web site hosting such a video and potentially take control of the device. What kind of control? Potentially installing a malicious app that would be later run by one of your higher-security profiles.

Android user profiles provide some amount of app isolation, and provide separate encryption. But they just do not provide the same guarantees as a separate device, neither in terms of security nor privacy.