Help me understand the best user profiles + work profiles set up for me

drinkablederanged

[deleted] What do you mean by 'read/write perms'? Apps can talk to each other mutually without requesting any type of permission from the user

I was reading this bit here https://grapheneos.org/faq
"Apps do not have access to user data by default and cannot ever access the data of other apps without those apps going out of the way to share it with them. If apps are granted read access to user data like media or contacts, they could use it to identify the profile. If apps are granted write access to user data, they could tag it to keep track of the profile"

[deleted] What do you mean by 'manipulating administration settings'? Apps can't mess up with sensitive stuff in your system but they can still do a lot of not-sensitive stuff

Okay good to know

[deleted]

drinkablederanged I was reading this bit here https://grapheneos.org/faq

Identifying the user profile is different from communicating with other apps.

[deleted]

drinkablederanged

"Apps do not have access to user data by default and cannot ever access the data of other apps without those apps going out of the way to share it with them."

The bolded part is the key here, hence the mutual part, any app can give another app permission to talk to it without any user interaction. But both apps have to participate. It's called IPC. It does not require network permission at all. If the apps are in the same profile they can potentially IPC period.

mmmm

[deleted]

This is such an annoying aspect, aside profiles there is no way to disable this? Or even tell it’s happening? I assume that this is something that apps can do in iOS ecosystem also, or is it an Android thing?

E24

mmmm Ive heard that in the future Graphene MAY have toggles for IPC but don't take my work for it BC I'm not 100% sure

[deleted]

mmmm Something like scopes for IPC is something that's been discussed quite a bit not sure if they are planning to do it.

mmmm

[deleted] that would certainly be a cool addition to what looks like (to a layman) a glaring hole in app security

N1b

drinkablederanged just wondering: What do you need Aurora and Neo Store for on the user profiles if you install all apps in the owner profile anyway? Wouldn't it decrease your attack surface if only the owner profile has the stores and does the updates? The owner profile won't have any app containing user data (so "talking" is not much of a risk factor) and all user profiles are as minimal as possible (without app stores, therefore also less potential "talking"). You could even deactivate network permission for all user apps on the owner profile so they can share data but not send it.

In your threat model, you'd probably have autoreboot turned on or at least a good habit for updates. You could do a daily reboot, sign in to the owner (which you'll have to) and use that occasion to check for updates.

PS: You can read a lot on this forum about work profiles being inherently less secure and private, so I don't get why you'd go from only user profiles to a work profile alongside user profiles. But that's another topic.

drinkablederanged

N1b
Interesting, just so I understand you correctly, how does that look? eg.
Owner:
Aurora, Neo

User profile 1:
Apps desired

From my understanding, Owner installs and distributes to user profiles.

Today I spent time learning about RSS and Obtainium, so I'm guessing those also stay on the owner profile?

Now I'm thinking for Play Services and Play Store on User Profile 1 for notifications, then another part of me is saying "defeats the whole purpose of this profile cause of IPC" or am I thinking wrong?

N1b

drinkablederanged yes you pretty much got it right. I guess you could keep it simple by choosing only 2 "store" apps:

Play Store or Aurora for apps you need from Google (e.g. banking apps)
Optainium, Droid-ify vor Neo Store for anything else

There are many threads on here discussing the differences. Those 2 apps of your choice are in your owner profile to install and update all needed apps and then you push them to as many user profiles as you wish for your threat model. If you need Google Play Services for notifications, you should install it according to the official guide.

I don't use Sandboxed Play Services like this, but I suspect some apps will only function properly if installed after you installed Play Services first. Here's what I would do when setting up GOS from scratch with your requests:

Set up the owner profile (settings like disable sensor permission by default, screen timeout, wifi timeout, auto reboot etc.).
Set up all desired user profiles and install Sandboxed Play Services on the profiles that need them.
Install "app stores" on owner profile (I'd choose Play Store and Obtainium for security reasons) and install all your apps, disable network access right away (uncheck box upon installation).
Push the apps to their respective profiles, disable app installation on all user profiles. Set up notification forwarding however you desire.
Complete setup of user profiles (settings, logging into apps etc.).

I have not done this myself as my threat model requires me to use 2 devices, but each without user profiles. Therefore this is theoretical, maybe wait a day or two for more experienced people to discover any flaws in this idea.

Skyway

drinkablederanged you don't need to install apps in owner and push them to other profiles . you can install in the profile you want them in .
If you install an app in user profile 2 it can be pushed to any profile besides owner via the owner setting .
The owner profile can be blank if you wish .
Which apps do you need push notifications for ?

drinkablederanged

N1b

N1b Set up notification forwarding however you desire.

If an app in the owner profile doesn't have network perms and an account signed in, wouldn't that mean there's no notification to push to the user profile? Or am I misunderstanding?

As far as I understand, if I want an app (that depends on google services) in a user profile to get notifs, they need the google trio (services, framework, store)

MrStreisand

N1b
hey! I've been looking on the forum for different options on how to intially set up my new gos device, and this suggestion from you looked the most interesting for my usecase, I really appreciate the time you took to write it out detailed enough for anyone to understand, also appreciated ur comment on keyboard+ offline speech to text suggestion in a different thread. I was hoping you could help me clarify a couple of things on this version of set-up.

When i'm looking at the suggested layout - it seems perfect to me, what are some downsides of this approach if any ? (inconvenience is negligible fo rme here, so i don't really care.)
If i have gPlay & Obtanium (i went with them after some research) on what logic do i base from which source i download the app, eg signal - i can have it through both, but in my head it doesn't really make much sense to download it from obtainium because the app will be used in a profile without google services anyway.
Is my understanding correct, none of the apps downloaded from play store will be able to communicate to google if they are used in a different profile?

P.S It is my intent to disable all 3 elements of the gPlay on the owner profile and re-enable them only when performing updates

Would really appreciate your or anybody else's input.

Cheers!

88dotorg

drinkablederanged

Your last "thinking" set-up, has the banking apps in a profile without Google, you get push notifications? I thought banking apps need Google to work, mine does.

You can download Obtainium in another profile, no need to download in the owner profile for look and download apps you want. Easy to understand is that each profile is like another phone you have, that's why need to set-up all settings from start in a new profile. And in the owner profile you can see all apps downloaded in your phone, meaning in all profiles, but if for your example you have download Tor in profile 2, you can see this in the owner profile, but you can't use this app in the owner profile. Apps downloaded in the owner profile can if you enable them, "push" to another profile so you no need to download them again, this is only for the owner profile, and not the other way around.

drinkablederanged

88dotorg Your last "thinking" set-up, has the banking apps in a profile without Google, you get push notifications? I thought banking apps need Google to work, mine does.

For my needs, I don't require notifications for my banking apps, all I need them to do is to check and manage my balance, I don't think I remember if my banking apps even send me notifications for anything, they always send through SMS (yeah I know, real bad).

drinkablederanged

Skyway Which apps do you need push notifications for ?

Sadly some mailing apps and social chatting apps that require GSF, play services

N1b

Skyway you don't need to install apps in owner and push them to other profiles

This is true, hopefully I didn't communicate the wrong idea here. My point was that OP wants as little "talking" between apps and therefore it would be best to have as little apps per profile installed. Using the owner profile as command center to install and update all apps for every profile provides simplicity and the smallest amount of apps per profile.

If you do install/update apps on every user profile, it's worth mentioning that you should install it from the same source. You cannot install different versions of the same app, e.g. install Mullvad from Play Store on one profile and from Obtainium or Neo Store on another (the second install will fail).

[deleted]

mmmm I think the reason it's not more widely considered a hole in security is because it requires the explicit intent of the developer of whatever app you're using to allow a specific app to access that data, then the other developer to program their app to access it. Another app couldn't just access the data by itself. However I would also appreciate the option.

N1b

drinkablederanged yes in this setup, notification forwarding makes only sense for Play Store and Obtainium on owner profile (and for whatever apps you need notifications from on user profiles). Not all apps need internet access for notifications to be useful (calendar, alarms, games with timer based reminders, productivity apps like todoist etc).

drinkablederanged

N1b

Would that defeat the purpose of security and privacy of the User profile if I install google's tro + sign into accounts I need notifications for in the owner profile?

N1b

drinkablederanged I can't really answer this. You need to define security and privacy in your threat model, and on GOS everything is more secure and private than on AOSP or Pixel OS by default.

There are things that Sandboxed Google Play Services can do to enable apps to see more stuff about you and also Google will see some stuff, but I'm no expert on the details. My general understanding is that you limit the privacy invasion of Google and other apps substantially and most people wouldn't worry about privacy with Sandboxed Google Play.

If you can find a way to live without the notifications find alternatives, this is of course the privacy cherry on top. For example: I use Tutanota instead of Protonmail exactly because I want notifications on my private GOS device but no Google Play Services, and Protonmail depends on GSF for notifications unfortunately.

So in short: With your idea of segregating apps over different user profiles and only installing Sandboxed Play in some of them, you should be within most thread models on this forum (maybe you're even overdoing it for your own needs). In the end only you will know, you can check out privacyguides for basic threat modeling if you're not sure where to start.

drinkablederanged

N1b

Thank you for taking the time for the thorough replies, I really appreciate it.

Sometimes I have been thinking of other models that fit with me that I haven't mentioned here and reading more on other's setups to get a better idea, so I'll think I've settled a comfortable setup for now, and if I just need something specific, instead of wiping my main profiles again I'll just make a new profile for it