[deleted]
mmmm Something like scopes for IPC is something that's been discussed quite a bit not sure if they are planning to do it.
Help me understand the best user profiles + work profiles set up for me
- Edited
drinkablederanged just wondering: What do you need Aurora and Neo Store for on the user profiles if you install all apps in the owner profile anyway? Wouldn't it decrease your attack surface if only the owner profile has the stores and does the updates? The owner profile won't have any app containing user data (so "talking" is not much of a risk factor) and all user profiles are as minimal as possible (without app stores, therefore also less potential "talking"). You could even deactivate network permission for all user apps on the owner profile so they can share data but not send it.
In your threat model, you'd probably have autoreboot turned on or at least a good habit for updates. You could do a daily reboot, sign in to the owner (which you'll have to) and use that occasion to check for updates.
PS: You can read a lot on this forum about work profiles being inherently less secure and private, so I don't get why you'd go from only user profiles to a work profile alongside user profiles. But that's another topic.
N1b
Interesting, just so I understand you correctly, how does that look? eg.
Owner:
Aurora, Neo
User profile 1:
Apps desired
From my understanding, Owner installs and distributes to user profiles.
Today I spent time learning about RSS and Obtainium, so I'm guessing those also stay on the owner profile?
Now I'm thinking for Play Services and Play Store on User Profile 1 for notifications, then another part of me is saying "defeats the whole purpose of this profile cause of IPC" or am I thinking wrong?
- Edited
drinkablederanged yes you pretty much got it right. I guess you could keep it simple by choosing only 2 "store" apps:
- Play Store or Aurora for apps you need from Google (e.g. banking apps)
- Optainium, Droid-ify vor Neo Store for anything else
There are many threads on here discussing the differences. Those 2 apps of your choice are in your owner profile to install and update all needed apps and then you push them to as many user profiles as you wish for your threat model. If you need Google Play Services for notifications, you should install it according to the official guide.
I don't use Sandboxed Play Services like this, but I suspect some apps will only function properly if installed after you installed Play Services first. Here's what I would do when setting up GOS from scratch with your requests:
- Set up the owner profile (settings like disable sensor permission by default, screen timeout, wifi timeout, auto reboot etc.).
- Set up all desired user profiles and install Sandboxed Play Services on the profiles that need them.
- Install "app stores" on owner profile (I'd choose Play Store and Obtainium for security reasons) and install all your apps, disable network access right away (uncheck box upon installation).
- Push the apps to their respective profiles, disable app installation on all user profiles. Set up notification forwarding however you desire.
- Complete setup of user profiles (settings, logging into apps etc.).
I have not done this myself as my threat model requires me to use 2 devices, but each without user profiles. Therefore this is theoretical, maybe wait a day or two for more experienced people to discover any flaws in this idea.
Your last "thinking" set-up, has the banking apps in a profile without Google, you get push notifications? I thought banking apps need Google to work, mine does.
You can download Obtainium in another profile, no need to download in the owner profile for look and download apps you want. Easy to understand is that each profile is like another phone you have, that's why need to set-up all settings from start in a new profile. And in the owner profile you can see all apps downloaded in your phone, meaning in all profiles, but if for your example you have download Tor in profile 2, you can see this in the owner profile, but you can't use this app in the owner profile. Apps downloaded in the owner profile can if you enable them, "push" to another profile so you no need to download them again, this is only for the owner profile, and not the other way around.
drinkablederanged you don't need to install apps in owner and push them to other profiles . you can install in the profile you want them in .
If you install an app in user profile 2 it can be pushed to any profile besides owner via the owner setting .
The owner profile can be blank if you wish .
Which apps do you need push notifications for ?
88dotorg Your last "thinking" set-up, has the banking apps in a profile without Google, you get push notifications? I thought banking apps need Google to work, mine does.
For my needs, I don't require notifications for my banking apps, all I need them to do is to check and manage my balance, I don't think I remember if my banking apps even send me notifications for anything, they always send through SMS (yeah I know, real bad).
- Edited
Skyway Which apps do you need push notifications for ?
Sadly some mailing apps and social chatting apps that require GSF, play services
Skyway you don't need to install apps in owner and push them to other profiles
This is true, hopefully I didn't communicate the wrong idea here. My point was that OP wants as little "talking" between apps and therefore it would be best to have as little apps per profile installed. Using the owner profile as command center to install and update all apps for every profile provides simplicity and the smallest amount of apps per profile.
If you do install/update apps on every user profile, it's worth mentioning that you should install it from the same source. You cannot install different versions of the same app, e.g. install Mullvad from Play Store on one profile and from Obtainium or Neo Store on another (the second install will fail).
N1b Set up notification forwarding however you desire.
If an app in the owner profile doesn't have network perms and an account signed in, wouldn't that mean there's no notification to push to the user profile? Or am I misunderstanding?
As far as I understand, if I want an app (that depends on google services) in a user profile to get notifs, they need the google trio (services, framework, store)
- Edited
drinkablederanged yes in this setup, notification forwarding makes only sense for Play Store and Obtainium on owner profile (and for whatever apps you need notifications from on user profiles). Not all apps need internet access for notifications to be useful (calendar, alarms, games with timer based reminders, productivity apps like todoist etc).
Would that defeat the purpose of security and privacy of the User profile if I install google's tro + sign into accounts I need notifications for in the owner profile?
[deleted]
- Edited
mmmm I think the reason it's not more widely considered a hole in security is because it requires the explicit intent of the developer of whatever app you're using to allow a specific app to access that data, then the other developer to program their app to access it. Another app couldn't just access the data by itself. However I would also appreciate the option.
drinkablederanged I can't really answer this. You need to define security and privacy in your threat model, and on GOS everything is more secure and private than on AOSP or Pixel OS by default.
There are things that Sandboxed Google Play Services can do to enable apps to see more stuff about you and also Google will see some stuff, but I'm no expert on the details. My general understanding is that you limit the privacy invasion of Google and other apps substantially and most people wouldn't worry about privacy with Sandboxed Google Play.
If you can find a way to live without the notifications find alternatives, this is of course the privacy cherry on top. For example: I use Tutanota instead of Protonmail exactly because I want notifications on my private GOS device but no Google Play Services, and Protonmail depends on GSF for notifications unfortunately.
So in short: With your idea of segregating apps over different user profiles and only installing Sandboxed Play in some of them, you should be within most thread models on this forum (maybe you're even overdoing it for your own needs). In the end only you will know, you can check out privacyguides for basic threat modeling if you're not sure where to start.
Thank you for taking the time for the thorough replies, I really appreciate it.
Sometimes I have been thinking of other models that fit with me that I haven't mentioned here and reading more on other's setups to get a better idea, so I'll think I've settled a comfortable setup for now, and if I just need something specific, instead of wiping my main profiles again I'll just make a new profile for it
a month later
N1b
hey! I've been looking on the forum for different options on how to intially set up my new gos device, and this suggestion from you looked the most interesting for my usecase, I really appreciate the time you took to write it out detailed enough for anyone to understand, also appreciated ur comment on keyboard+ offline speech to text suggestion in a different thread. I was hoping you could help me clarify a couple of things on this version of set-up.
- When i'm looking at the suggested layout - it seems perfect to me, what are some downsides of this approach if any ? (inconvenience is negligible fo rme here, so i don't really care.)
- If i have gPlay & Obtanium (i went with them after some research) on what logic do i base from which source i download the app, eg signal - i can have it through both, but in my head it doesn't really make much sense to download it from obtainium because the app will be used in a profile without google services anyway.
- Is my understanding correct, none of the apps downloaded from play store will be able to communicate to google if they are used in a different profile?
P.S It is my intent to disable all 3 elements of the gPlay on the owner profile and re-enable them only when performing updates
Would really appreciate your or anybody else's input.
Cheers!
- Edited
also a quick question - just now setting up a 2nd profile and the settings said that i can update and install apps from any profile.
so the 4th question would be - why manage all the apps on the owner - wouldn't it be more logical to create an 'app manager profile' and use that to do the updates?
Thanks!
eddit:
i think the settings notification is wrong or I misunderstood as i don't see a way to install the apps from the secondary profile to the owner
MrStreisand thanks for the kind words!
I lack the experience to know all the downsides to a "many user profiles" approach. You'll definitely miss some settings on user profiles compared to owner (e.g. WiFi and Bluetooth timeout are set globally in the owner profile, developer settings can't be unlocked etc.), but that can also be a good thing since it increases security (and dev settings are not recommended in general). Maybe using many profiles have some significant storage or battery usage impact since they can stay active in the background. And you'll have to set up a VPN per profile which is intentional, but it uses up your device slots in your VPN subscription (e.g. 5 profiles would use up one entire Mullvad license). There's probably more downsides, let's hope someone else can point them out.
Often the app is the same on gPlay and via Obtainium (it is with Signal). When this is the case, I'd use the gPlay version for convenience and security. Obtainium is a great complementary tool for when you want to use apps like Newpipe, replace or extend Signal with Molly (or get a beta version of Signal), use the full IVPN feature set or have apps like Simple Gallery Pro for free. There are many good reasons to have both sources, but I'd say more often than not gPlay would be my main source.
No every app can decide for itself what it collects and sends out. You can control the borders the app operates in (with storage and contact scopes, network and sensor permission, DNS firewall etc.) but if an app uses Google trackers and can send stuff to Google, it will do so, independently of its installation source or whether you use Play Services or not. At least that's my understanding and why I prefer FOSS software with no Google implementations whenever possible and reasonable.
As I understand it you can install and update apps on any profile (and identical apps will be updated for every profile simultaneously), but you can only push apps from the owner profile to user profiles. So in order to have this "one profile is the control and update center" approach, it must be the owner.
Hope this helps you and also triggers more educated people than me to comment and add ideas or correct me if I got anything wrong.
a year later
N1b hello, I too am researching about profile set ups. There seems to be a lot of good posts about this, however how exactly does one set up different profiles in graphene?
Specifically how would I log out and in to each profile?
Apps like Facebook messenger I don't like sitting right next to Signal app (for instance). Is this a legitimate concern, or would creating another profile on the same phone not help?
Thank you.