akc3n 3.1 - Temporarily disable secure app spawning.
Setting ➔ Security ➔ Enable secure app spawning
3.2 - Restart device. Launch app to see if this GrapheneOS feature caused the compatibility issue. The app may be refusing to run if it detects a different spawning mechanism.
Significant security loss and directly affecting some privacy using Zygote
Disabling exec-based spawning reverts to using the traditional Zygote spawning model AOSP's app processes
Spawned as a clone of the Zygote
Each app process has the same random secrets for ASLR, SSP, memory tagging, pointer authentication, setjmp canaries, and heap randomization
Half of the userspace is made of app processes
Applies across all profiles
App in profile A and profile B have same random values, which they can see
3.3 - Revert to secure spawning by enabling it again and restart device.
See step 3.1 above.
I suspect I wouldn't be the first person to suggest this, and I also wouldn't be surprised if the devs have already rejected the idea, but does anyone know if there's any consideration of adding, in the future, Per-app Secure Spawning?
I imagine this would work by following the normal Secure Spawning process for most apps, but somehow caching whatever's the default (insecure) Zygote spawn process. Then if an app does misbehave, the user can disable Secure Spawning for that app only, in which case that app will use the cached insecure process. No idea if this would work in practice, but it would be a real nice compatibility feature. I currently have Secure Spawning disabled because a single app (that I can't live without) crashes when it's enabled. It's a waste, and a big security hole.