How Securely do User Profiles Contain/Sandbox Viruses?

ironwindow

What safeguards are implemented by GrapheneOS that prevent a malicious app in one user profile from breaking free and infecting other owner/user profiles? Should I ever treat user profiles in a way similar to how one would use Qube VM's in QubesOS?
For a hypothetical, let's say I install an app in a user profile, and this app turns out to be malicious.
Assume that I use Storage Scopes. Also assume that I don't grant the app any special system permissions, but it still has access to most other usual permissions, including but not limited to:

Having full network access
Record audio
Take pictures & videos
Run at startup
Run foreground service
Prevent phone from sleeping
Etc

How difficult would it be for the app to compromise other user profiles and the owner profile?

And btw, yes, I'm aware that the FAQ states that "The owner profile does not have access to the data in other profiles", but it doesn't specify anything else about data transfer and sandboxing between user profiles and how strictly it is enforced, if at all.

de0u

ironwindow How difficult would it be for the app to compromise other user profiles and the owner profile?

I don't think it's feasible to put a number on this, except maybe by collecting 200 Android CVE's and counting which ones don't work cross-profile, which is hard because very few users use multiple profiles.

But the attack surface is larger inside a profile.

ironwindow

de0u
So is it true then, unless if I'm the target of a highly-motivated state actor, that the chances of such an exploit taking place is negligibly low?

de0u But the attack surface is larger inside a profile.

Does it really matter much though? If what I understand above is true, that the risk of a cross-profile exploit is incredibly small, then one should be perfectly fine with having a somewhat larger attack surface inside their profiles just as long as their user profiles are compartmentalized correctly, since even if one of the profiles ends up compromised, all the other profiles should remain safe and untouched.
This is the kind of premise that underlies Qubes. You can't assume that the software you install will never contain buggy and/or malicious code. It will inevitably happen. The best way to mitigate this is just to keep apps/software/data separated in different VM's/profiles as a form of damage control.

What I wanted to find out from writing this post is if the cross-profile safeguards in GrapheneOS are robust enough for this sort of behavior to translate well into GrapheneOS.

de0u

ironwindow If what I understand above is true, that the risk of a cross-profile exploit is incredibly small, then one should be perfectly fine with having a somewhat larger attack surface inside their profiles just as long as their user profiles are compartmentalized correctly, since even if one of the profiles ends up compromised, all the other profiles should remain safe and untouched.

There are two issues (that I'm aware of):

The user-profile system is designed to leak information - hopefully tastefully. For example, some people want to be notified of an incoming call to Profile A while Profile B is active. Some people want contacts to be shared. And so on.
The user-profile system has multiple known bugs related to leaking information that it shouldn't.

One approach to apps that are plausibly malicious to be would be not running them. Another approach would be running them on a separate device that doesn't contain private information. It would be convenient to run lots of apps on one device with reliable information compartmentalization, but that isn't really a solved problem. VMs leak, Intel SGX leaks, etc.

So if somebody says something is probably less reliable than something else, or less reliable than one might like... that may well be true.

ironwindow

I've been reading into this a bit more, but I've only encountered more confusion in the matter, with forum members giving conflicting answers.
According to one mod, "Profiles don't provide any additional sandboxing"
But according to another mod, "in Android user profiles are separated via SELinux MLS (multi level security)"
So then, does the security system known as SELinux MLS not count as additional sandboxing/security?
It'd be greatly appreciated if somebody knowledgeable about the Graphene project, or Android security in general, could chime in here.

doublefree

ironwindow

So then, does the security system known as SELinux MLS not count as additional sandboxing/security?

Didn't gave you the second linked post the answer?

Any exploit that could cross the boundary between apps would likely be capable of crossing between user profiles.

ironwindow

de0u
Alright, so then if this is the state of things, then my best bet would be to not use different user profiles solely for security.
Was really hoping to use GrapheneOS similar to Qubes, but I guess it is what it is. :/

de0u

ironwindow Was really hoping to use GrapheneOS similar to Qubes, but I guess it is what it is.

There are multiple threads on this forum discussing Qubes and GrapheneOS. And a search for Qubes CVEs does not come up empty. GrapheneOS has a very solid verified boot implementation. Overall, it's not clearly prudent to run plausibly-malicious apps on GrapheneOS or on Qubes. Both platforms do provide additional security compared to their peers, but neither is perfect.

Please note that I do not speak for the GrapheneOS project.