n00b user - am I using Profiles & Google Play Services correctly?

numbersinthenamefield

Just switched to GOS.

I have a Owner profile, and Sandbox profile.

Only Sandbox has Google Play Services & Google Services Framework installed.
I then run Google Maps and Uber from the Sandbox account only. GMaps usage not logged in.
Only Sandbox account has Location Services on.
I have Network & Sensor permissions on both Google Play Services and also Google Service Framework.

Questions:
I see all mention of "google stuff is sandboxed - its safe"... OK... Do I need to remove network permission on either/both of these for that to be true? I'm guessing GMaps & Uber won't work if I do that, right?

When I log out of Sandbox profile, and back in to Owner profile - is the stuff (services I guess) in Sandbox still running?

Am I correct in thinking this is the right way of using the Google services and Sandbox profile?

Thanks guys :)

yore

numbersinthenamefield

I see all mention of "google stuff is sandboxed - its safe"... OK... Do I need to remove network permission on either/both of these for that to be true? I'm guessing GMaps & Uber won't work if I do that, right?

For most use cases it is fine to leave it as it is. If you want to go the extra mile you can disable Google Play Services and see if apps work correctly. If not, you can leave it enabled and instead revoke Network permissions and see if apps work properly. Generally, it is OK to leave things as they are by default.

When I log out of Sandbox profile, and back in to Owner profile - is the stuff (services I guess) in Sandbox still running?

If Google services are installed in that profile, they will stop running when you press "End session." By doing this the whole profile is halted and put to rest, including anything running it.

DeletedUser115

numbersinthenamefield just a quick note, Google Maps work fine without Play Services if you're okay with GPS-only location that generally needs unobstructed view of the sky. It works for navigation inside a car too for me, but doesn't work in buildings.

raccoondad

"When I log out of Sandbox profile, and back in to Owner profile - is the stuff (services I guess) in Sandbox still running?"

If you end the session (press and hold power, the option will be on the bottom) then all applications related to that profile will be stopped, its encryption keys dropped, and to the profile itself it is as if the device restarted

Hope that answers your question, an actual restart will also do this

numbersinthenamefield

raccoondad
Oh! thanks for showing me that.
I usually swap profiles from the pull-down menu...
Are these the same?
Or does the "end session" _kill more stuff?

GrapheneOS

Sandboxed Google Play runs in the same app sandbox as other user installed apps and has the same permission model. The apps you're using from the Play Store mostly include Google Play libraries. You rely on the same app sandbox for those apps too. It doesn't work any differently for sandboxed Google Play.

A dedicated user or work profile for sandboxed Google Play is completely option. It doesn't work differently with profiles than other apps. Apps installed in the main profile are sandboxed the same way as apps installed in a secondary user or work profile, they're just in different workspaces. Apps in Owner don't have more access than access in other profiles, the Owner user just has more options available in the Settings app and other OS interfaces. Since we have Storage Scopes and Contact Scopes, the main benefit of profiles in general (either work or user) are that each one has a separate VPN configuration and apps can only see and communicate with apps in the same profile. Even within a profile, apps need to agree to communicate with each other. User profiles also have their own encryption keys.

The apps are each sandboxed themselves. The profiles are an overall workspace of apps and data. Apps can't access the data of other apps within the same profile and require your consent to access your data via permissions or the system file/photo/contact pickers, etc. Profiles have separate app instances, app data and profile data like your contacts and home directory (shared storage).

GrapheneOS

Am I correct in thinking this is the right way of using the Google services and Sandbox profile?

There is no right way to use profiles. Sandboxed Google Play is still sandboxed if you only use the Owner profile and have it installed there. The benefit of having it in a secondary user is having control over which apps can use it and which apps it can see. This also applies to any other apps. There's nothing unique about how it works with sandboxed Google Play. You could decide to use dedicated profiles for other groups of apps too.

The configuration you're using is a common configuration for GrapheneOS users, but so is using sandboxed Google Play in the main profile. Neither is right or wrong. They're just different and both take advantage of the sandboxed Google Play compatibility layer.

de0u

numbersinthenamefield I usually swap profiles from the pull-down menu... Are these the same? Or does the "end session" kill more stuff?

If you just swap sessions, the apps in the other session may keep running for a while, and thus their filesystem encryption key remains available. They may consume battery and/or network. The idea is for them to be ready to go when you swap back. If that's not what you want, use "End session".

numbersinthenamefield

de0u
Thanks!

The thing I'm kinda wondering about (or maybe misunderstanding) - are the services I guess.

All the Google bits we install to make it compatible with the few apps we need... I'm sure there are service actions that come with those "apps".

And further, I'm guessing the services have the same permissions we can set on the "app" itself (Google play services, GmsCompatConfig, Google Services Framework, Google Play store).

Some of the apps force you to log into Google play services (like Chat GPT's app - though I decided against it).

And for the services (and "apps") to work - you need at least certain permissions - like network, and I guess location (hmm - I see none of those have location currently...)

So... if you use it in that manner - you are logged in, and the services are running in the background, and network and location (and whatelse) permissions are granted.... then how is this much different from a vanilla android phone? (except that you have the ability to tweak the permissions).
I feel like the persistent G is still there...

Am I not understanding something here? paranoid? (I have developed android apps before - I have a rough understanding...)

Anyway - so my thinking was - if you only log into the sandbox account to use these things, and then log out properly at the end, then at least those services would terminate.

Thanks

numbersinthenamefield

Thank you @GrapheneOS , I really appreciate your replies :)

numbersinthenamefield

DeletedUser115
Ah, thanks.
I think its needed for Uber and 1 or 2 other apps

de0u

numbersinthenamefield So... if you use it in that manner - you are logged in, and the services are running in the background, and network and location (and whatelse) permissions are granted.... then how is this much different from a vanilla android phone? (except that you have the ability to tweak the permissions). I feel like the persistent G is still there...

There are lots of Android variants! Some commercial Android variants don't include Google Play Services (e.g., some phones from manufacturers in China). So it's hard to answer the question with respect to all possible meanings of "vanilla Android phone".

On a phone running Google's official Android, the Play Services (etc., e.g., the Play Games code) are running in all user profiles (of which there is typically only one), and they have lots of privileges. So if your device has Play Services (etc.) running in a second profile they are running with reduced privileges and without the ability to invoke apps in the owner profile via IPC.

numbersinthenamefield Anyway - so my thinking was - if you only log into the sandbox account to use these things, and then log out properly at the end, then at least those services would terminate.

If by "log out properly" you mean holding down the power button and selecting "End Session", yes. Note that "End Session" is a GrapheneOS addition.

Overall, if you isolate Play Services (etc.) code in a secondary profile, you are better off in three ways: reduced privileges for Google's code, increased app isolation, and the ability to stop everything in the secondary profile whenever you want to. Swapping from one profile to another without "End Session" is faster but does not stop the code in the other profile from running (and does not put the data at rest). It's up to you.