I'd need to avoid receiving calls and SMS in my Owner profile and only allow them in a secondary, stripped-down, least-privileged profile.
Is there a way to do that? It seems like the safest solution and a basic function, but I haven't managed to find a way. There have been posts about this here, but I haven't found a clear answer. Removing the permissions of the Phone and Messages apps in the Owner profile meant that people calling me got a busy signal, despite the fact that the app had all the necessary permissions in the secondary profile that was active at the time. SMS messages seem to get through to the secondary profile... but only if Owner also receives them.

If that's not possible as a built-in function (which I still hope it is), is there a sandboxing app that could help?

Also: how can I allow mobile data ONLY in a secondary profile? I don't want to have mobile data on all the time in my Owner profile just to be able to use it in a secondary profile.

Call forwarding does not seem to work in my secondary profile (the menu line is missing). Is there a way to resolve that issue?

    desperatemouselives Is there a way to do that?

    Not that I know of.

    desperatemouselives It seems like the safest solution and a basic function

    Can I ask why? SMS and Phone access are already protected by permissions in AOSP. Being careful with those permissions is the safest solution. If you still want to keep calls and SMS isolated from other apps, maybe keep them in the Owner profile and otherwise keep the Owner profile completely empty.

    desperatemouselives is there a sandboxing app that could help

    All apps already run from within the app sandbox.

    desperatemouselives Also: how can I allow mobile data ONLY in a secondary profile? I don't want to have mobile data on all the time in my Owner profile just to be able to use it in a secondary profile.

    This kind of setting is global, so it's not possible to change it for just one profile.

    A workaround could be installing a VPN in the Owner profile, then disabling the VPN from within the app. By default, all connections from within the profile will be routed through the VPN that's set up, but since it's disconnected, no internet traffic will be allowed through.

    desperatemouselives Call forwarding does not seem to work in my secondary profile (the menu line is missing). Is there a way to resolve that issue?

    It's possible only Owner can do that (though I don't actually know this and I'm just guessing, but there are some settings that, apparently, only Owner can set, including those found in the Phone app).

      desperatemouselives I'd need to avoid receiving calls and SMS in my Owner profile and only allow them in a secondary, stripped-down, least-privileged profile.

      There is a structural reason why this might not work. When the phone reboots (by accident or design), until the owner unlocks with a password or PIN the device is in a special state called "BFU" (before first unlock). In BFU many functions work only partially, and the apps need to be coded specially to work in BFU.
      In the BFU state all secondary profiles are at rest and can't run at all.

      If you were successful in isolating phone functions to a secondary profile, it would not be possible to receive calls after a reboot, or even to place emergency calls. In your case this may be exactly what you want, but in general regulatory agencies strongly encourage phone manufacturers to make emergency calls possible at all times. So the behavior you are hoping for may well be untested, or there might have been a conscious decision inside AOSP to not support it.

        de0u Thanks, that really makes sense.

        I think calls would be acceptable, come to think of it. It's SMS that would be important to block in Owner. Could that work?


          desperatemouselives It's SMS that would be important to block in Owner. Could that work?

          I haven't tried. My hunch, though, is that it hasn't been designed to work and hasn't been tested, so it may well not.

            UPDATE: looks like calls do not get through to the secondary profile and the caller gets a busy signal. I had to reset the network settings after getting back into Owner to make it work again. What's that about? SMS messages got through.
            Looks like there are some issues with profiles in general.


              other8026 The why is simple. I need to be particularly conscious of my data security and privacy.

              I want to make sure that I can just shut down that profile, even delete it, and start a new one.

              The Owner profile has privileges (such as mobile data management, and device-wide settings), which could be exploited. Not saying GOS has been breached, though. Calls are less of a concern... SMS really are. So I can keep calls in Owner, but SMS need to be contained as much as possible.

              I'm aware that GOS has much better app sandboxing than stock Android, but as I say, I need to be absolutely sure. The point is to simply rule out any exploit over SMS. If not by using profiles, then by other means.

              I was wondering whether I could use a VPN app to do what you say, and I'm glad to hear it could be an option. Thanks!

              I could keep call forwarding in Owner along with the calls. That could work. But I'd need to get a notification from the secondary profile containing the messaging app that I have a message.

              de0u Thanks, noted.

              At the end of the day, Profiles are just a means to an end. If there is any other way to avoid even the possibility of exploits via SMS, I am more than happy to go for it... (other than using a 'dumb' phone, as that is unfortunately not an option these days)

              There are data-only SIM cards, from jmp.chat (and others). You could port your number to jmp.chat; this would move calls and texts to the Cheogram app, which can be installed in a profile and not the phone.
              But I'm not sure how the SIM is restricted. Could it be possible for someone to force an SMS through a data-only SIM? This is beyond my knowledge.
              You wouldn't have emergency calling, just a thought.

                desperatemouselives Looks like there are some issues with profiles in general.

                Quite. It might make sense to scan the GrapheneOS issue tracker. If you have repeatable issues which aren't already filed, you might file some - be sure to give exact reproduction steps. They'll likely get marked as "upstream" and sit for a while, but as the project grows maybe new developers will be looking for getting-started projects.

                  de0u I do think that some issues with profiles have been flagged. Mine may be a variation on the same theme. I'll look at the tracker, thanks!

                  I also identified two possible factors that may have contributed to my issues: forcing all apps to use VPN, and removing some permissions which seemed unrelated, but perhaps they weren't. I have made some changes, let's hope they work out. I will only use secondary profiles without calls and SMS for now.

                  In general, I think there should be a way to leave only emergency calls in the owner profile, and otherwise route all calls and SMS through a neatly isolated secondary profile. Having the main channels of attack - SMS and calls - in the profile with the most extensive privileges, including ones involving/affecting other profiles, the whole device and Graphene itself, is counterintuitive to say the least. The fact that you have to leave your mobile data on in the owner profile in order to be able to use it in other profiles is also counterintuitive in an OS focusing on privacy and security. I also noticed that if you turn off mic and camera access, but an app asks you for them and you grant the permission just that one time, you still have to separately disable access again. Access should be blocked again automatically once e.g. your call is over.
                  These things seem trivial to me.


                    desperatemouselives I suspect that the key issue is that Google wanted to set up a mechanism for a parent to let a kid play games on a phone without being able to delete the parent's photos, view work documents, etc.

                    I don't think Google was (at least initially) aiming to contain malware in secondary profiles, or set up a system for tightly limiting Google's ability to track a phone.

                    And I think on the stock OS very few people use multiple profiles, so the system doesn't get tested a lot.

                    Overall, I think there is a way to go before the profile system does what many GrapheneOS users want it to. When something seems very wrong, filing an issue may be productive, especially if very clear steps for reproducing the problem are included.

                      de0u Thanks for the info. It looks like profiles are barely scratching the surface of what they could achieve in terms of data security and privacy. Or actual functionality...

                      Another weird thing just happened. A call came through to my secondary profile, but an SMS did not (the notification about it did). Both calls and SMS are turned OFF in that profile, AND the Phone app has no permissions at all (only Notifications). How's that possible? I even got the usual request to grant mic permission. The call does NOT show up in the call history in the secondary profile. It only does so in the owner profile.

                      Skyway Thanks for the tip.

                      It looks like Graphene functionality hasn't yet caught up with the changing landscape of exploits. There should be a built-in way to actually protect the owner profile from SMS-based exploits without resorting to a separate app (which I have yet to find... something like converting SMS into a different format before I receive them, or chopping them up, or setting some form of size limit on them (assuming any malicious package will be bigger than a simple SMS) could be a solution).


                        desperatemouselives It looks like Graphene functionality hasn't yet caught up with the changing landscape of exploits.

                        Is there a platform that has caught up?

                        Is there a platform that is more "caught up" than GrapheneOS? How would one measure that?

                        Is it better to be "caught up" with respect to SMS attacks in particular, or better to spend time on MTE-based hardening of all app code on the device? How would one measure which is better?

                          de0u If I thought that there was any better option, we wouldn't be having this conversation. :-)

                          I am fed up with stock Android even without considering privacy and security, as I like simplicity and efficiency coupled with decent practical functionality, to be honest. But I am also becoming more conscious of cybersecurity - the only plausible thing I can do, I think. So I appreciate GOS as it is. I am aware of some possible threats, and thought that developers may have those in mind too. What approach they take, how they achieve things... that's not for me to judge (not an expert). Just hope GOS works well against most already known threats. SMS-based ones have been in the news for years.

                            desperatemouselives Just hope GOS works well against most already known threats

                            GrapheneOS patches the OS and firmware very quickly as soon as updates are made available by Google. Security updates protect us from the known threats. You can read this part of the website for some more info about how GrapheneOS always patches quickly and is in other ways way ahead of other OSes.

                            The other, and I'd argue, bigger issue is the unknown threats. Here's a relevant page from the website about protecting against unknown threats.

                            It's my understanding that malicious actors usually use social engineering to trick people into actually installing malicious software. It's also my understanding that zero-click exploits generally send payloads that can exploit some sort of memory defect. GrapheneOS's hardened_malloc helps protect against the most common classes of memory defects. So finding exploits that work on GrapheneOS is much harder than on the Stock OS.

                            Finally, it's important to consider the likelihood of being targeted by a sophisticated attack. Reportedly, exploits can go for millions of dollars on the black market. These kinds of exploits are not just used on tons of people (which would make the exploit easier to detect), but instead would be used to target high-profile and influential people. Any exploit that makes it out into the public and is spread out everywhere would be one that does basically nothing, like one that makes an app crash and nothing else. A nuisance, sure, but not one that puts your personal data at risk.

                              5 days later

                              other8026 After careful consideration and further reading, I agree on all points.

                              I'm new to all this, but - hopefully - learn fast. I'm theoretically not of any particular interest to any authority and of zero significance internationally, but that's what I think. There have been cases where people's phones were targeted with military-grade spyware in what seems like total overkill. Somebody somewhere found them interesting. I find it irritating that both Android and iOS are even possible to target so easily with whatever tool, even if you are very sensible about your data privacy and security (don't open links, don't leave comm channels open, turn off data/wifi/bluetooth, manage permissions reasonably, don't install any old shite, etc.).

                              This is my first experience with GrapheneOS, but I'm already looking at the next device to buy (second-hand, preferably) if support for this one stops. Which I find appalling by the way, as it is very wasteful.