I got a new phone. Skipped a few generations and now I’m running the current GrapheneOS, based on Android 15. I’ve moved most of the apps, but now I’d like to install my 3 banking apps and 5 discount program spyware apps. I guess I best separate them from the rest of the arbitrary stuff. Banking apps so they can’t be messed with, and shady discount programs so those apps can’t mess with me and my data…
The internet has a lot of information about Shelter, work profiles, the new(?) private spaces… But I don’t know what is current advice and what’s outdated advice… What’s the current best practice?
Did no one mention the multiple users feature on GrapheneOS? Especially apps you need seldom you can just run under a different user.
Which is what apps like Shelter and Island use - they just make it more convenient.
Shelter and Island use the work profile, which is different from user profiles
No, that is not correct. I actually use both. Island etc. enables the work profile. Likely, the work profile internally uses a different, additional user account. But for the device owner there are some differences. Work profile apps you can configure, launch and access directly from the main account. Also there is some limited sharing possible. The notifications are also shared. If you use (multiple) additional user accounts very little is shared. I think the cell phone functionality maybe. Apps are also shared internally but that is not transparent to the user.
Up through Android 14 everything boils down to different programs to manage a work profile. I’ve always used Shelter or just straight up used the built in work profile support in LineageOS.
I don’t know if it’s possible to create more than one separate space.
Edit: the only way I’ve found to make two separate app containers on Android <= 14 is a combination of a work profile and Samsung’s secure folder. I don’t know of any other sandbox technique.
Hmmh, I was looking for info on Android 15 and the future. But you’re right. I’ve enabled the private space now and it seems it’s just one. I might have to use a combination of techniques anyways, or something like Shelter… I had hoped there is a single and clear answer to my question 😆
I saw this thread which has some discussion
https://discuss.privacyguides.net/t/android-private-space-vs-work-profile/21101/4
Which to me sounds like ‘private spaces’ is made for this purpose, while Shelter + work profile was a workaround for some time. Since it is new, it might take some time for FOSS apps to implement related features, like being able to launch those apps from your homescreen.
Hopefully someone else comes with better advice :)
Edit: these ones suggest that private spaces is better
https://discuss.grapheneos.org/d/16569-android-15-private-space-please-explain
Thx for all the links. I’ve enabled the feature now. I’m not sure if it’s meant for both use-cases but I think I’ll put the discount apps from the supermarket there.
As I understand it, the banking apps should benefit most from the default sandboxing in GrapheneOS. I’m not sure there’s much benefit in further separation of them, is there?
Good question. I mean that’s why I wrote exactly what I’m trying to do… And on second thought… I don’t want to bury them completely, since I need the bank and PayPal to send me notifications and pop up once I need to confirm some transaction…
Maybe I should just install them as is, and use that private space feature for random stuff that collects my data and sells it to third parties.
Yeah that sounds like the best solution.
Just FYI some banking apps don’t work on GrapheneOS (ones that check for strict SafetyNet support I think).
Yeah, F them. I got some hardware TAN generator because I had that issue before. If they force me to use some stock version of Android, I’ll just delete their app… So no issues there. 😉 I can live the old-school life without Google Pay… Seems PayPal and my current bank do work without issues.
Thanks!
Can’t you just run them when you expect a notification? How many times a week do you do online shopping that this is a chore?
Yeah, I could do that, too. I’m usually aware of when I click some “order” button… And I’m not sure if I’d miss the push notifications when I finished the supermarket check-out and swiped my bank card… I guess I could do both. After yesterday’s advice, I just installed them into my main profile. Maybe I should check the permissions of PayPal and the other app and see if I like my current approach.
I was going to use the new Private Space on A15 for my banking app, until I discovered the apps inside the private space are stopped when you lock it.
This makes it completely useless for me since I need to get notifications from my bank.