I got a new phone. Skipped a few generations and now I’m running the current GrapheneOS, based on Android 15. I’ve moved most of the apps, but now I’d like to install my 3 banking apps and 5 discount program spyware apps. I guess I best separate them from the rest of the arbitrary stuff. Banking apps so they can’t be messed with, and shady discount programs so those apps can’t mess with me and my data…

The internet has a lot of information about Shelter, work profiles, the new(?) private spaces… But I don’t know what is current advice and what’s outdated advice… What’s the current best practice?

  • Quereller@lemmy.one
    link
    fedilink
    English
    arrow-up
    11
    ·
    14 days ago

    Did no one mention the multiple users feature on grapheneos? Especially apps you need seldom you can just run under a different user.

    • BearOfaTime@lemm.ee
      link
      fedilink
      English
      arrow-up
      6
      ·
      14 days ago

      Which is what apps like shelter and island use - they just make it more convenient.

      • Quereller@lemmy.one
        link
        fedilink
        English
        arrow-up
        4
        ·
        14 days ago

        No that is not correct. I actually use both. Island etc enables the work profile. Likely, the work profile uses internally a different, additional user account. But for the device owner there are some differences. Work profile apps you can configure, launch and access directly from the main account. Also there is some limited sharing possible. The notifications are also shared. If you use (multiple) additional user accounts very little is shared. I think the cell phone functionality maybe. Apps are also shared internally but that is not transparent to the user.

  • seaQueue@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    12 days ago

    Up through Android 14 everything boils down to different programs to manage a work profile. I’ve always used Shelter or just straight up used the built in work profile support in LineageOS.

    I don’t know if it’s possible to create more than one separate space.

    Edit: the only way I’ve found to make two separate app containers on android <= 14 is a combination of a work profile and Samsung’s secure folder. I don’t know of any other sandbox technique.

    • hendrik@palaver.p3x.deOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      14 days ago

      Hmmh, I was looking for info on Android 15 and the future. But you’re right. I’ve enabled the private space now and it seems it’s just one. I might have to use a combination of techniques anyways, or something like Shelter… I had hoped there is a single and clear answer to my question 😆

  • Otter@lemmy.ca
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    14 days ago

    I saw this thread which has some discussion

    https://discuss.privacyguides.net/t/android-private-space-vs-work-profile/21101/4

    Which to me sounds like ‘private spaces’ is made for this purpose, while shelter + work profile was a workaround for some time. Since it is new, it might take some time for FOSS apps to implement related features, like being able to launch those apps from your homescreen.

    Hopefully someone else comes with better advice :)

    Edit: these ones suggests that private spaces is better

    https://discuss.privacyguides.net/t/are-there-any-situations-where-private-space-is-available-but-work-profile-is-still-used/21971

    https://discuss.grapheneos.org/d/16569-android-15-private-space-please-explain

    • hendrik@palaver.p3x.deOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      14 days ago

      Thx for all the links. I’ve enabled the feature now. I’m not sure if it’s meant for both use-cases but I think I’ll put the dicount apps from the supermarket there.

  • gid@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    14 days ago

    As I understand it, the banking apps should benefit most from the default sandboxing in GrapheneOS. I’m not sure there’s much benefit in further separation of them is there?

    • hendrik@palaver.p3x.deOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      14 days ago

      Good question. I mean that’s why I wrote exactly what I’m trying to do… And on second thought… I don’t want to bury them completely, since I need the bank and PayPal to send me notifications and pop up once I need to confirm some transaction…

      Maybe I should just install them as is, and use that private space feature for random stuff that collects my data and sells it to third parties.

      • gid@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        14 days ago

        Yeah that sounds like the best solution.

        Just FYI some banking apps don’t work on GrapheneOS (ones that check for strict SafetyNet support I think).

        • hendrik@palaver.p3x.deOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          14 days ago

          Yeah, F them. I got some hardware TAN generator because I had that issue before. If they force me to use some stock version of Android, I’ll just delete their app… So no issues there. 😉 I can live the old-school life without Google Pay… Seems PayPal and my current bank do work without issues.

          Thanks!

      • oldfart@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        13 days ago

        Can’t you just run them when you expect a notification? How many times a week do you do online shopping that this is a chore

        • hendrik@palaver.p3x.deOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          13 days ago

          Yeah, I could do that, too. I’m usually aware of when I click some “order” button… And I’m not sure if I’d miss the push notifications when I finished the supermarket check-out and swiped my bank card… I guess I could do both. After yesterday’s advice, I just installed them into my main profile. Maybe I should check the permissions of PayPal and the other app and see if I like my current approach.

  • LiveLM@lemmy.zip
    link
    fedilink
    English
    arrow-up
    2
    ·
    14 days ago

    I was going to use the new Private Space on A15 for my banking app, until I discovered the apps inside the private space are stopped when you lock it.
    This makes it completely useless for me since I need to get notifications from my bank.