I got a new phone. Skipped a few generations and now I’m running the current GrapheneOS, based on Android 15. I’ve moved most of the apps, but now I’d like to install my 3 banking apps and 5 discount program spyware apps. I guess I best separate them from the rest of the arbitrary stuff. Banking apps so they can’t be messed with, and shady discount programs so those apps can’t mess with me and my data…

The internet has a lot of information about Shelter, work profiles, the new(?) private spaces… But I don’t know what is current advice and what’s outdated advice… What’s the current best practice?

  • @[email protected]
    105 days ago

    Did no one mention the multiple users feature on grapheneos? Especially apps you need seldom you can just run under a different user.

      • @[email protected]
        44 days ago

        No, that is not correct. I actually use both. Island etc. enables the work profile. Likely, the work profile internally uses a different, additional user account. But for the device owner there are some differences. Work profile apps you can configure, launch and access directly from the main account. Also, there is some limited sharing possible. The notifications are also shared. If you use (multiple) additional user accounts, very little is shared. I think the cell phone functionality, maybe. Apps are also shared internally, but that is not transparent to the user.

  • @seaQueue
    3 days ago

    Up through Android 14 everything boils down to different programs to manage a work profile. I’ve always used Shelter or just straight up used the built-in work profile support in LineageOS.

    I don’t know if it’s possible to create more than one separate space.

    Edit: the only way I’ve found to make two separate app containers on Android <= 14 is a combination of a work profile and Samsung’s secure folder. I don’t know of any other sandbox technique.

    • hendrikOP
      5 days ago

      Hmmh, I was looking for info on Android 15 and the future. But you’re right. I’ve enabled the private space now and it seems it’s just one. I might have to use a combination of techniques anyways, or something like Shelter… I had hoped there is a single and clear answer to my question 😆

  • Otter
    5 days ago

    I saw this thread which has some discussion

    https://discuss.privacyguides.net/t/android-private-space-vs-work-profile/21101/4

    Which to me sounds like ‘private spaces’ is made for this purpose, while Shelter + work profile was a workaround for some time. Since it is new, it might take some time for FOSS apps to implement related features, like being able to launch those apps from your homescreen.

    Hopefully someone else comes with better advice :)

    Edit: these ones suggest that private spaces is better

    https://discuss.privacyguides.net/t/are-there-any-situations-where-private-space-is-available-but-work-profile-is-still-used/21971

    https://discuss.grapheneos.org/d/16569-android-15-private-space-please-explain

    • hendrikOP
      25 days ago

      Thx for all the links. I’ve enabled the feature now. I’m not sure if it’s meant for both use-cases but I think I’ll put the discount apps from the supermarket there.

  • gid
    35 days ago

    As I understand it, the banking apps should benefit most from the default sandboxing in GrapheneOS. I’m not sure there’s much benefit in further separation of them, is there?

    • hendrikOP
      5 days ago

      Good question. I mean that’s why I wrote exactly what I’m trying to do… And on second thought… I don’t want to bury them completely, since I need the bank and PayPal to send me notifications and pop up once I need to confirm some transaction…

      Maybe I should just install them as is, and use that private space feature for random stuff that collects my data and sells it to third parties.

      • @[email protected]
        24 days ago

        Can’t you just run them when you expect a notification? How many times a week do you do online shopping that this is a chore?

        • hendrikOP
          14 days ago

          Yeah, I could do that, too. I’m usually aware of when I click some “order” button… And I’m not sure if I’d miss the push notifications when I finished the supermarket check-out and swiped my bank card… I guess I could do both. After yesterday’s advice, I just installed them into my main profile. Maybe I should check the permissions of PayPal and the other app and see if I like my current approach.

      • gid
        35 days ago

        Yeah that sounds like the best solution.

        Just FYI some banking apps don’t work on GrapheneOS (ones that check for strict SafetyNet support I think).

        • hendrikOP
          4 days ago

          Yeah, F them. I got some hardware TAN generator because I had that issue before. If they force me to use some stock version of Android, I’ll just delete their app… So no issues there. 😉 I can live the old-school life without Google Pay… Seems PayPal and my current bank do work without issues.

          Thanks!

  • LiveLM
    25 days ago

    I was going to use the new Private Space on A15 for my banking app, until I discovered the apps inside the private space are stopped when you lock it.
    This makes it completely useless for me since I need to get notifications from my bank.