this post was submitted on 22 Oct 2024
51 points (100.0% liked)

GrapheneOS [Unofficial]


Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.


GrapheneOS fully supports the Private Space feature in Android 15, which is essentially a separate user nested inside of the Owner user.

We strongly recommend it as a replacement for a work profile managed by a local profile admin app. It has better OS integration and isolation.

Private Space is an isolated workspace (profile) for apps and data similar to both user profiles and work profiles. All 3 forms of profiles also have entirely separate VPN configuration, which is very useful even if you're connected to the same VPN, since exit IPs can be separate.

All forms of profiles have separate encryption keys. You can keep a Private Space at rest while the Owner user is logged in just as you can with a secondary user.

Private Space makes it easier to share data than users. The clipboard is shared, but we could add a setting for it.

GrapheneOS users choose to use the OS in different ways. A lot of people largely use open source apps and not sandboxed Google Play. Others use sandboxed Google Play in their main profile. Many use sandboxed Google Play in a dedicated profile to choose which apps use it.

Regardless of how people choose to use sandboxed Google Play, they're regular sandboxed apps without special access. Private Space makes it easier to use a dedicated profile for sandboxed Google Play though.

It's also worth noting you can still use a work profile alongside it.

All of our features including Contact Scopes, Storage Scopes and sandboxed Google Play have full support for Private Space. We added support for it significantly before the release of Android 15, even before the initial early release of the source code was published in September.

top 12 comments
[–] [email protected] 6 points 1 week ago (1 children)

Very nice. Thanks for the update!

[–] [email protected] 2 points 1 week ago

You're welcome

[–] [email protected] 2 points 1 week ago (2 children)

I'd really like to try GOS on my 7 but my local bank app is failing to load. As per GitHub, it is up to the bank's dev to make it compatible with GOS.

[–] [email protected] 2 points 1 week ago (1 children)

This is common with bank apps. They basically use Google as their security instead of programming their own. That's typically why people run a secondary profile with Play services enabled.

[–] [email protected] 2 points 1 week ago (1 children)

I haven't tried GOS yet, but afaik users can enable Play services in a sandbox without using a different profile. Are you saying there's another way to fully run Play services so sensitive bank apps will work?

[–] [email protected] 2 points 1 week ago (1 children)

GOS Play services are sandboxed by default, it's how they implement it. The sandbox just keeps it from having full system root integration so it's not in everything by default like normal Android. It still is full Play services though.

What I'm saying is that if you don't want that on your phone but you do want to use apps that rely on it then you can set up a secondary profile. On the second profile install Play services and any apps that need it. That way it's segregated from your main activity. Other profiles are essentially viewed as their own phone installation so they don't talk to each other.

[–] [email protected] 1 points 1 week ago (1 children)

Oh ok. But just to be clear (IIUC) if the app uses or requires the Play Integrity API, it won't work in GOS even if I use a 2nd profile for Play services?

[–] [email protected] 1 points 1 week ago

Correct, if the profiles are separate. They only share key hardware aspects (like WiFi and Bluetooth settings). The profiles cannot talk to each other.

So if the first profile does not have Google services it can't run anything that relies on it even if a second profile has Google services installed. For all intents, they are "separate phones".

[–] [email protected] 1 points 1 week ago

Yes, bank would need to add compatibility. They may follow these instructions to do so.

I'd also recommend you read this, if not already done: https://grapheneos.org/usage#banking-apps

[–] [email protected] 2 points 1 week ago (1 children)

GOS needs to let us put the Private Space apps on our desktop, so we can quick launch them. It's a huge pain in the arse to scroll all the way down to unlock the space then to click on the chosen app.

[–] [email protected] 1 points 1 week ago

May you please report this issue here?

[–] [email protected] 1 points 1 week ago

This is fantastic