I’m picking up a new Google Pixel and want to put GrapheneOS on it. Heard about Graphene since before their splits at CopperHead, but I havent had the chance the try the OS out. So I searched around and GrapheneOS allowed Google Play sandbox.
Does this function similar to a “Private Space” on newer Android or “Secure Folder” on Samsung? So I can enjoy the Graphene stuff but whenever I need Google Play specific apps, I use the sandbox environment?
Mostly, I will be using bank apps under the sandbox. Are there problems with OTP in this environment? In Samsung’s Secure Folder, my bank app will have problems sending OTP unless I send it outside, i.e. out of Secure Folder.
Play services work great, even Android auto works.
Personally, I don’t bother with seperate profiles. I want push notifications for somethings. However if you only want bank apps, a separate profile may fit your use.
There is a “compatibility mode” you can turn on for apps that don’t work. This relaxes the restrictions the app has and sometimes works.
OTP works fine for google account 2fa and MS authenticator. I don’t think you’ll have an issue with an app’s 2fa as long as whatever other app needed are also part of the profile, be that SMS, email or notification.
Create a private space. Install sandboxed google play in there. Install banking app or any other google play dependant app in private space.
That’s the most reasonable and less hassle method in my opinon. Lock it down when not in use. Cons? no push notification when locked down.
This is the way
Strongly recommend reviewing the compatibility of apps you can’t live without, especially finance ones. And you won’t be able to use Google Wallet with tap to pay. Those are often not happy about you having any amount of security or privacy in the name of security, but really usually because they’re too lazy, or want to violate your privacy themselves.
I never really used it so it was fine with me. And the few apps I had to dump I mostly found open source alternatives for other than finance ones which I just use the websites instead now.
I installed curve pay to replace google wallet as suggested elsewhere, works fine.
It works in a container under the hood. You can separate two profiles: one personal, and the other for everything else. When you install apps from Google Play, they are also installed in this container with Google services.
A cool thing is that Google services run in user space, like regular apps, and don’t have the elevated permissions they usually have on standard Android, where they operate almost as root with hundreds of permissions. This means you can delete them anytime, just like any other app.
While you can setup a second profile to put the Google services into, I don’t recommend it.
The version of Google Services on GrapheneOS thinks it has root, but it does not.
So there’s no dramatic need to setup a second profile, unless you want it for other reasons.
I personally think the second profile feature is one of the things people think they want/need from GrapheneOS, but really are happier without.
(Sure it’s safer, but GrapheneOS is already so much better than other mobile OSes - and I hate to see someone quit GrapheneOS just because they didn’t like the optional profiles.)
An exception I have seen is for apps mandated for a job. I’m happy to bury that stuff deep.
The opposite happened for me. Separating out Google services to another profile made me realize how little I need to interact with Google Play Services to use my phone on a daily basis.
Might be worth having a look at this list of banking app compatibility: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/
It isn’t really an environment. You can install the Google apps without granting them a single permission and it will still work. What the sandbox does is trick it into thinking it has full root access like it’s supposed to have. While remaining like any other installed app: you’re in control.
You could make a second profile and run it solely in there if you like none of that.
An alternative to the Play Store to install apps from is Aurora Store which is basically Google Play but without needing an account. (Though some have pointed out this is insecure and unsafe, but I find that to be over the top. It really depends what your security thread level is.)
You can use banking apps in the private space included only in the stock launcher (which I ditched because it lacks customisation). Not sure if you can put the Google sandbox in there though. Why not make a second profile on the phone only for banking/google use? It’s practically the same as secure folder and you can even apply 2FA if you want to login to the profile.
As someone else mentioned: do check for your bank app’s compatibility here.
Does this function similar to a “Private Space” on newer Android or “Secure Folder” on Samsung?
No. Unlike those, you dont have to unlock the app nd use them, the sandbox is just a normal apk but it dosent allow gservices root access and blocks most telemetry, leaving only the necessary APIs
If you want a total user sandbox, you create another user and install gservices there.
Are there problems with OTP in this environment?
There are like 30 ways to send/generate an OTP.
