I’m picking up a new Google Pixel and want to put GrapheneOS on it. Heard about Graphene since before their splits at CopperHead, but I havent had the chance the try the OS out. So I searched around and GrapheneOS allowed Google Play sandbox.
Does this function similar to a “Private Space” on newer Android or “Secure Folder” on Samsung? So I can enjoy the Graphene stuff but whenever I need Google Play specific apps, I use the sandbox environment?
Mostly, I will be using bank apps under the sandbox. Are there problems with OTP in this environment? In Samsung’s Secure Folder, my bank app will have problems sending OTP unless I send it outside, i.e. out of Secure Folder.
While you can setup a second profile to put the Google services into, I don’t recommend it.
The version of Google Services on GrapheneOS thinks it has root, but it does not.
So there’s no dramatic need to setup a second profile, unless you want it for other reasons.
I personally think the second profile feature is one of the things people think they want/need from GrapheneOS, but really are happier without.
(Sure it’s safer, but GrapheneOS is already so much better than other mobile OSes - and I hate to see someone quit GrapheneOS just because they didn’t like the optional profiles.)
An exception I have seen is for apps mandated for a job. I’m happy to bury that stuff deep.
The opposite happened for me. Separating out Google services to another profile made me realize how little I need to interact with Google Play Services to use my phone on a daily basis.
It isn’t really an environment. You can install the Google apps without granting them a single permission and it will still work. What the sandbox does is trick it into thinking it has full root access like it’s supposed to have. While remaining like any other installed app: you’re in control.
You could make a second profile and run it solely in there if you like none of that.
An alternative to the Play Store to install apps from is Aurora Store which is basically Google Play but without needing an account. (Though some have pointed out this is insecure and unsafe, but I find that to be over the top. It really depends what your security thread level is.)
You can use banking apps in the private space included only in the stock launcher (which I ditched because it lacks customisation). Not sure if you can put the Google sandbox in there though. Why not make a second profile on the phone only for banking/google use? It’s practically the same as secure folder and you can even apply 2FA if you want to login to the profile.
As someone else mentioned: do check for your bank app’s compatibility here.
Does this function similar to a “Private Space” on newer Android or “Secure Folder” on Samsung?
No. Unlike those, you dont have to unlock the app nd use them, the sandbox is just a normal apk but it dosent allow gservices root access and blocks most telemetry, leaving only the necessary APIs
If you want a total user sandbox, you create another user and install gservices there.
Are there problems with OTP in this environment?
There are like 30 ways to send/generate an OTP.
Might be worth having a look at this list of banking app compatibility: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/
It works in a container under the hood. You can separate two profiles: one personal, and the other for everything else. When you install apps from Google Play, they are also installed in this container with Google services.
A cool thing is that Google services run in user space, like regular apps, and don’t have the elevated permissions they usually have on standard Android, where they operate almost as root with hundreds of permissions. This means you can delete them anytime, just like any other app.
