The private space introduced in Android 15 is more isolated than the traditional Work Profile-based approach used in Shelter and other products.
My question here is, if Android 15 were to become fully popular, would the use case for Work Profile disappear at all in terms of privacy?
Also, I’m confused about the two features and it seems that Private Space is superior to Work Profile in all use cases, not just privacy, isn’t it?
No, you could use both if you have a use case for it. Like using nothing on the owner profile, using Tor in Private Space, and using a VPN in the work profile.
The work profile is just that a work profile and the way it is implemented intentionally grants the app which configures it a lot of control for BYOD use cases. Work profiles definitely aren’t going anywhere but otherwise you are correct that the private space is a better choice if you only need the one nested profile.
Can’t we use a different VPN in the Private Space?
You can.
I believe this is one of the reasons why private space are recommended over work profile from a privacy perspective. And at the same time, I am confused by this part of the risk assessment.
At least as I understand it, work profile and private space differ in terms of whether or not the intent is redirected (perhaps that is the only difference?). It seems to me that there are very limited privacy concerns that could arise with the availability of Intents, am I missing some point?
only sort of “problem” with work profile is, you are using a 3rd party to access the AOSP work API’s to create the profile,
which I personally don’t see any problem while I use Shelter.
you can’t put a lock on the work profile?
private space provide compartmentalization i think in addition to the work’s.
so you can run 3 profiles at once with compartmentalization.
lol need to update my take on compartmentalization after this festure release.
Unless your use case requires using 2 profiles inside your Owner profile, then yeah there would no longer be a need for a Work profile.
The main downside of a Work profile is the fact that it requires a third-party application to setup and you need to trust that application with your Work profile data. The third-party application is also what determines the level of isolation between the Work profile and the Owner profile. For example, Shelter allows some intents to cross between the Work profile and the Owner profile. On the other hand, the Private Space blocks all intents except for the telephony intent.
Apps in the Work profile are also able to identify what apps you have installed in the Owner profile which could be a concern for you. Not sure if this is a general limitation of a Work profile or if it is dependent on the third-party app you choose to use.
You can also choose to have different encryption keys for the Private Space by setting credentials for it rather than using the existing device credentials. Not sure if a Work profile has different encryption keys or not.
In conclusion, just use the Private Space.
From what I read in the Android documentation, I didn’t read that Work Profile can read apps with Owner profiles; is there such an API for third-party apps that manage Work Profile? Or is it only possible to know indirectly through some trick (by intent you mentioned)?
The profile admin can choose which intents are allowed to cross from one profile to another. Since the IT admin makes this decision, there’s no way for you to know in advance which intents are allowed to cross this boundary. The IT admin sets this policy, and is free to change it at any time.
In this scenario, the “IT admin” is the Shelter app.
You can’t even set shortcuts on home screen with Private Space. Or easily clone an app from main profile to private space. So definitely the answer to your question is yes
I overall prefer work profiles. In terms of isolation/privacy (Work Profile with Shelter vs Private Space) it’s pretty much identical, the main argument against the work profile seems to be that you don’t need to trust the Shelter app.
I’ve written about it here but in short:
Private Space: differences compared to work profile
For me personally, all of these points, except maybe the last one, are downsides that just add additional friction when using the apps. I think the Private Space is really meant to be for “secret” apps and files, like a second copy of the gallery app for your homemade sex videos or something, rather than for compartmentalisation.
For now I’m using this setup:
Something to be aware of.
- Files in Private Space always seem to be stored with their own unique encryption key and their own weaver token, regardless whether you choose to use the same credentials or separate credentials when setting up the Private Space. That is to say, Private Space do not share encryption key or weaver token with the owner profile even if you choose to share unlock credentials when setting up the Private Space. Login attempts are also throttled for the Private Space the same way like it was any other user profile, that is, throttling is per profile, or per weaver slot to be more precise. This was tested by using “adb shell” on a userdebug build to print the encrypted keys in “/data/misc/vold/user_keys/ce/USERID/current”, and the number of weaver slots enabled in “/metadata/password_slots/slot_map”, and by manually trying out when throttling is hit for the various profiles. I did not test that the weaver slot for Private Space or any other profile is actually used for the key derivation, I just assume so.
- The Private Space files are only available in unencrypted form in the file system after the password has been entered into the Private Space unlock screen. This is the same whether the Private Space was configured using same credentials as owner profile or separate. This means that even if the owner profile is fully unlocked, there should be no way for an attacker to access the files in the still locked Private Space unless they know the password. Not even if they can perform advanced forensics or disassemble the device. However, once the Private Space has been unlocked once, only a device reboot will make the files unavailable again. Locking the Private Space does nothing, see “Issues found” below. This was tested by using “adb shell” on a userdebug build to list the content of directories and files in “/data/media/USERID” and “/data/user/USERID”.