Best way to isolate an Android app - Island, Insular or Shelter

I need to install some rather intrusive company apps (Microsoft Intune + Teams/Outlook).

If I install these in an isolating app would it be able to access contacts or what apps are installed? Also after I am done with it can I just wipe out the space containing these apps with no residue left over?

According to Microsoft if I installed it directly onto my device I wouldn’t even be able to uninstall it unless I unenroll my device. I do not like the idea of not being able to uninstall the app whenever I want.

The device is a Samsung S23 running Android 13 if that matters.

All of these use more or less the same mechanism to achieve isolation from the main profile: using Android’s built-in “Work profile”.

Android treats the work profile essentially like a second user account, separating out file and app access, as well as permissions and app data. Installed apps on the main profile can be mirrored to the work profile, having two different versions installed won’t work.

Some data is shared between the two profiles, like Light/Dark mode state, ringtone preferences, Monet-generated color scheme (Android 12+) and whether location is enabled, just to name a few. Some data that isn’t shared is default choice of apps, like your default keyboard for instance. That will have to be mirrored to the secondary profile manually.

TL;DR:
As all of these rely on the same mechanism, the isolation on that front is practically the same.

1 Like
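Because the work profile is a separate Android user, it can be confirmed from `pm list users` output. The following is an added example, not part of the post above: a shell function that decodes the flags field of each `UserInfo{id:name:flags}` entry. The flag values are the AOSP `UserInfo` constants and are assumed unchanged on your build; the sample output is constructed.

```shell
#!/bin/sh
# Added example: classify Android users/profiles from `pm list users` output.
# Flag values are AOSP UserInfo constants (assumption: same on your build).
FLAG_MANAGED_PROFILE=0x20   # work profile created by Shelter/Island/Insular/an MDM
FLAG_QUIET_MODE=0x80        # work profile is paused
FLAG_FULL=0x400             # full, switchable user (owner or secondary user)

# Reads `pm list users` output on stdin; prints "<id> <kind> <state>" per user.
classify_users() {
  # UserInfo{ID:NAME:HEXFLAGS} [running]  ->  "ID HEXFLAGS [running]"
  sed -n 's/.*UserInfo{\([0-9]*\):.*:\([0-9a-fA-F]*\)}\(.*\)$/\1 \2 \3/p' |
  while read -r id flags state; do
    f=$((0x$flags))
    if [ $(( $f & $FLAG_MANAGED_PROFILE )) -ne 0 ]; then kind=work-profile
    elif [ $(( $f & $FLAG_FULL )) -ne 0 ]; then kind=full-user
    else kind=other
    fi
    # A paused work profile keeps its data but its apps do not run.
    [ $(( $f & $FLAG_QUIET_MODE )) -ne 0 ] && state=paused
    echo "$id $kind ${state:-stopped}"
  done
}

# Constructed sample, shaped like `adb shell pm list users` on a phone that has
# an owner, one work profile and one stopped secondary user.
sample_output() {
  cat <<'EOF'
Users:
	UserInfo{0:Owner:c13} running
	UserInfo{10:Work profile:1030} running
	UserInfo{11:Second:410}
EOF
}

sample_output | classify_users
```

On a connected device, pipe `adb shell pm list users` into `classify_users` instead of the sample.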

Is there a list of what data is accessible from the work profile? Tried looking for documentation on the Android dev site but I couldn’t find it.

I don’t think anybody made a comprehensive list, no.

It is literally written on the website. Please read before asking questions.

“Shelter is recommended over Insular and Island as it supports contact search blocking.”

I installed Shelter to set up a work profile (literally for my work apps in my case).

But I would like to have additional profiles similar to the work one:

  • One for snoopy apps, like social media or streaming video subscription players.
  • One for map apps, so that they are the only thing that connects when I plug into Android Auto (which has been reported to suck in tons of data from your phone and report it back to Google and the automaker), so that it can see no other data.

The problem is that Shelter only allows ONE work profile. And the other option I know is to set up Multiple Users, but that literally shuts down the other users, so that any apps isolated that way would be shut down and of course I’d get no notifications if a work email or personal chat message arrived.

Are there any options for true “multiple” work accounts?

No. They all use Android’s Work Profile under the hood, which is limited to one. You can use normal user profiles instead. Btw, many people use profiles for the wrong reasons, because they don’t understand what access apps have and what they haven’t. Are you sure that you need different profiles?

1 Like

Yes, I want these apps to be totally encapsulated and not see my real contacts, location, or other activity. I can’t stop them from seeing their own data, but that’s it… I don’t even want to use the same account for them, so that they can’t farm and cross-reference my information to sell to the highest bidder.

That’s the whole point of using a deGoogled distribution of Android, to reclaim some of your privacy and your personal data to not be “the product”. For many apps I already switched to privacy-respecting apps, but there are quite a few that I can’t quite get replacements for. Many of those apps demand permissions far beyond what they really need to operate, so letting them see a sandboxed environment with no data… is the perfect way to let them have the permissions but not the real access to your data.

I haven’t used Shelter, or any other apps designed for this, but if you’re talking about the built-in Multiple Users, I have multiple user profiles on my phone using GrapheneOS and the standard Android profiles and get notifications from my secondary profile on my primary one. The secondary profile continues running in the background just fine.

Things do start to add up at some point, though: WhatsApp in a profile without Play Services + VPN + profile running in background = sometimes you won’t get your message notifications.

Reminder that all apps can see your MCC/MNC along with a bunch of other information without any permissions.

Give this app a spin: kDI Device Info system permission | F-Droid - Free and Open Source Android App Repository

2 Likes

@Voln I am on CalyxOS (the best of the two privacy distributions that support my ancient Pixel 3, as Android 13). It came with only Multiple Users (which is “one at a time”, with the other off) and Work Profile that didn’t work. Installing Shelter was the best option I could find but it only seems to support one “shelter/work” profile.

I plan to buy a new Pixel during Black Friday, so I should finally be able to install GrapheneOS. If that one is capable of multiple profiles for ONE user, it will be great.

1 Like