Remove Shelter

Now that Android 15 has private space, I don’t really see a need for Shelter. Private space is superior and doesn’t need a third party app.

Shelter is still useful as an additional ‘private space’ - allows for even more isolation of different types of apps (e.g. you could have main apps in main profile, social apps in private space, and work apps in Shelter).

FYI - Someone was doing some testing in the GOS Matrix channel, and although I can’t recall exactly what they found, they did conclude that private space does a better job of keeping app data/app communications separate than Shelter does. Their conclusion was, in terms of ‘strength’ of isolation: Different user profiles > private space > Shelter.

5 Likes

This might be a bit to early, most people do not have android 15 yet and older android versions still get security patches.

4 Likes

I think that recommendations should be made around the latest GrapheneOS, PixelOS, and iOS versions if we want to have high standards.

definitely, but the recommendation could easily just be use private space for a profile. If you do not have this or need another profile you can use shelter.

1 Like

Its a balance thats always tricky. While I see your point and also want to keep to the highest standard.

The reality is is that you shut out the majority of people with this mindset, especially outside the USA where iphone usage is way lower.

Only providing info for folks already on those platforms does not seem to be the most productive stance.

What if we provide a guide explaining how one can use the private space if you are on a platform that supports it, and point to alternatives if you are unfortunately still on older platforms. We could always remove the recommendation for shelter once the android versions without private space are end of life.

6 Likes

Yes, we should talk about Private Space and make it clear that this is the preferred method.

1 Like

How is private space superior? Shelter can freeze apps, and I don’t think private space has this functionality.

Also shelter has file shuttle. Can you even transfer files to private space in as convenient a way?

The biggest benefit seems to be that shelter wasn’t able to stop all intents between profiles. Private spaces seems to be able to stop all intents across profiles. The common clipboard seems to be the only major issue/feature that bypasses isolation.

You can lock and shutdown private spaces.

You can use file picker and share menu to choose, shift, or share any files in private space. This is superior to the File Shuttle flow when trying to choose files to share with apps.

2 Likes

In my opinion, removing Shelter makes sense once Android 15 and above have approximately 50% of device adoption. Historically, this likely means around the time that Android 17 is released, or roughly 2 years from now. I think this creates a reasonable end-of-life standard, though discretion can be used to remove it earlier or later.

It doesn’t make sense to continue to recommend another app to be a device administrator if the OS provides similar functionality already.

4 Likes

I’m marking this proposal as rejected for now since a lot of people are likely not using Android 15 at this moment.

Android 15 has not yet been released on the stable channel for GrapheneOS at the time I’m writing this.

We can always revisit this whenever there’s a critical mass of Android 15 users, as @sgp noted.

In the meantime, I opened a PR to add an introduction to the Shelter card which provides a reason for using a private space over Shelter if the former is available.

As always, any feedback regarding the language on the Shelter card is welcome.

Side note

The above PR is currently marked as draft since I’m currently waiting for Android 15 to reach the stable channel for GrapheneOS so that I can test the Private Space feature and write about it. However, if you have already tested Private Space and wish to contribute to the Android Overview page, feel free to open a Site Development thread or offer feedback on GitHub directly!

8 Likes

Statement from GrapheneOS saying that private space is recommended over a work profile.

3 Likes

Installing F-Droid in Private Space is a royal pain compared to Shelter. And you can’t add shortcuts on the launcher either

1 Like

There’s still some merit to a work profile:

  • can be used in addition to a private space (so you have 3 spaces for your apps: main profile, private space, work profile; and then secondary users but those are less integrated)
  • can add the launchers to the home screen (apparently not possible with the private space)
  • apps will run in the work profile after a reboot while you first have to unlock the private space (this can be good or bad depending on your use case, but makes it useless for apps you want to autostart)
  • (also apparently apps installed in the private space automatically get the network permission on GOS?)
1 Like

I think that’s a bug, they are pushing a solution.

off topic usage discussion

Work profile is also useful in certain scenarios. Like I was thinking of using up all 3 (owner, private space, work profile) to segment apps better. Like putting browsers and media apps in private space so that any browser based attacks are confined to private space. Then putting messenger apps and mail apps in work profile. Finally offline apps in the main profile. Then another user for banking apps. Defense in depth and all…

There is no difference when it comes to sandboxing. User profiles, work profiles, and Private Space don’t work like VMs, there is no added security in using them.

1 Like

I am fairly certain it hit the Stable Channel with release 2024101600, so at the very least people on the Stable channel of Graphene and users who are still on the stock Pixel OS will have had some time to play with it. You are correct though, a majority of Android users are not in that camp

Ah, thanks for clarifying. Will read about it further then.

1 Like

I mean I don’t think that’s completely true. There kinda is a difference. Because some apps can communicate with each other with mutual consent. Splitting them across profiles prevents that. E.g. like apps that use google play services stuff.

Also if you’re not on GrapheneOS using different profiles lets you do a similar thing to what storage and contact scopes does.