Sandboxing applications

Is anyone here sandboxing applications for further privacy? If so, how is it done?

1 Like

My understanding is with the work profile you can sandbox/shelter apps. Essentially a partition. I haven’t tested it yet though.

1 Like

Yes, I use “Shelter” downloaded from F-Droid for a few apps I don’t want continually running in the background and to keep them away from my personal data.

It will set up your “work profile” on your phone. In Shelter, it shows “Main” (normal apps). I then tap “Aurora Store” and “Clone to Shelter”, and launch that version to then install other apps in Shelter. All the apps I add to Shelter (that I want to disable when not using them) I then tap and tick “Auto Freeze”. Then I also select “Create Unfreeze and/or Launch Shortcut” which adds a launcher to that app on my home screen. Then if you click “Freeze” the actual app will be force stopped and removed from you app menu, but tapping that “Launch icon” will unfreeze and launch it again. Finally, in Shelter I tap “3 dots > Create Batch Freeze Shortcut” and put that on my home screen. Tapping that will freeze all apps that you set to auto-freeze at once.

Once all this is set up, you don’t need to open shelter itself to launch or freeze the apps, the shortcuts to launch and “auto freeze all apps” will be sufficient.

12 Likes

Thank you all for the detailed instructions.

4 Likes

Thanks @rik - that’s great info. I’m in a similar boat looking at sandboxing as I will be migrating from an iPhone with work and personal SIMs, and for the former I have to have 2 Microsloppy apps installed (Outlook & Teams) as well.

And I don’t want to resort to carrying a separate non-private device for work... So hoping to lock those 2 apps down tight so they can’t see the rest of the device or do anything other than their most basic function(s).


Assuming I will have a challenge sharing contacts from Outlook to the phone for the work SIM without opening up all contacts and such to it.


1 Like

You have a few options. By default you are right, the “work profile contacts” won’t interact with your main / “personal profile” contacts. I don’t want my “Shelter profile” apps knowing anything about my personal contacts, so I have the hassle of maintaining WhatsApp & Telegram contacts separately from my personal profile contacts.

Or if you do want to share your contacts between work and personal profiles, in Shelter when you tap the app, there is an option to “Allow Cross-Profile Interaction”. I am not certain if you do it there or instead if you make sure the “Contacts app” in your Shelter profile is set to share “cross profile” (or if you need both). It may take a bit of trial-and-error.

Lastly on this front, for me I use DavX to sync contacts and calendar events across devices with Nextcloud (or you can use other CalDAV / CardDAV providers; I would guess even MS could be directly synced with DavX). So for you, you can add DavX to Shelter (either install normally, then “clone to shelter”, or instead put F-Droid inside Shelter, then install from there). Then use “Shelter DavX” to set up contact syncing.

2 Likes

Thanks @rik that’s much appreciated! Gives me a good head start.

And yeah, I’d sooner have a hassle syncing the work contacts than end up with those MS apps able to access other data or contacts on the device - the MS ones seem to be getting more and more insidious (virtually) by the day.


:+1:

On a related note, what are your thoughts or approach on home & utility apps that ideally need sandboxing, or is using a profile sufficient ‘isolation’?

Ones I’m thinking of in my case are Home Alarm System, Home CCTV Security, Home AirCon System, Home Solar Power (Fronius & Tesla in my case - the latter makes me squirm a bit as it always feels intrusive), and Home Irrigation System. Others like my Gas Fireplace can be worked around if needed (use a remote instead of an app), but for all the others listed an app is the only practical way to manage them day to day.


:thinking:

P.S. as an aside, I was big on home automation a while ago (10-15 years back, and even used to manage a retail business selling C4 for a couple of years), but have gone completely off it now (at least for any main basic home/house functions) for a couple of reasons: (1) privacy & security, and (2) robustness (e.g. unusable in a natural disaster, no power, etc.) - hence why I have all those separate apps above and not one centralised solution (like Control 4, Lutron, Homey or that Apple HomeKit thing).

2 Likes

Add my thanks as well. I appreciate most things that save me time!

2 Likes

I came across this DPS blog post the other day that I found helpful in a general way. It’s not specific about sandboxing (or sandboxing apps like Shelter or Insular) but is a good general intro to profiles, so I thought I’d link it here for anyone reading this thread in future and new to the subject:

3 Likes

So I’ve got Shelter installed with the 2 key work apps I need to have on my phone (Microsoft Outlook & Teams). What I am finding is every time I freeze them, then reopen them (from my home screen), it recreates a second app shortcut for the same app - so I have the one Shelter created (with the ‘humpty-dumpty’ icon) but it then keeps recreating a second Work Profile one with the ‘briefcase’ icon as well - and if I delete it, it recreates it again next time I open the app (via the Shelter app shortcut).

I’m wondering if I have done something wrong, or if it’s supposed to behave like that? Or is there a setting somewhere to disable auto-creation of shortcuts on the home screen for the work profile?

EDIT: Just an update - I’ve noticed the additional shortcut appears when you launch the app from the Shelter ‘unfreeze & launch’ app shortcut, then disappears again when you use the ‘freeze all’ shortcut from Shelter. So maybe it is expected behaviour? But it still seems a bit odd, so I presume you must be able to turn it off somewhere.

:thinking:

1 Like

Just confirming this is continuing to happen for any apps - it seems to vaguely match the description of the process that you provided, however - if that’s what you meant:

EDIT: 28 September - Due to the “no more than 3 consecutive posts” limit (so I can’t post this as a new post):

@rik - your help please if that’s okay - should the iodé app be showing in the Shelter Work Profile (or should it have cloned itself there), or do you need to install a separate copy there - do you know?

I am finding none of my Shelter Work Profile apps’ activity shows in the default iodé app, so I’m suspecting they are getting full access to the internet; there is no cloned copy in Shelter, and in Shelter Main there is no iodé app listed to clone into Shelter?

So is the correct action to ‘install’ another copy of the iodé app into the Shelter Work Profile?

1 Like

[quote=“rik, post:3, topic:1515”]
Yes, I use “Shelter” downloaded from F-Droid for a few apps I don’t want continually running in the background and to keep them away from my personal data.

It will set up your “work profile” on your phone. In Shelter, it shows “Main” (normal apps). I then tap “Aurora Store” and “Clone to Shelter”, and launch that version to then install other apps in Shelter. All the apps I add to Shelter (that I want to disable when not using them) I then tap and tick “Auto Freeze”. Then I also select “Create Unfreeze and/or Launch Shortcut” which adds a launcher to that app on my home screen. Then if you click “Freeze” the actual app will be force stopped and removed from you app menu, but tapping that “Launch icon” will unfreeze and launch it again. Finally, in Shelter I tap “3 dots > Create Batch Freeze Shortcut” and put that on my home screen. Tapping that will freeze all apps that you set to auto-freeze at once.
[/quote]
To remind you @rik, since it is very bad advice you are giving there.
Work profile has been advised against by Google themselves. They modified their code accordingly, and that from the beginning of Android 13 to 14. They then reverted the changes in Android 15 under pressure from major actors who wanted to keep their work profiles running for their employees. Let’s say, more accurately, their neighbours on the Alphabet campus.

So your Shelter app which is working... well, not so good for privacy.

@Mycenius
There is no real sandboxing on Android.
That’s the short answer. Not as understood by cybersec experts such as me, working in the field. There is “some” sandboxing, which is not exactly the same thing. Even if the dictator, yet competent, from GrapheneOS is banning everyone having a counter-expertise to his from his Matrix server. Real sandboxing would mean that the OS layer can’t have access to any information from the app and vice versa. That it would be 2 black boxes with some input and output. That there would be no interconnection or requirement to check in with the Play Store for example, or maybe just with a heavily resourced software infrastructure distributing tokens for that effect.
With also randomized IDs, so you could even have cloned apps on that thing without having to resort to “partitions” and whatnot, etc.
For all those reasons, you don’t have cybersec firms or agencies running malware in “sandboxes” the way browser companies and phone companies pretend to do sandboxing. Or else you can easily understand that we would live in a very nice world where you could have 10 tabs of META products opened with 10 different profiles and META would not be able to recognize you.
This is not the world we live in. META is able to, Google is, Apple is not even trying to do anything about it, with good reasons; even with GitHub you can’t stop their system detecting that you have several profiles, even on 2 different browsers running on the same OS. For that you would need a VM.

The advised way by Graphene and by Google is to create another user on your phone.
But as you will be able to see, the system still has knowledge of all the apps installed, and installers do too. If installers do, then every bit of software making some kind of request having some kind of resemblance to the Android API of those installers also has knowledge of what is installed on your phone. And that even with another user partition activated.
This is really easy to check out, by the way.

So believe what you want from the iodé team and others: on phones there is no real “sandboxing”. This is the same debate we have over and over about “sandboxing web browsers”; same debate, same joke.

You will see in this thread, people have not even bothered to verify what was exactly in the code, what API calls were being made and how it is being done. But still you will be able to read about work profile and why it is even worse than user profile, which is exact: not the same encryption key, etc.

So the bullshit about apps being siloed and so forth and so forth... Well, there are big fucking long “IFs” to add to that bit.

On a separate subject, just to prove a point which is purely software-wise, as siloing apps would be:
Actually they have that bad an implementation of mostly everything that even randomizing the Wi-Fi MAC address is a challenge for them:
that was the case in 2017

a study 3 years later

still the case in 2023

And I am pretty sure I found somewhere a study about Apple being better than Android at MAC randomization in 2025.

1 Like

Thanks - oddly enough I was starting to suspect that the sandboxing was not exactly as I had assumed, as I was seeing some behaviour I wouldn’t expect. It does sort of work, but inter-connectivity is still easily present in some ways (e.g. the iodé app in the main profile seems to be able to see activity of apps in the work profile - but I don’t know Android and the system architecture well enough to be able to speculate why). While not an expert, I ran a Corporate IT team for many years and my basic knowledge and expectations of sandboxes (from a server environment, etc.) isn’t the same as what appears to happen on the phone, but as mentioned I can’t tell if that’s just from convenience functionality or the sandbox effect not being fully encompassing.

Yes, well, that kinda speaks to some of the concerns I’ve developed around Graphene.

Yep - my original plan was this, with about 3 secondary ‘user’ profiles for different groupings of apps - but as per your second sentence I realised this didn’t achieve the root objective of stopping cross-pollination of data.


I hoped Work Profile with Shelter would do that, or at least get as close as possible as you can on Android. I’m not expecting to be Edward Snowden and be untraceable, I just want to make the phone as secure as is reasonable but, more importantly, get control of the privacy and shut down all the tracking and data sharing.

That (last comment) is good to know - is it covered in one of the links you shared?

Is that different if you have a company controlling the phone’s work profile, or just across the board with work profile regardless of user implementation/situation?

e.g. in my case I don’t have a company accessing the device in anyway, other than 2 Microsoft apps that are connected to company servers/network.

I recall a commentary somewhere relatively recently saying something like that (Apple is better) but don’t recall where and don’t know if there was any reference for it. I have not thought much about randomised MAC addresses; I assumed they were good practice now, as I do recall some concerns expressed originally back whenever (2017?) but assumed that had long since been resolved.

Sandboxing is a larger term which has been deployed more broadly than its original and current use by security services, for example.
So no, we should not have called that sandboxing. Because they are also calling the pooling of fingerprinting together sandboxing → which it is not.

So work profile → no good. User profile → a bit better because different encryption key, different password, etc.
And it’s not about being Edward Snowden here. It is about the fact that you are being lied to by a technical term which was relevant to very specific things.

You don’t need a link to verify that.
Do a simple test.
Use an installer tool on user profile one and user profile 2. Try to install the same app with the same ID. You should get an error from this. If not, good, that means they have finally accepted to implement cloned IDs of the same app. But that was still the case a year and a half ago.

As mentioned in the link I have given, but you can read the whitepapers about it, which are freely available on Privacy Guides for the average person.
Different encryption key, etc. This is not the case for the work profile. Work profile is ACLs, basically.
Let’s say Pegasus has infected your phone, or one of the dozen derivatives in circulation at this very moment, including poisoning malware coming in via WhatsApp. And no, you don’t need to be a spy to be infected by those. This is used by local police in western Europe on a regular basis. The head commissioners from the capitals of several western European countries were invited to Israel during the last 2 months and had to decline because of the public outrage over the Palestinian genocide. That was for NSO’s and other firms’ new product presentations. This includes the new Cellebrite version, BriefCam, etc.
So really we are not talking about being Snowden here; this is for the average commoner. And I won’t even mention the US with their yottabytes of datacenter in Utah, created by the Navy for the main purpose of the NSA, plus all the similar DCs which have popped up around that same datacenter from Big Tech (doing mostly the exact same thing, but that’s for another debate).
So back to our story: when the DI have a doubt about you and your activities, they will ask the equivalent of the DA here in Europe for a communication interception and a following procedure through cameras. Which is done by infecting your phone in some cases and following you through ANPR cameras with the BriefCam software, which uses AI to follow you camera by camera.
So those pieces of software, like Pegasus, will have access to your entire phone whether it is a work profile, another user profile or whatever.
That’s why, in that context, you can just trash the word sandboxing.
I don’t have a real problem with that per se; I have a problem with it because:
1/ crippling cryptography
2/ Interpol database, same as the NSA
3/ no judicial oversight, done by the executive branch. Officers are abusing their powers most of the time and don’t even have a degree, so no knowledge of the penal code.
4/ corruption of those same police officers having those tools at hand.

No, randomization of MAC addresses has not been resolved. This is a complex algorithmic issue. And should I remind you, since you have worked in tech, that we are still not mitigating all the risks of predictable branches on CPUs after now more than 8 generations of CPUs. There are even more and more breaches being discovered.
Wi-Fi is still not secure, since even WPA3 is crackable.
And only the Chinese have broken the barrier of the 8.5Gb limit that we have on consumer fibre with their OTN up to 10Gb. And they now have a better algorithm than Dijkstra’s, which I am sure you have used for years thinking this is the best we can do, because this was considered a Neperian logarithmic problem → so unsolvable according to us. Well, they did solve it.

So really, no, don’t assume things. Ask people who actually know in depth the fields you are researching.

P.S.: one last bit of pointers @Mycenius: you need to understand that we are in the timeframe of “store now, decrypt later”. If you don’t know what I am talking about, you can search for it or participate in actual non-profits who organize such talks every month in most western countries. Or talk to people like me.

2 Likes
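The poster above suggests checking for yourself what the platform knows about apps across users. The script below is an added example (not from any poster, iodé or Shelter) for the enumeration side of that check: it compares the package lists Android reports for two user IDs. A work profile is a separate Android user ID, usually 10 or higher, and `adb shell pm list users` prints the IDs on a device. The `adb`/`pm` commands are standard Android tooling; the two package lists embedded in the script are constructed sample output in the real `pm list packages` format, and the package names in them are sample values only, so the script runs offline.

```shell
#!/bin/sh
# Added example: compare the package lists Android reports for two user IDs
# (e.g. user 0 = personal profile, user 10 = a work profile created by Shelter).
#
# Constructed sample output in the format of `adb shell pm list packages --user <id>`
# (one "package:<name>" line per installed package). Names are sample values only.
SAMPLE_USER0='package:com.android.settings
package:com.microsoft.teams
package:org.fdroid.fdroid
package:com.microsoft.office.outlook'

SAMPLE_USER10='package:com.android.settings
package:com.microsoft.office.outlook
package:com.microsoft.teams
package:net.typeblog.shelter'

# pkg_names LIST: strip the "package:" prefix and any CR that adb shell adds,
# and emit one sorted, de-duplicated package name per line.
pkg_names() {
    printf '%s\n' "$1" | sed -n 's/^package://p' | tr -d '\r' | sort -u
}

# common_packages LIST_A LIST_B: package IDs the platform reports for BOTH users.
# Each input is already unique, so a name that appears twice after concatenation
# is present in both lists; `uniq -d` prints exactly those names.
common_packages() {
    { pkg_names "$1"; pkg_names "$2"; } | sort | uniq -d
}

# only_in_second LIST_A LIST_B: package IDs present for user B but not for user A.
# LIST_A is fed twice so that its names can never be unique (they occur 2 or 3
# times); only names that occur once, i.e. B-only names, survive `uniq -u`.
only_in_second() {
    { pkg_names "$1"; pkg_names "$1"; pkg_names "$2"; } | sort | uniq -u
}

# live_check USER_A USER_B: the same comparison against a connected device.
# Needs adb and USB debugging; `adb shell pm list users` shows the user IDs.
live_check() {
    a=$(adb shell pm list packages --user "$1")
    b=$(adb shell pm list packages --user "$2")
    printf 'Package IDs reported for both user %s and user %s:\n' "$1" "$2"
    common_packages "$a" "$b"
    printf 'Package IDs reported only for user %s:\n' "$2"
    only_in_second "$a" "$b"
}

# Offline demonstration on the constructed sample lists.
printf 'Sample: installed for both user 0 and user 10:\n'
common_packages "$SAMPLE_USER0" "$SAMPLE_USER10"
printf 'Sample: installed only for user 10:\n'
only_in_second "$SAMPLE_USER0" "$SAMPLE_USER10"
```

`live_check 0 10` runs the comparison against a real device. Note what the result does and does not tell you: a non-empty intersection shows which package IDs the platform reports as installed for both users (the APK is shared, each user has its own data directory); it says nothing by itself about what an app in one profile can read from the other, which is what the permission and cross-profile settings discussed earlier in the thread govern.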

Oh yes, absolutely! I am fully across that - talked about it extensively, especially a lot a couple of years ago when LastPass had that massive data breach and many of the vaults stolen had older levels of encryption - people were all “it’s okay, it’s encrypted, they can’t get in” - trying to explain to them it’s a ticking time bomb and eventually (sooner or later) that data will be cracked was a lost cause!! Not helped by LP’s incompetence (or rather negligence) where some customers’ vaults were only hashing a handful of times as they weren’t auto-updating to the latest level of encryption (or at least notifying customers to manually change it)!

I am not worried about hackers having the capabilities to decrypt those data dumps any time soon.
There are more urgent matters than this, honestly.

Yeah, ditto - but they will one day. I really just mentioned it as a simple example of how all encryption will eventually be broken - it just needs enough time and enough computing power in some combination, etc., if the level of encryption remains static.


Wow... my lack of fear (being able to undo whatever I did) bit me in the donkey.

I didn’t follow what you were saying... those steps are either different now (we’re on iode 6.9), or you didn’t show your work. Either way, I just gave it a go... big mistake. And uninstalling, then re-installing the Shelter app leads to errors now (I guess I have to delete my work profile... wherever that menu combination is located).

In any case, if anyone can point to a step-by-step demo or maybe a video, please share.


Edited to add... I read the rest of the thread, so it seems pretty pointless to worry about a Work profile, since the data seems to get mined regardless.


Edited to add another comment... doing a search for “work profile” on the Brax3 gets a result labeled “More security & privacy”. Select it.

Scroll down and tap of “Device admin apps.” You should be able to use that to remove the work profile.

Hope that helps someone else (not commenting on the merits or lack thereof of work profile... there’s conflicting information there... this is just if you decide to undo the Shelter app’s efforts on your behalf).

2 Likes

“tap on” not of.

iode says (or maybe implies) that separate users and profiles are a good security practice.

Maybe not sandboxing per se, but without getting into the weeds... is what is discussed in this thread (and at that link) still a best practice? (I honestly don’t know... I’m asking.)

1 Like