GrapheneOS – Part 5 – App Separation and Termination in the Private Space

In part 3 of this series, I took a look at how Google Play Services and closed source commercial apps from the Google Play store can be separated into Android’s private space to deny them access to any data on the device. I really like this separation, and having used it for some weeks now, I have noticed two additional nifty features: app termination and network separation.

Terminating All Apps With the Click of a Single Button

One of the things I really don’t like about closed source commercial apps is that I don’t know what kind of data they are collecting and whether they keep working in the background when I’m not using them. The good thing: as I keep them in Android’s private space, there is no data to exfiltrate, perhaps with the exception of my current location, to which these apps do not have access. So that should be fine. The only thing that apps in the private space might know about me is my current IP address. That’s bad enough, but I’ll live with it for now.

When pressing the ‘lock’ button on my phone to turn off the screen, all apps in the normal user profile as well as in the private space continue to run. That makes sense, so that apps such as banking apps in the private space can be notified over the network of live transactions. When I unlock the device again, I have to unlock the private space again with a PIN or the fingerprint reader. So far so good.

And here comes an extra twist: it is possible to lock the private space from the apps menu by tapping on the little lock icon there. When doing this, all apps in the private space are terminated! Even Google Play Services and Firebase Cloud Messaging (FCM) stop running, TCP connections get reset and everything stops. Wow! I feel empowered!

Network Separation

And the second thing I noticed is that the network connectivity of apps running in the private space is completely invisible to anything running outside the private space. I noticed this when testing Wireguard. While all traffic of the normal user profile runs through the Wireguard tunnel (except the network connectivity check), the complete network traffic of apps in the private space keeps running outside of the VPN tunnel. It makes sense from a privacy point of view, as otherwise apps on the outside that handle the VPN could spy on the network traffic of the apps in the private space. For my application, i.e. separating the closed source commercial apps, it is of course not ideal. But if one is aware of the consequences, i.e. the network traffic of these apps is visible to the local network as it runs outside the Wireguard tunnel, it is something I can live with as well.
