1. Forum
  2. Newsgroups
  3. comp.mobile.android

  • Containment Strategies for Android Apps (No Root Required)

    From Marion@marion@facts.com to comp.mobile.android,alt.privacy on Fri Sep 5 01:42:04 2025
    From Newsgroup: comp.mobile.android

    Can we discuss containment strategies for Android apps (no root required)

    In another thread, Andy, AJL & I were discussing how to sideload with
    greater safety but with less intrusion than what Google plans on doing by blocking sideloaded apps whose developers lack Google formal relationships.

    All Android apps already run in isolated sandboxes by default. But that
    doesn't mean they can't ask for permissions to access your contacts,
    location, storage, etc. So while the OS gives you a sandbox, it also hands
    apps the keys to your data if you're not careful.

    It turns out I had already been experimenting with Android app containment lately by trying to sandbox sideloaded apps (and even system-level services like Google Play Services without root as USA Galaxies are unrootable).

    However, it's kind of like trying to tame a shark in a bedroom fishbowl.

    With that caveat in mind, I wonder aloud whether a focused sideloading containment strategy may be a topic worth discussing on this newsgroup?

    Here's what I've learned so far:
    1. Android apps are sandboxed by default, but they can still
    request invasive permissions.

    2. Shelter, Island & Insular use the Android Work Profile to clone
    & isolate apps (which could be great for sideloaded APKs).

    3. Unfortunately, Google Play Services (so far) can't be sandboxed
    without root or a custom ROM (and, in my case, Samsung Knox &
    Secure Folder can also interfere with these containment tools).

    Hence we may need to discuss how to better contain sideloaded apps.

    For example, TrackerControl & NetGuard offer no-root ways to block trackers
    and to control network access. Anyone have experience with this?

    REFERENCES:

    Shelter: Clone & isolate apps via Work Profile for privacy without root.
    <https://www.xda-developers.com/shelter-open-source-sandboxing-app/>

    Island: App cloning/isolation via Work Profile, dual accounts & freezing.
    <https://www.gtricks.com/android/how-to-sandbox-android-apps-for-privacy/>

    Insular: FLOSS fork of Island focused on privacy,
    (with no internet access and enhanced app control).
    <https://f-droid.org/packages/com.oasisfeng.island.fdroid/>

    TrackerControl: Blocks trackers and network access per app (no root)
    <https://trackercontrol.org/>

    NetGuard: Firewall-based control over app connections
    <https://netguard.me/>
    --
    Years ago, Andy turned me on to NetGuard & I've thanked him ever since.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Qihe@Q@invalid.invalid to comp.mobile.android,alt.privacy on Sat Sep 6 02:10:37 2025
    From Newsgroup: comp.mobile.android

    Marion <marion@facts.com> ha scritto:

    With that caveat in mind, I wonder aloud whether a focused sideloading containment strategy may be a topic worth discussing on this newsgroup?

    Thank you for sharing.


    2. Shelter, Island & Insular use the Android Work Profile to clone
    & isolate apps (which could be great for sideloaded APKs).

    This is very interesting... I'm going to read more about it.
    Island is available on f-droid so I will give it a
    try.

    |
    3. Unfortunately, Google Play Services (so far) can't be sandboxed
    without root or a custom ROM (and, in my case, Samsung Knox &
    Secure Folder can also interfere with these containment tools).

    Timeo Gms et dona ferentes!
    --
    Qihe
    --- Synchronet 3.21a-Linux NewsLink 1.2