Intro

User profiles in GrapheneOS (and other Android ROMs) are a useful mechanism for compartmentalising different use cases of a phone into isolated areas, but this isolation can make it difficult to move files between profiles when needed.

This post will show a relatively easy way to share files between profiles.

Motivation

Even heavy FOSS advocates sometimes need the convenience of their Banking apps, Travel/Airline apps and other occasionally used apps. However, you may not want to install these closed-source or privacy-invasive apps alongside the rest of your user data and other applications.

One of the pain points of using separate user profiles in Android is how difficult it can be to share data between the isolated profiles. You may want to copy a username/profile from your password manager in your Main profile to a Travel profile, or copy a verification URL, photos/pictures, plane ticket PDF, etc.

Outline

  1. Install Syncthing on Main/Admin profile and other Profile
  2. (Admin Profile) Configure Server-side settings
  3. (Other Profile) Configure Client-side settings
  4. (Admin Profile) Accept/allow device from Other Profile

Full Steps

Installing Syncthing

Syncthing can be installed via F-Droid.

If you already use Syncthing for other use cases, you can install one of the Syncthing forks such as Syncthing Fork.

In GrapheneOS, you can install apps from your Admin profile into User Profiles via user settings (Settings -> System -> Multiple users -> <select user profile> -> Install available apps -> toggle Syncthing).

Configure on Admin Profile

Once you have installed Syncthing on your Admin Profile, open it and go to Settings.

Under Syncthing Options:

  1. Change Device Name -> Admin
  2. Change Sync Protocol Listen Address to something like tcp://127.0.0.1:23001
  3. Disable the following checked options: Enable NAT Traversal, Local Discovery, Global Discovery, Enable Relaying since we will only be using Syncthing locally, on-device

Before starting to configure your other/client profile, note down the Device ID of your Admin Profile; you will need this later.

Since this ID is long, a quick easy method to share it is to take a screenshot, and use a secure Messenger or your own secure file server to share this to another local device/computer, so that you can simply scan the QR code later.

Configure on Other Profile

Make sure you have installed Syncthing on the Other profile (see Installing Syncthing).

First Dialogue

  1. Continue
  2. Storage Permission: Allow storage. I prefer to only allow specific storage access via Storage Scopes. I created a new folder called MultiProfile which I allowed Syncthing access to.
  3. Location Permission: I prefer not to enable this, although you can enable this to have Syncthing only try and sync when connected to certain WiFi networks, if you prefer.
  4. Notification Permission: shows when Syncthing is running, plus requests for initial folder sharing. I prefer to enable this, although it might be possible to disable it.

Initial Setup

Syncthing auto-configures a share on your DCIM / Camera folder, although if you set up Storage Scopes like I recommended above, this will show a red error. I always just delete this.

Open Settings, in Syncthing Options:

  1. Change Device Name -> Other Profile
  2. Change Sync Protocol Listen Address -> whatever you chose above when setting up the same option in the Admin Profile
  3. Disable the following checked options: Enable NAT Traversal, Local Discovery, Global Discovery, Enable Relaying since we will only be using Syncthing locally, on-device

Adding the device

On the main screen of Syncthing, go to the Devices tab and press + Add Device, then fill in:

  1. Device ID as the Admin Profile’s ID we saved earlier (or scan via QR Code)
  2. Enter the name Admin
  3. Change the dynamic (link) field to your admin endpoint from earlier (tcp://127.0.0.1:23001)
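To confirm that a profile's Syncthing really stays on-device after these steps, the settings can be checked in its config.xml. The following is an added example, not part of the original post: it assumes you have a copy of that profile's config.xml, uses Syncthing's config.xml element names for the options changed above, and runs on a constructed sample with placeholder device IDs.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# config.xml names of the four options the steps above switch off
MUST_BE_FALSE = ("natEnabled", "localAnnounceEnabled",
                 "globalAnnounceEnabled", "relaysEnabled")

# Constructed sample for the Other Profile; device IDs are placeholders
SAMPLE = """<configuration>
  <device id="OTHER-ID" name="Other Profile"><address>dynamic</address></device>
  <device id="ADMIN-ID" name="Admin"><address>tcp://127.0.0.1:23001</address></device>
  <options>
    <listenAddress>tcp://127.0.0.1:23001</listenAddress>
    <globalAnnounceEnabled>false</globalAnnounceEnabled>
    <localAnnounceEnabled>false</localAnnounceEnabled>
    <relaysEnabled>false</relaysEnabled>
    <natEnabled>false</natEnabled>
  </options>
</configuration>"""

def is_loopback(addr):
    """True only for an explicit loopback IP such as tcp://127.0.0.1:23001."""
    host = urlsplit(addr.strip()).hostname or ""  # empty for default/dynamic
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # keywords and hostnames do not prove loopback

def audit(config_xml, own_id):
    """Return findings; an empty list means the config stays on-device."""
    root = ET.fromstring(config_xml)
    opts = root.find("options")
    if opts is None:
        return ["no <options> element"]
    findings = []
    listen = [e.text or "" for e in opts.findall("listenAddress")]
    for addr in listen or ["(unset)"]:
        if not is_loopback(addr):
            findings.append(f"listenAddress not loopback: {addr}")
    for name in MUST_BE_FALSE:
        if (opts.findtext(name) or "").strip().lower() != "false":
            findings.append(f"{name} is not disabled")
    for dev in root.findall("device"):
        if dev.get("id") == own_id:
            continue  # the local device's own entry keeps 'dynamic'
        for a in dev.findall("address"):
            if not is_loopback(a.text or ""):
                findings.append(f"peer {dev.get('name')} address: {a.text}")
    return findings
```

Call `audit(SAMPLE, own_id="OTHER-ID")` with the profile's own device ID; any returned finding names a setting that still lets Syncthing listen or announce beyond loopback.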

Accept on Admin Profile

Go back to the Admin Profile and you should see a request from your Other Profile to add as a device.

To share folders, you should add a folder on your Admin device.

Whenever you add a new device/profile, you will need to enable it to have access to a shared folder.

This property of Syncthing lets you set up your shared profiles in a different way: you share a specific sub-folder with each profile, so that the only way to share data between profiles is Admin <-> Other profiles, with no shared folders between Other1 <-> Other2.

Once you accept, you should be able to seamlessly transfer files between these two profiles.

More Profiles

You can repeat the previous 2 steps for more profiles, to allow all profiles to have a shared folder.

You could create a different shared folder for each Admin/Other profile combo, if you want.

Conclusion and Alternatives

This is a relatively easy way to set up a seamless shared folder experience between different Android User Profiles.

However, you may not want to set up an always-on service, or you may only want to selectively share certain files.

So here are some alternatives.

USB Stick

This is the simplest approach possible, and was my preferred method before discovering the local Syncthing method.

Simply carry around a USB-C memory stick, and copy files on and off it to move them between the profiles.

This is a bit clunky but highly effective, and requires 0 extra setup.

SFTP Server

This is very similar to the Syncthing steps, but instead of Syncthing, set up an SFTP Server on the Admin Profile.

You set up an SFTP server on the Admin Profile and connect to the server from User profiles to selectively copy files over. This is a more involved set-up, and has the disadvantage of requiring each file to be individually copied over when required, whereas with Syncthing, the files will just automatically sync between user profiles as long as the file is placed in the shared folder.

There are a couple of File Manager apps (such as Material Files) which include an FTP Server; this can be a quick-and-easy method to have both a client and server within 1 app.