Private space

Figure 1. The private space can be unlocked and locked to show or hide sensitive apps on a device.

Private Space enables users to create a secure, isolated environment on their device to keep sensitive apps away from prying eyes. Apps in the private space show up in a separate container in the launcher, and are hidden from the recents view, notifications, settings, and from other apps when the private space is locked.

The sandboxed space is a separate Android profile. When the end user adds or installs an app inside the private space, the app is installed in this new Android profile. The system treats this as a fresh app install, and no app data is copied over to the private space. When the space is locked, the private profile user is stopped, and when the space is unlocked, the user is started.

Apps in the private space are installed as separate copies of the apps in the main space. User content (user-generated or downloaded) and user accounts are separated between the private space and the main space. You can use the system Sharesheet and the Photo Picker to give apps access to content across spaces only when the private space is unlocked.

Private space is based on the Android multi-user model and adds the following profile and user type:

Profile: Private
User type: android.os.usertype.profile.PRIVATE

Settings and Launcher apps

You need to update settings and launcher apps to support lock, unlock, and hidden states. When private space is locked, the launcher provides an entry point to unlock it (except in the hidden state). When private space is locked, the settings app must not reveal the existence of private space.

Use LauncherApps#getLauncherUserInfo to identify the private profile user. Launcher apps need to register for the broadcasts that signal the locked state and the unlocked state, and change the state of private space in their UI when these broadcasts are received. Both of these broadcasts have an extra constant called EXTRA_USER that you can use to refer to the private profile user.

Launcher apps can use the UserManager.isQuietModeEnabled method to check the private profile state.
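The launcher-side flow described above, as an added example that is not AOSP launcher code: it finds the private profile user, listens for the lock and unlock broadcasts, and re-checks quiet mode before updating the UI. PrivateSpaceTracker and onStateChanged are hypothetical names, and the broadcast actions Intent.ACTION_PROFILE_AVAILABLE and Intent.ACTION_PROFILE_UNAVAILABLE (Android 15 SDK) are assumed here because this page does not name them.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.content.pm.LauncherApps
import android.os.UserHandle
import android.os.UserManager

// Hypothetical helper. Assumes API 35+, and that the app holds
// ACCESS_HIDDEN_PROFILES and the ROLE_HOME role.
class PrivateSpaceTracker(
    private val context: Context,
    private val onStateChanged: (locked: Boolean) -> Unit, // hypothetical UI callback
) {
    private val launcherApps = context.getSystemService(LauncherApps::class.java)
    private val userManager = context.getSystemService(UserManager::class.java)

    // Returns the private profile user, or null if no private space exists
    // (or the launcher is not allowed to see it).
    fun findPrivateUser(): UserHandle? = launcherApps.profiles.firstOrNull { user ->
        launcherApps.getLauncherUserInfo(user)?.userType ==
            UserManager.USER_TYPE_PROFILE_PRIVATE
    }

    // A locked private space means the profile user is stopped (quiet mode).
    fun isLocked(user: UserHandle): Boolean = userManager.isQuietModeEnabled(user)

    private val receiver = object : BroadcastReceiver() {
        override fun onReceive(ctx: Context, intent: Intent) {
            val user = intent.getParcelableExtra(Intent.EXTRA_USER, UserHandle::class.java)
            // Work and clone profiles raise the same actions; react only to the private one.
            if (user == null || user != findPrivateUser()) return
            // Re-query the state instead of trusting the action string alone.
            onStateChanged(isLocked(user))
        }
    }

    fun start() {
        val filter = IntentFilter().apply {
            addAction(Intent.ACTION_PROFILE_AVAILABLE)   // unlocked
            addAction(Intent.ACTION_PROFILE_UNAVAILABLE) // locked
        }
        context.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED)
        // Sync the UI with the current state before the first broadcast arrives.
        findPrivateUser()?.let { onStateChanged(isLocked(it)) }
    }

    fun stop() = context.unregisterReceiver(receiver)
}
```

When the callback reports locked, the launcher should drop any cached icons, labels, and shortcuts for the private profile so nothing from it stays on screen.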

Private profile

The private profile adds the new profile type android.os.usertype.profile.PRIVATE for use with private space. The private profile can exist on the same device as a work profile and a clone profile. It is a sandboxed space separate from the main Android user. When the private space is unlocked, the apps become visible in settings, Sharesheet, Photo Picker, and DocsUI. The apps inside private space aren't shown in any of these surfaces when private space is locked. Private space can have only one instance on a single device, and can exist only for the main user (not for secondary users or within other profiles).

Permissions

Launcher apps must have the android.permission.ACCESS_HIDDEN_PROFILES permission and the android.app.role.RoleManager.ROLE_HOME role to access private profiles.

Implementations not using the AOSP launcher need to modify their launcher to add support for the private profile. Read more about developing a launcher app with private space at Launcher apps on our developers site.

Intents

Telephony intents are routed to the main user and display a notification. All other intents are limited to the private profile and are not redirected.