I was wondering how/where Cryptomator stores its config files/stored webdav credentials on android, and are they protected/encrypted in any way from viewing outside the application itself.
Scenario. (Tin foil hat question!)
I have 2 email accounts.
me@google is very public. I use this with my android phone/apps, expecting google and any 3rd party app with privileges (eg get_accounts) to know how and where I use this. I have no expectation of privacy here, its linked to my phone number / social media apps etc.
me@secure is very private. I use this with a limited set of ethical people/providers. I keep it well clear of facebook/google etc. For this reason its never signed in from my android phone.
One of my cloud providers is registered with my secure email address.
If i create a https://webdav.myserver.com:443 account Within cryptomator for me@secure , is this email address or webdav password exposed in any way to the underlying android OS or file system?
Does your question go in the direction of Android OS and file system or more in the direction of other apps or Google e.g. Play Services?
When setting up the first WebDAV connection, we’re generating a password and storing this password in the android keystore. Now we encrypt the password to your cloud connection using the password stored in the keystore and save this ciphertext together with other details of your cloud connection (username, URL) in our sqlite database inside the app specific storage.
Both is necessary so that you don’t have to enter the password to your cloud every time you connect (therefore stored encrypted in the database located in the file system), but the password used to decrypt the password to the cloud is also protected against unwanted access (therefore stored in the android keystore).
We’re also using some other mechanism to prevent other apps from doing screenshots (e.g. while entering your cloud credentials) or preventing other apps from obscuring Cryptomator.
Both really, although more leaning towards Apps. I’ve been reviewing my app usage and web/cloud requirements. Despite running a very clean android One phone and a Lineage tablet- both with minimal apps - , looking at active network connections and reviewing trackers/permissions per apk( https://reports.exodus-privacy.eu.org/en/ ) never fills me with confidence!
Glad to see much thought has gone into securing the android app. Certainly for the tablet I’ll be looking at re-purchasing cryptomator as an APK and removing play services entirely in the near future!