Cloud access token storage

Here you state how the token that is used for access to a cloud account is secured on iOS.

How is the token stored in the Android app?

On Android it is basically the same as on iOS.

Cryptomator uses the official SDKs of the cloud storage providers. All of them use OAuth for authentication. That means the app launches some UI not written by us but by the cloud provider, and that is where you enter your password. The app then gets a so-called access token, which is used by the Cryptomator app as a replacement for your password. It is not your password, though.

Keep in mind that all this information always stays on your device. So even when you enter your credentials in the app and grant access to it, we never get access to your vault; it is still only you who is able to access your cloud through our app using your device.

When you log in to e.g. Dropbox, you can see which applications have access to your cloud. Cryptomator is listed there too after you have granted access. You may remove Cryptomator from there at any time, and afterwards the app will no longer be able to access your cloud.

There is one exception, though: Cryptomator actually stores the cleartext credentials for WebDAV. But(!) the password is stored encrypted on your device. There is no other way around this; the password is needed for authentication. That's why some cloud storage services require the user to create external passwords for WebDAV access.

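The answer above describes two kinds of secrets the Android app has to keep: an OAuth access token (which stands in for the password and can be revoked at the provider) and, for WebDAV, the actual password, stored encrypted on the device. The sketch below is an added illustration of how such a secret is typically sealed on Android with a non-exportable key in the Android Keystore; it is not Cryptomator's code, and the key alias, the `CredentialVault` name and the blob layout (12-byte IV followed by ciphertext and GCM tag) are assumptions for the example.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Illustrative credential store, NOT Cryptomator's implementation.
// Seals an OAuth access token or a WebDAV password with an AES-256-GCM key
// that lives inside the Android Keystore (hardware-backed where available).
object CredentialVault {
    private const val KEYSTORE = "AndroidKeyStore"
    private const val ALIAS = "example.credential.wrap" // assumed alias
    private const val TRANSFORM = "AES/GCM/NoPadding"
    private const val IV_LEN = 12   // Keystore GCM IVs are 12 bytes
    private const val TAG_BITS = 128

    // Returns the wrapping key, generating it on first use. The key material
    // cannot be exported from the Keystore; only encrypt/decrypt operations
    // are permitted on it, so a copied data directory is useless by itself.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getEntry(ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
        val spec = KeyGenParameterSpec.Builder(
            ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }

    // Encrypts a secret (token or password as UTF-8 bytes). The Keystore
    // chooses a fresh random IV for every call; supplying our own IV in
    // ENCRYPT_MODE would be rejected unless randomized encryption is disabled.
    // Output layout (assumed for this example): iv || ciphertext || tag.
    fun seal(secret: ByteArray): ByteArray {
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.ENCRYPT_MODE, key())
        val ciphertext = cipher.doFinal(secret)
        secret.fill(0) // best effort: drop the plaintext copy we were handed
        return cipher.iv + ciphertext
    }

    // Decrypts a blob produced by seal(). A tampered or truncated blob fails
    // the GCM tag check and throws AEADBadTagException instead of returning
    // garbage that would then be sent to the server as a password.
    fun open(blob: ByteArray): ByteArray {
        require(blob.size > IV_LEN + TAG_BITS / 8) { "blob too short" }
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN))
        return cipher.doFinal(blob, IV_LEN, blob.size - IV_LEN)
    }
}

// Usage (constructed sample, not a real credential):
// val blob = CredentialVault.seal("correct horse battery staple".toByteArray())
// persist `blob` in app-private storage; later:
// val webdavPassword = CredentialVault.open(blob)
```

The point the example makes concrete is the asymmetry the answer describes: for OAuth providers the sealed value is only a token, so removing the app from the provider's "connected apps" page invalidates it regardless of what is on the device; for WebDAV the sealed value is the password itself, so the encryption at rest (and, ideally, a dedicated app password on the server side) is all that stands between a copied blob and the account. Keystore-wrapped blobs are also tied to this device and key alias, which is why they do not travel with an ordinary backup.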