Struggling to use the Android app... And concerned about its security

I use Cryptomator across my devices and Operating systems. I just got it going on Android today.

My use case is that I have one particular vault which holds my KeePassXC database. This vault is then sync’d across my devices with Syncthing. This way I always have access to my passwords locally, but still encrypted, and whenever I make changes to the database, those changes will be sync’d across all my devices.

The Android app worries me a little. I was able to point Cryptomator at my local vault on my phone no trouble, but struggled to find a way to actually access the files outside of the app. I was expecting a virtual folder on my internal storage, a bit like Linux, but couldn’t find one. Eventually I realised that by clicking on the KeePass database file, from within the Cryptomator app, I got the option to open that file with KeePass2Android, and everything went ok from there.

KeePass2Android then displays the filepath to the selected database on the login screen:
content://org.cryptomator.fileprovider/decrypted/filename.ext

I couldn’t find this location by searching my files on the device, but no big deal. However, I started to notice that KeePass2Android could still access this file even when the vault was locked. On my Windows and Linux devices, if the vault is locked, KeePass can’t access the database file, which makes sense and is desired behaviour. But it would seem that on my Android, I now only have 1 line of defence to my passwords, which is the database master password itself, as it doesn’t need the vault to be unlocked and decrypted to access the file. This suggested to me that once Cryptomator on Android decrypts the files, they stay decrypted.

To complicate matters further, I made some changes to the KeePass database on Android, adding a few entries for app credentials etc. But even with the Cryptomator vault unlocked, Cryptomator was still showing that the file was last modified 4 hours ago, even though I’d been adding passwords within the last few minutes.

I added a new password to the database on my Linux desktop, and sure enough, Syncthing appears to have propagated out that change to my other devices, including Android, as the database file in Cryptomator then showed that it had been modified within the last minute. But I cannot find the passwords I added on Android on any other database, and the password I added on Linux is not appearing in my Android database, despite closing KeePass2Android, locking the database, unlocking the database, and reopening KeePass2Android.

This behaviour suggests to me that Cryptomator has created an unencrypted copy of the file which is encrypted in the Syncthing folder on my Android device, at destination content://org.cryptomator.fileprovider/decrypted - which is now its own independent file, as despite receiving an updated database on the Android device, KeePass2Android does not recognise those changes, and also retains the locally made changes.

I’m aware that this is a bit of an advanced use case - pointing 3rd party apps at files in the Cryptomator vault - and hopefully I’m overreacting, but I’d like to get a better understanding of exactly how Cryptomator is handling files on my Android, and if indeed there are unencrypted versions of my files now hidden elsewhere on the Android device.

Right now, Cryptomator for Android doesn’t provide a mount point to the user. This will change as soon as #35 is implemented but for now, it isn’t possible to open a file in another app and automatically keep this file in sync with the cloud. Currently you have to upload this edited file again using Cryptomator for Android and replace the origin file.

If you open a file with an external app like Keepass, we share this file using a ContentProvider with the other application. Before that, we download, decrypt and save this file as a temporary file in the internal storage of Cryptomator for Android, to which only this app has access (/data/data/org.cryptomator/cache/decrypted/). After that, we share this file (only!) with the selected app, using a ContentProvider and only in read mode. The other application has only read access to the file and cannot modify it. This will change as soon as #15 is implemented.

This is reproducible with a lot of apps, also using Keepass: open a vault, select the Keepass file, open it, change something and press save:


That means Keepass has indeed no write permission to this file. Other apps often inform you, before pressing save, that the file is only readable and cannot be changed. Only creating a copy, changing the content and uploading it again is possible until the two features mentioned above are implemented.

The problem is, until now we are not able to know when the other app has finished reading this file; because of that, we are not able to delete the shared file as soon as it isn’t used anymore. Instead, we implemented a workaround to clear the complete internal cache folder every 5 hours.

To summarize: if a file is shared with another app, we create a decrypted copy in internal, protected, app-specific storage, share this file in read-only mode and after at most 5 hours this decrypted file is removed.

@lockbot are you sure that you didn’t use the export function, store the file on the device and make changes in that file?
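To make the mechanism from the developer’s reply concrete (a decrypted copy in app-private cache, shared with exactly one other app read-only through a ContentProvider, swept after 5 hours), here is an illustrative Android snippet. It is added for this thread and is not Cryptomator’s own code; the class name, method names and the manifest `<paths>` entry for `cache/decrypted` are assumptions, while the authority `org.cryptomator.fileprovider` and the cache path come from the thread.

```java
// Illustrative code added for this thread, not Cryptomator's own implementation.
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.concurrent.TimeUnit;

public final class DecryptedShare {
    // Authority as shown in the thread's content:// URI; the FileProvider must be
    // declared in AndroidManifest.xml with a <paths> entry covering cache/decrypted.
    static final String AUTHORITY = "org.cryptomator.fileprovider";
    static final long MAX_AGE_MS = TimeUnit.HOURS.toMillis(5);

    /** Writes plaintext to app-private cache; only this app's UID can read the path. */
    public static File writeDecryptedCopy(Context ctx, String name, byte[] plaintext) throws IOException {
        File dir = new File(ctx.getCacheDir(), "decrypted");
        if (!dir.isDirectory() && !dir.mkdirs()) throw new IOException("cannot create " + dir);
        File out = new File(dir, name);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(plaintext);
        }
        return out;
    }

    /** Builds a view intent that grants the receiver READ permission only. */
    public static Intent viewReadOnly(Context ctx, File decrypted, String mimeType) {
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, decrypted);
        Intent intent = new Intent(Intent.ACTION_VIEW);
        intent.setDataAndType(uri, mimeType);
        // Deliberately NOT adding FLAG_GRANT_WRITE_URI_PERMISSION: the receiving app
        // can open the URI in mode "r", while any "w"/"rw" open is refused by the system.
        intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return intent;
    }

    /** Deletes decrypted copies older than MAX_AGE_MS; returns how many were removed. */
    public static int sweepCache(Context ctx) {
        File dir = new File(ctx.getCacheDir(), "decrypted");
        File[] files = dir.listFiles();
        if (files == null) return 0;
        long cutoff = System.currentTimeMillis() - MAX_AGE_MS;
        int deleted = 0;
        for (File f : files) if (f.lastModified() < cutoff && f.delete()) deleted++;
        return deleted;
    }
}
```

Until the sweep runs, the plaintext copy remains on disk inside the app sandbox, which is why another app can keep opening it after the vault is locked.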

Afaik that’s the standard procedure for keepass2android (at least for the sync-enabled version), it caches the kdbx and works against that.

Also, I’d advise against using block-based sync for a keepass database.

You want all the changes to merge if working from different peers, a sync app like syncthing or resilio will only respect the file-version with the last modification time stamp.

Just be aware… If you want increased security use a keyfile in addition to the password or even better, a hardware key with a secure element such as yubikey, works very well with KeePassXC and keepass2android :+1:

EDIT: While KeePassXC is awesome with YubiKey, it doesn’t contain its own logic for sync. One could argue that it’s better for security. If you however want to sync the database on an item level, you could always give KeeWeb a try. It too is open source and cross-platform and works awesome. Doesn’t provide YubiKey support yet, but keyfile support. Its AutoType functionality works great too, so that you can store long and complex passwords for Cryptomator and have KeeWeb unlock them without using the Clipboard (which is baad).


If you try the 1.4.0-beta2 version of Cryptomator for Android, you should be able to open a Keepass file with write access, and changes will be propagated back to the cloud as soon as you navigate back to Cryptomator by closing Keepass, because “Store changes on files opened with Cryptomator directly back to the cloud” is implemented.

Using Keepass, I personally like the combination of a key file, a yubikey and the password :sweat_smile:.