I use Cryptomator across my devices and operating systems. I just got it going on Android today.
My use case is that I have one particular vault which holds my KeePassXC database. This vault is then synced across my devices with Syncthing. This way I always have access to my passwords locally, but still encrypted, and whenever I make changes to the database, those changes are synced across all my devices.
The Android app worries me a little. I was able to point Cryptomator at my local vault on my phone with no trouble, but struggled to find a way to actually access the files outside of the app. I was expecting a virtual folder on my internal storage, a bit like on Linux, but couldn’t find one. Eventually I realised that by clicking on the KeePass database file from within the Cryptomator app, I got the option to open that file with KeePass2Android, and everything went OK from there.
KeePass2Android then displays the filepath to the selected database on the login screen:
content://org.cryptomator.fileprovider/decrypted/filename.ext
I couldn’t find this location by searching my files on the device, but no big deal. However, I started to notice that KeePass2Android could still access this file even when the vault was locked. On my Windows and Linux devices, if the vault is locked, KeePass can’t access the database file, which makes sense and is the desired behaviour. But it would seem that on my Android device I now only have one line of defence for my passwords, which is the database master password itself, as the vault doesn’t need to be unlocked and decrypted to access the file. This suggested to me that once Cryptomator on Android decrypts the files, they stay decrypted.
To complicate matters further, I made some changes to the KeePass database on Android, adding a few entries for app credentials etc. But even with the Cryptomator vault unlocked, Cryptomator was still showing that the file was last modified 4 hours ago, even though I’d been adding passwords within the last few minutes.
I added a new password to the database on my Linux desktop, and sure enough, Syncthing appears to have propagated that change out to my other devices, including Android, as the database file in Cryptomator then showed that it had been modified within the last minute. But I cannot find the passwords I added on Android in any other copy of the database, and the password I added on Linux is not appearing in my Android database, despite closing KeePass2Android, locking the database, unlocking the database, and reopening KeePass2Android.
This behaviour suggests to me that Cryptomator has created an unencrypted copy of the file (which is encrypted in the Syncthing folder on my Android device) at the destination content://org.cryptomator.fileprovider/decrypted, and that this copy is now its own independent file: despite the Android device receiving an updated database, KeePass2Android does not recognise those changes, and it also retains the locally made changes.
I’m aware that this is a bit of an advanced use case (pointing third-party apps at files in the Cryptomator vault), and hopefully I’m overreacting, but I’d like to get a better understanding of exactly how Cryptomator is handling files on my Android device, and whether there are indeed unencrypted versions of my files now hidden elsewhere on the Android device.