When the vault is created in /sdcard, all files and images inside it are accessible to other apps — the image files in the vault become visible in the gallery app and file manager app.
From my knowledge this is not a problem if the vault is created in Obsidian’s app-specific directory on Android.
For what it’s worth, I think this should be a priority feature request. It’s good for the users’ privacy and clarity, but it’s also good for Obsidian’s growth as a business.
We should be able to use the private app data area for secure notes rather than only being able to sync notes to the locally shared/public areas that other apps have access to.
Using the private area for notes would be a huge privacy and security benefit for Obsidian mobile - especially for attracting more paid users, and providing for the existing paid Sync service users.
I understand that it’s important for some users to have the option to store notes in the locally shared public areas of their phone so that a third party synchronisation app can be used, however, not being able to use the private isolated app data area undermines the benefit of using the paid Obsidian Sync service, especially the end-to-end encryption privacy.
I would argue that having your notes stored unencrypted locally on your computer is acceptable, but far less acceptable on your phone, as users have less technical control over their phone’s data when compared to computers, along with the unavoidable accessibility/insecurity of a portable device like a phone. I’m not suggesting app-level encryption-at-rest or anything major, but at least being able to use the private app data area seems like a super important step.
+1 I would love to see an option to keep plaintext note files private. I have a large number of Android apps on my phone with access to shared storage that I don’t trust to access sensitive information.
All the other data in Android shared storage I consider non-sensitive, so right now this prevents me from putting especially private notes in Obsidian on Android.
Any news? It seems like a simple thing to implement but does that show my ignorance to this?
Even though I’m on GrapheneOS, some apps also demand full storage access as well so I either have to trust them to play fair or try to find another app.
Because of this, I use StandardNotes for very sensitive stuff but when I think about it, my data isn’t just my data; but other people’s in a way and I’d really like to improve that.
Quick question: What other apps do you use that require full filesystem access and network connectivity? It would be good to get an idea of the scale of the threat to us all as a group.
Unless I’m wrong, but even if you create an app specific folder (which is currently supported), a file manager app that for example would have the “all files access” would still be able to see that. I just tested this.
They’d have to implement their own encryption system to store the files in an encrypted state so that other apps couldn’t see it.
So what I do is just make sure that only open source / trusted apps have the ‘all files access’ permission.
Maybe there’s a miscommunication here. But see this video, where I create a new vault in a new folder. But an app with ‘all files access’, like I have given to ‘Files by Google’ here, can just read those files. Not rooted, Android 13. https://youtu.be/4tIRHDWynMI @WhiteNoise
Currently the vault is saved in plain text in the shared folder. I understand that this is necessary to offer sync with third parties (maybe even necessary for your sync), however this gives all apps access to my partly very private notes. Which is unacceptable. At this point I can’t use the mobile app with a good feeling.
Possible Fix / Feature:
Save the vault in the application storage, where it is protected by Android sandboxing. You can then save an optional “backup” / sync dummy to the shared file system which can be used by external programs. To make this option useful, this backup file should be encrypted by a user-set password. Ideally in a file-based manner, so that only changed files will be synced.
For the desktop app you could add the same feature.
In my personal experience, the only way to achieve something like this at the moment is by utilizing GrapheneOS.
With this you can enable Storage Scopes for apps that you want limited access to your storage.
I believe you can’t just add a storage scope to Obsidian and call it a day, but you need to add storage scopes to all the apps you want to restrict their access.
Is there any update on that front?
I love using Obsidian on my computer and from what I have seen, the Android app has really improved in leaps and bounds.
However, I am currently still forced to use Joplin on my phone (which is decent but just not able to compete when it comes to UX) out of privacy concerns.
I do trust the creators of Obsidian - within reasonable bounds - but no app on my phone (except the ones from the manufacturer) gets the out-of-jail free card of being allowed to access all files.
As mentioned several times: some of my notes contain sensitive information which I certainly do not want any other app to see.
Is there any chance that Obsidian will - at some point - support the feature of putting the vault in its own app-private folder?
I also share the concerns raised in this thread. I just started using Obsidian on my personal computer and subscribed for sync service, intending to also use the app on my phone. But I’m very hesitant to give any app edit permissions for all files on my phone, regardless of my trust in the developer. Every other app I’ve installed so far has had permissions to access certain files or folders only.
I understand the intent of letting users choose the sync method of their choice.
How about giving a simple, reliable and private option to the users who won’t bother to fiddle with 3rd party sync apps?
The private storage feature would only work with Obsidian Sync; it would incentivize users to upgrade to a paid subscription.