When I run Obsidian for the first time, it requests the storage permission which allows it to access everything saved on my phone. I don’t trust Obsidian and thus I don’t want it to be able to do that. But if I don’t give Obsidian this permission, it doesn’t work.
Instead of requesting the storage permission, Obsidian should either
Save the vault in either Android/data/md.obsidian or Android/media/md.obsidian. AFAIK, it can access these directories without any permissions.
or ask the user where to keep the vault, let the user choose a directory and ask for access only to that directory.
The current setup gives a non-technical user the impression that their notes are private, while in reality they probably have a lot of other random apps that can read their notes in shared storage.
Of course, their ignorance is their fault but in researching this I found that the reality is that a lot of experienced users didn’t consider the scenario of an attack by a rogue app from the Google Play app store taking and uploading their notes, which might contain passwords.
ScopedStorage would be great to use. Thank you for informing us in the docs that it lags too much to be usable at this point.
I found that Cryptomator uses a ContentProvider so maybe this could be a solution for now?
This is a compelling concern but I think I prefer usability and speed over protecting my files from every other app if that will slow the app down. My files are in the open and unencrypted at rest on my desktop devices, after all.
I don’t feel that I am likely to install apps which might be scraping plaintext files for sensitive data.
(In your example of passwords I think they should be in a secure system like a password manager; even letting Google manage them would be better than trying to manage them in Obsidian)
Reading how that works, it sounds very slow? Nextcloud and other apps utilize this feature (pull the file, create a sharing copy, generate a share link, etc)