[FR] Make Obsidian work on Android without asking for storage permissions

Platform

[ ] iOS
[X] Android

Obsidian Mobile version: v0.1.1


When I run Obsidian for the first time, it requests the storage permission which allows it to access everything saved on my phone. I don’t trust Obsidian and thus I don’t want it to be able to do that. But if I don’t give Obsidian this permission, it doesn’t work.

Instead of requesting the storage permission, Obsidian should either

  1. Save the vault in either Android/data/md.obsidian or Android/media/md.obsidian. AFAIK, it can access these directories without any permissions.
  2. or ask the user where to keep the vault, let the user choose a directory and ask for access only to that directory.
3 Likes
  1. Obsdian uses a shared location “/Documents” so that other apps can access the files (e.g. third party sync services) or add stuff.
    This is feature not a bug.

  2. Even with storage permission enabled, Obsdian can’t access other apps private data.

I am gonna relabel this as FR.

Even with storage permission enabled, Obsdian can’t access other apps private data.

That’s false. It can access my photos, everything I sync using syncthing, files I download from my Nextcloud using the Nextcloud app, all files I download from Telegram.

Obsdian uses a shared location “/Documents” so that other apps can access the files (e.g. third party sync services) or add stuff.

That’s probably possible without android.permission.READ_EXTERNAL_STORAGE if Obsidian instead just asks me where I want to keep my vault and lets me choose the “/Documents/vaultname” directory.

Yeah, but those are not in other app’s privata data, that’s sharable media files.

I understand your POV and I am also aware that there are recent changes in Androind 11 API regarding FS access.

In the future, we’ll look if it’s possible to use private location or a public location with scooped access (hoping that it is compatible with the file watcher we rely on).

3 Likes

This is CRITICAL.

The current setup gives a non-technical user the impression that their notes are private, while in reality they probably have a lot of other random apps that can read their notes in shared storage.
Of course, their ignorance is their fault but in researching this I found that the reality is that a lot of experienced users didn’t consider the scenario of an attack by a rogue app from the Google Play app store taking and uploading their notes, which might contain passwords.

ScopedStorage would be great to use. Thank you for informing us in the docs that it lags too much to be usable at this point.

I found that Cryptomator uses a ContentProvider so maybe this could be a solution for now?

2 Likes

This is a compelling concern but I think I prefer usability and speed over protecting my files from every other app if that will slow the app down. My files are in the open and unencrypted at rest on my desktop devices, after all.

I don’t feel that I am likely to install apps which might be scraping plaintext files for sensitive data.

(In your example of passwords I think they should be in a secure system like a password manager; even letting Google manage them would be better than trying to manage them in Obsidian)

Reading how that works, it sounds very slow? Nextcloud and other apps utilize this feature (pull the file, create a sharing copy, generate a share link, etc)

1 Like

You know what? I think you’re right.
This could be feature creep.
This is a job for the operating system. The o/s is at fault here.

Having said this, allowing Cryptomator to work with Obsidian, I think, would be the best compromise for all.

1 Like

I am going to archive this. Please follow this FR: