Mishaal Rahman / Android Authority
Tl;
- An error has been detected in Samsung’s secure folder feature, which allows everyone to see the apps and images stored in it.
- This is possible because Samsung’s safe folder is set up as a working profile.
- Then, the Android settings and the permission controller app processes it as one and lets you see which apps and photos are in the safe folder, even when locked.
If you own a Samsung device and want to keep some files, photos, videos or apps hidden from other people you will use Samsung’s secure folder feature. The feature creates a new profile with its own storage space and screen lock, keeping your sensitive apps and files private. Or we thought until an error was discovered in Samsung’s secure folder that lets someone see what apps and photos you have.
You read one Authority insight history. Discover Authority Insight For more exclusive reports, you can demolishes, leaks and thorough technical coverage you do not find anywhere else.
Ex -filtration of photos and videos from the safe folder
Reddit -User Lawyerz88 Recently, a method for access to photos and videos stored in the safe folder discovered. Normally, if you launch an app asking you to insert a photo or video using Android Photo Picker, Android will block access to items stored in the safe folder, even if it is unlocked. However, this is just the case if you try to access secure folder items from a “personal” app, ie an app running in the main profile. If you are trying to access secure folder items from a “work” app does not block Android access.
We were able to recreate this error in A Ui 7 by creating a working profile manually using the Shelter app. Apps like Shelter can create a working profile of any device, which means that as long as someone has physical access to your Samsung device, they can install the Shelter app to see which photos and videos are stored in the safe folder. If you already have a work profile enabled through your employer, it is possible This loophole will not work if they configured it so that work files are not available at all. However, we have not been able to confirm whether certain employer-configured work profiles actually prevent this access.
On the bright side, this error does not extend to wide access to all files stored in the safe folder. In our testing, we noticed that Android System File Picker is blocking access to secure folder files even if the file picker is available via a “work” app. This means that only photos and videos risk accessing outside the safe folder.
One way to ensure that photos and videos cannot be reached outside the safe folder is to encrypt it. The safe folder is not encrypted by default but you can encrypt it by tapping the menu inside it and then selecting “Encrypt“Option. When you do, take the safe folder so that the files cannot be reached via the photo clipper.
Decide which apps are installed in the safe folder
Android Authority Also discovered a separate error in Safe Folder, one who lets someone see which apps are part of it. To see this, go to Settings> Security and Privacy> Multiple Privacy Settings> Permit Officer. Then select one of the permits in the list. You can find apps from the safe folder listed there.
Usually requested permits, such as place, tend to list safer folder apps. This is the case even when the safe folder is encrypted, which means there is no way to prevent secure folder apps from appearing in the permit processor.
In particular, the notification permit is one of the few permits that do not leak information about which apps are in the safe folder. This is because the notification position page is handled by Samsung settings instead of the Android Permission Controller app. This distinction is important because it relates to why this error in the first place exists.
Why are apps and photos in Samsung’s secure folder visible outside it?
The reason for this error traces back to how Samsung constructed the safe folder. The User Type to which the Samsung Secure folder belongs to is android.os.usertype.profile.MANAGED. According to Android’s source code, this is the user type that “represents an administered profile, which is a profile to be managed by a device policy controller (DPC). The intended purpose is for work profiles, administered by a business unit.” In other words, it it Secure the folder uses the same user type as an actual work profile.
Mishaal Rahman / Android Authority
As a result, Android Photo Picker and Permition Controller Apps Secure Folder profile treats as a work profile, since it internally acts as one. Photo bags and permission checks are part of the project’s main line modules, which means they are made by Google, not Samsung. Thus, Samsung has no control over the behavior of the photo clipper and the permission controller, and then cannot hide secure folder apps from them. However, the company has control over its own setting app, which is why the notification page in a user interface – which is part of Samsung’s setting app – hides secure folder apps.
It is worth noting that this error does not exist with Google’s version of Safe Folder, ie. Android 15s private space. This is because Google created a brand new user type for private space, android.os.usertype.profile.PRIVATEwhich is treated differently by photo slips and permission controls. Android recognizes when the private profile is locked and then hides it for the photo picker, the permit controller and other system surfaces.
In theory, Samsung could thus solve this problem by changing which user type the safe folder uses under the hood. However, it’s probably not that simple, and I’m not even sure it is possible to migrate the user type without resetting it. We reached our contacts at Samsung to see if the company is aware of this error and whether it has any plans to address it. We will update this article if we belong.