  • Storage Scopes slight confusion

I've previously interacted with SS without any misunderstandings but I'm currently experiencing behavior which I'm confused about. I've re-read https://grapheneos.org/usage#storage-access but I'm still confused.

I've set Protonmail to SS with access only to Main storage/Protonmail. Now, with protonmail, I'm able to access files, by attaching them to an email, from /Downloads and from Main storage/Protonmail which makes sense.

However, to test SS and Protonmail, I tried attaching a file from /Main storage/KeePassDX and I'm indeed able to attach a *.kdbx file inside of that directory.

My expectation is that, with SS enabled for Protonmail and with only Main storage/Protonmail allowed, I should not be able to access and upload something inside of Main storage/KeePassDX. What am I misunderstanding?

    • [deleted]

    spiral I have seen this brought up before. With SS, apps aren't able to access any files outside of where you've explicitly enabled (other than files it's created), but it can bring up the system file picker and once you explicitly select a file then it will be able to access that specific file at least temporarily.

    TL;DR: SS doesn't apply in cases the app uses system file picker, but it still needs your explicit permission in the form of you selecting a specific file.

      [deleted] In fact you could completely turn off storage scopes and all file permissions and it would still be able to use any files you select from the file picker.

      Sooooo..... Protonmail doesn't itself have access to these files. It's just that Protonmail appears to have access to them when really the app accessing them is "System File Picker" and NOT Protonmail... do I have that right?

      I just tried this same thing with Signal and the behavior is the same as I described with Protonmail.

      I'm just confused about this because I swear this didn't use to be the case. I remember having storage scopes on for Signal in one profile, trying to attach a photo which was NOT in a standard directory, and not being able to do it - I had to specifically add through Signal's storage scopes the one photo I wanted to attach. Now, it appears that with Signal and Protonmail I can attach anything I want through the System File Picker.

        I had the same concern. It is a file picker that has access, not the app.

          katemason

          Regarding my third paragraph "I'm just confused about this because I swear..." do you recall anything similar to what I described? I remember Storage Scopes in practice being very clear to understand, however with the way System File Picker now makes it seem that the APP itself has access, it's anything but clear at least initially.

          spiral I remember having storage scopes on for Signal in one profile, trying to attach a photo which was NOT in a standard directory, and not being able to do it - I had to specifically add through Signal's storage scopes the one photo I wanted to attach. Now, it appears that with Signal and Protonmail I can attach anything I want through the System File Picker.

          Signal doesn't use the file picker when you specifically select 'Gallery' when choosing what to send in a chat; it expects to have the permission to access Media on your phone (photos, videos) to be able to show a list of photos to send for this purpose. On the other hand, Signal uses the system file picker if you specifically select 'File' rather than 'Gallery' when choosing what you want to send.

          I don't believe the way it works in Signal has changed recently. In the situation you remember you were probably selecting 'Gallery' and as a result Signal was asking you for the permission to access Photos/videos and wasn't allowing you to send any photo or video that you hadn't granted it access to (whether by giving it permission or through Storage Scopes), while now you're probably selecting 'File' which triggers the file picker directly rather than a permission prompt.

            233328

            Ahhh yes, that's exactly it. I was just using "file" to test this out.
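
The two attachment paths discussed in this thread, as an added Kotlin sketch that is not from any poster and is not Signal's or Protonmail's code. `AttachActivity` and its function names are hypothetical; the Android and AndroidX calls are the standard ones, and `READ_MEDIA_IMAGES` assumes Android 13 or later.

```kotlin
import android.Manifest
import android.content.ContentUris
import android.content.pm.PackageManager
import android.net.Uri
import android.os.Bundle
import android.provider.MediaStore
import android.util.Log
import androidx.activity.ComponentActivity
import androidx.activity.result.contract.ActivityResultContracts
import androidx.core.content.ContextCompat

class AttachActivity : ComponentActivity() { // hypothetical name

    // "File" path: the system picker runs outside the app and returns a
    // content:// URI for the single document the user tapped. No storage
    // permission or Storage Scopes entry is involved in this grant.
    private val pickFile =
        registerForActivityResult(ActivityResultContracts.OpenDocument()) { uri: Uri? ->
            if (uri == null) return@registerForActivityResult // user cancelled
            contentResolver.openInputStream(uri)?.use { input ->
                Log.i("Attach", "read ${input.readBytes().size} bytes from $uri")
            }
        }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        pickFile.launch(arrayOf("*/*")) // any MIME type, e.g. a .kdbx file
    }

    // "Gallery" path: the app lists media itself, so it first needs the media
    // permission. The query only returns rows the OS lets this app see, which
    // is where the permission (or Storage Scopes) decides the result.
    private fun listGalleryImages(): List<Uri> {
        val granted = ContextCompat.checkSelfPermission(
            this, Manifest.permission.READ_MEDIA_IMAGES
        ) == PackageManager.PERMISSION_GRANTED
        if (!granted) return emptyList()
        val base = MediaStore.Images.Media.EXTERNAL_CONTENT_URI
        val found = mutableListOf<Uri>()
        contentResolver.query(base, arrayOf(MediaStore.Images.Media._ID), null, null, null)
            ?.use { cursor ->
                val idCol = cursor.getColumnIndexOrThrow(MediaStore.Images.Media._ID)
                while (cursor.moveToNext()) {
                    found += ContentUris.withAppendedId(base, cursor.getLong(idCol))
                }
            }
        return found
    }
}
```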