• General
  • How a password manager app can access its database without any permission ?

I am using an app called KeePassDroid as a password manager. Password databases are stored in a *.kdbx file, and also in addition to the password, I use a key file, which it can be any file type, but in my case, I use a *.jpg file. Both files (database and key file) are not located in standard location (Documents, Pictures etc), rather in folders created by myself for this purpose.

The application has access to both files with no permissions granted. Storage scopes are not activated either. Howerver, in "app info" > Storage & cache, there is a button called "Clear access", and there is a line stating "External Storage 1 item". If I push this button, the storage permission is removed, and the external storage line disappears. If I uninstal and reinstall the app, storage access come back by default.

When an app uses the system file picker to create a new file or open an existing file, that goes through Android's Storage Access Framework. The system gives the app permission to access the selected file only and nothing else. This method of selecting files does not require any permissions because the app can only access what the user explicitly granted. This is true for Android in general, not just for GrapheneOS.

The External Storage 1 item is referring to the .kdbx file you selected. With adb, you can see that the system only granted access to the specific file by running:

# For keepassdroid:
adb shell pm dump com.android.keepass | grep UriPermission

You should see something like:

UriPermission{93a7c7a content://com.android.externalstorage.documents/document/primary%3Apath%2Fto%2Fyour%2Ffile.kdbx [user 0]}