OneDrive sync on iOS via Files App (security)

Hello, everyone!

I have noticed that synchronization feature on Linux Desktop and on iOS works rather differently. On desktop, it just asks to provide access to a single service (OneDrive), which is the right way from security perspective. But on iOS a user have to sign in to an account those providing much wider permissions to the app, which may be too risky for those who use Microsoft account for critical tasks.

For those who already have OneDrive app installed on iOS, is it possible to implement synchronization via Files app? This way, more cloud providers may be supported without explicit API client implementation.

I'm fairly certain this isn't possible, Apple has fairly strick sandmboxing to prevent apps from accessing eachother. I'm not an IOS dev so there might be some way to get around it, but as far as I know this is not allowed.

Note that the logic is exactly the same on desktop and mobile (and cli) so if there's a risk it's the same on all platforms. But as far as I know, the app only has access to its own folder in /Apps so normally there's no problem.

But as far as I know, the app only has access to its own folder in /Apps so normally there's no problem.

This is actually not true. Joplin has the Files.ReadWrite.All permission (see onedrive-api.js) which meas that joplin can read, write, update and delete all files of a user. But this is the fault of Microsoft and not Joplin's faul. I really don't understand why but Microsoft doesn't offer an option to only access the /Apps folder (see the docs) for Applications. It is only possible for Delegated permissions which as far as I can see can't be used from Joplin (as described here). People with high security consciousness really shouldn't use onedrive in any open source software. People with good knowledge of the Onedrive Rest Api and basic database knowledge could theoretically use the credentials saved on your device and abuse all your data in Onedrive without you even noticing. This obviously still means that the developer first need access to your device. So personally I think the risk is very low but Microsoft could theoretically provide much more security.

1 Like

@CalebJohn I'm not an iOS dev either, but it seems that it is indeed possible. Look at "File Provider" docs at their website. Strongbox and BookPlayer to name a few - are both open source iOS apps that work perfectly with files in OneDrive via this API while not having to deal with Microsoft account authentication.

@laurent Thank you so much for your work. The app is absolutely awesome! Anyway, I can't confirm that the logic I see is the same: on Linux desktop, when I configure sync I grant some restricted permissions to the app - I can see it on page, - while on iOS I'm advised to Log In to the account - which I can confirm here The latter gives to the app a completely different access level.

Indeed you're right. I think before it could only access /Apps but I've had to change the permissions not long ago because that wasn't sufficient anymore. It's unlikely this will be changed then, as doing so I believe would invalidate existing tokens, or perhaps throw permission errors.

I would say that the app is obviously not doing anything harmful though, and there's several ways to ensure this:

  • The app is open source, so you can check the source code
  • The executables are checked and re-checked by various validation processes by Google, Mozilla, Apple and Microsoft. If there was anything bad it would have been flagged long ago.
  • The apps are signed so once they are built it's not possible to introduce malicious code.

Then again all that might not be enough if you are concerned about API permissions, so in that case it could indeed be best to use Dropbox or your own WebDAV server.

Please, don't get me wrong. This is not to express a suspicion that the app is malicious in any way. It's just principle of least privilege that helps to mitigate risks if an access token gets compromised.

Although sync via File Provider still appears to be better solution for me, switching to another storage provider is also a valid option.