Samsung’s Secure Folder might not be as private as you think

Android Police

Summary

  • A Samsung Secure Folder loophole allows apps in a work profile to access files stored in Secure Folder.
  • Any employer with remote access to a user's work profile will be able to see photos, videos, apps, and files stored in Secure Folder.
  • The flaw also exposes all apps in Secure Folder by showing them in the Android permission manager.

Samsung's Secure Folder is supposed to act as a locked-down space for sensitive apps and files. It is supposed to keep them separate from the rest of your device, accessible only with your biometrics. But a newly discovered loophole suggests that the Secure Folder may not be as secure as Samsung claims, especially if you use a work profile.

Users found that apps running inside a work profile can access files stored in the Secure Folder without any restrictions (via Android Authority). It doesn't matter if the work profile was set up by an employer or with apps like Shelter or Island. It seems Secure Folder only blocks access from personal profiles. Anyone in your employer's IT department may be able to access and see all the files you've stashed in there.

Here's how work profiles expose Secure Folder files

Source: Mishaal Rahman / Android Authority

A Reddit user was one of the first to publicly post the issue, noting that Secure Folder appears to be built on top of Android's work profile system rather than as a truly isolated space. This means apps running in a work profile can browse Secure Folder as if it were just any other storage folder.

It's all because Samsung decided to make Secure Folder different from Android 15's Private Space, which Google designed as a completely separate user profile. Samsung's Secure Folder is treated as a managed profile. As a result:

  • Files inside Secure Folder are not truly locked away; they're simply hidden from the personal profile.
  • Any app in the work profile can browse Secure Folder files.
  • Your employer can access your Secure Folder files remotely.

Photos and videos at the highest risk

Mishaal Rahman put the vulnerability to the test. He found that media files, such as photos and videos, are the most exposed. The Android file system file picker blocks Secure Folder files from personal apps, but photos and videos were there for anyone on any profile, work and personal, to peruse.

Rahman also discovered another flaw in how Samsung handles app privacy in Secure Folder. Apps stored within it still appear in the Android permission manager. It's easy to see what apps are installed simply by going to the permission manager.

Samsung has acknowledged the issue, but has not given any details about a possible fix. Correcting the issue might require changing the entire way Secure Folder is structured, which is not something easily done through a simple OTA update. You may want to store those sensitive photos somewhere more secure for the time being.