While the gap between Android and iPhone is narrowing, there is a new gap emerging between Google and Samsung. With Android 15 now live for Pixel owners and still en route for Galaxy owners, the different deployments of Android become more critical.
Much of this is presentational (widgets, layouts, animations), but there are key security differences as well: for example, Samsung’s tighter restrictions on sideloading, or Google pushing out new features such as live threat and scam detection faster than Samsung can match.
One of those differences is Samsung’s Galaxy-specific Secure Folder, which is different to Android’s Private Space. Samsung says “we know how important it is for you to be able to keep your photos, videos, files, apps and data that you consider private in a safe place. That is why one of the most useful tools on your Galaxy device is the Secure Folder, where you can store everything you want with maximum security.”
But unfortunately one Redditor has outed a glaring mistake in how this is set up. “Coming from Pixel,” lawyerz88 warned, “I expected secure folder to act like Private Space. It does not. I’m aware Private Space is new in Android 15 and that this secure folder function is older and builds off the ‘Work’ Profile feature. However, if you have the work profile enabled through something like Island or Shelter (or you know, your actual workplace), any apps in the work profile can access the entirety of photos and videos saved in secure folder without any restrictions whatsoever.”
As Android Authority explains, “because Samsung’s Secure Folder is set up like a Work profile, the Android Settings and Permission Controller apps treat it like one and let you see what apps and photos are in the Secure Folder, even when it’s locked… The feature creates a new profile with its own storage space and screen lock, keeping your sensitive apps and files private. Or so we thought until a flaw was discovered in Samsung’s Secure Folder that lets anyone see which apps and photos you have.”
The Android specialists replicated the flaw in One UI 7 by manually creating a work profile, although they note that what happens in practice will depend on how work profiles are set up by an organization. Critically, “the Android system file picker blocks access to Secure Folder files even if the file picker is accessed through a ‘work’ app. This means that only photos and videos are at risk of being accessed outside the Secure Folder.”
As Android Police warns, “anyone in your employer’s IT department may be able to access and see all the files you’ve stashed in there.” But the fix is easy — just change your phone setup and encrypt the secure folder. This stops the photo picker working this way. The folder isn’t decrypted by default, and is opened by your device’s unlock; this enables other apps to access the folder. Encrypting it will add that additional layer.
If you store private data in your Secure Folder and have any form of Work Profile on your device, you should go ahead and do that now. Meanwhile, Samsung has acknowledged the issue and we await news of a fix.