How KeePassium stays offline and works with online storage

Every iOS app lives in its own system-enforced sandbox and cannot simply access files inside other apps.

Some older KeePass apps integrate with cloud providers directly. That is, you give those apps your FTP/Dropbox/OneDrive login and password, and they directly contact the servers via the network. These apps have complete access to your storage, with all the associated risks.

KeePassium, in contrast, integrates with cloud providers indirectly, via the system. The system stands between the app and cloud storage, so they cannot and don’t need to know about each other.

How KeePassium works with storage providers

Here’s what happens when you add an existing database to KeePassium:

  1. KeePassium asks the system to show a standard file picker dialog (UIDocumentPickerViewController).
  2. The system takes control, pauses KeePassium and shows the file selection screen.
  3. The system interacts with storage provider apps to show your cloud-based folders and files. KeePassium remains paused by the system and cannot look at your files even if it wanted to.
  4. Once you select a database, the system returns control to KeePassium and gives the app a special reference to the selected file. The reference is not a file path or URL; it is a numeric identifier with some auxiliary data.

As a result, KeePassium:

  • Can access the file you selected — and only that file;
  • Does not know about your other files;
  • Does not know your cloud/server credentials.
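
The picker flow above, sketched with the public UIKit and Foundation APIs. This is an added example, not KeePassium's own code; the class name, method names and the UserDefaults key are hypothetical.

```swift
import UIKit
import UniformTypeIdentifiers

// Hypothetical view controller; all names here are illustrative.
final class DatabasePickerDemo: UIViewController, UIDocumentPickerDelegate {
    private let bookmarkKey = "demo.databaseBookmark" // constructed key

    // Step 1: ask the system to present its own file picker.
    // The picker runs outside the app's process, so the app never
    // sees the folder listing or the provider's credentials.
    func addExistingDatabase() {
        let picker = UIDocumentPickerViewController(
            forOpeningContentTypes: [.data], asCopy: false)
        picker.delegate = self
        present(picker, animated: true)
    }

    // Step 4: the system hands back a reference to the chosen file only.
    func documentPicker(_ controller: UIDocumentPickerViewController,
                        didPickDocumentsAt urls: [URL]) {
        guard let url = urls.first else { return }
        // Access is denied until the security scope is opened.
        guard url.startAccessingSecurityScopedResource() else { return }
        defer { url.stopAccessingSecurityScopedResource() }
        do {
            // Persist opaque bookmark data so the grant survives relaunch.
            let bookmark = try url.bookmarkData(
                options: .minimalBookmark,
                includingResourceValuesForKeys: nil, relativeTo: nil)
            UserDefaults.standard.set(bookmark, forKey: bookmarkKey)
        } catch {
            print("Could not create bookmark: \(error)")
        }
    }

    // Later launches: resolve the bookmark and read that one file.
    func loadDatabase() throws -> Data? {
        guard let bookmark = UserDefaults.standard.data(forKey: bookmarkKey)
        else { return nil }
        var isStale = false
        let url = try URL(resolvingBookmarkData: bookmark,
                          bookmarkDataIsStale: &isStale)
        guard url.startAccessingSecurityScopedResource() else { return nil }
        defer { url.stopAccessingSecurityScopedResource() }
        // isStale == true means the bookmark should be recreated from url.
        return try Data(contentsOf: url)
    }
}
```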
