How does KeePassium access my cloud storage?

Every iOS app lives in its own system-enforced sandbox and cannot simply access files inside other apps.

Some older KeePass apps integrate with cloud providers directly. That is, you give those apps your FTP/Dropbox/OneDrive login and password, and they directly contact the servers via the network. These apps have complete access to your storage, with all the associated risks.

KeePassium, in contrast, uses a new method for integration with cloud providers (available since iOS 11). In a few words: the app asks the system “I need the user to pick a file”, the system takes control (KeePassium is temporarily paused), lets you navigate to and select a file, then returns control to the app: “here’s a reference to the selected file”.

In more detail, the app calls the system-provided file selection dialog (UIDocumentPickerViewController). When this happens, the system sends KeePassium to the background and shows you a file selection interface similar to the Files app. This file picker is managed by the system, and thus has access to all installed cloud storage apps. Once you select a specific location (for example, OneDrive), the system works directly with the OneDrive app to list available files.

When you pick a specific file (in a cloud storage or inside another app’s sandbox on the same device), the system creates a special reference to that file and returns control to KeePassium, along with the reference to the file. This reference does not point to the file in the traditional sense (not a file path or URL), but allows the app to ask the system in the future to read/write that one selected file.

As a result of this lengthy process, KeePassium can access the file you manually selected — and only this file. The app does not know where the file is located, or what other files are there. The system stands between the apps and cloud storage, so they cannot and don’t need to know about each other.
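
The flow described above, sketched in Swift as an added example (this is not KeePassium's own code). The class name `DatabasePicker`, the `databaseBookmark` storage key and the use of the iOS 14+ picker initializer are assumptions made for illustration. The app receives a security-scoped reference to the one picked file, keeps it as opaque bookmark data, and must ask the system for access each time it reads the file.

```swift
import UIKit
import UniformTypeIdentifiers

// Hypothetical class for illustration; not KeePassium's own code.
final class DatabasePicker: NSObject, UIDocumentPickerDelegate {
    private let bookmarkKey = "databaseBookmark" // assumed storage key

    // Ask the system to show its file picker. The picker runs outside the
    // app's sandbox, so the app never sees the provider's file listing.
    func present(from host: UIViewController) {
        let picker = UIDocumentPickerViewController(forOpeningContentTypes: [.item])
        picker.delegate = self
        host.present(picker, animated: true)
    }

    // The system calls this with a security-scoped reference to the picked file only.
    func documentPicker(_ controller: UIDocumentPickerViewController,
                        didPickDocumentsAt urls: [URL]) {
        guard let url = urls.first else { return }
        let scoped = url.startAccessingSecurityScopedResource()
        defer { if scoped { url.stopAccessingSecurityScopedResource() } }
        // Persist an opaque bookmark so the same file can be reopened later
        // without showing the picker again.
        if let bookmark = try? url.bookmarkData(options: .minimalBookmark,
                                                includingResourceValuesForKeys: nil,
                                                relativeTo: nil) {
            UserDefaults.standard.set(bookmark, forKey: bookmarkKey)
        }
    }

    // Later: have the system resolve the bookmark, then read that one file.
    func readDatabase() throws -> Data? {
        guard let bookmark = UserDefaults.standard.data(forKey: bookmarkKey) else { return nil }
        var isStale = false // if true afterwards, the bookmark should be re-created
        let url = try URL(resolvingBookmarkData: bookmark, options: [],
                          relativeTo: nil, bookmarkDataIsStale: &isStale)
        let scoped = url.startAccessingSecurityScopedResource()
        defer { if scoped { url.stopAccessingSecurityScopedResource() } }
        var coordinationError: NSError?
        var result: Result<Data, Error>?
        // Coordinated read lets the file provider fetch the current version first.
        NSFileCoordinator().coordinate(readingItemAt: url, options: [],
                                       error: &coordinationError) { safeURL in
            result = Result(catching: { try Data(contentsOf: safeURL) })
        }
        if let error = coordinationError { throw error }
        return try result?.get()
    }
}
```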
