Galaxy phones had a hidden privacy flaw – and Samsung just patched it

If you've been relying on Secure Folder to hide apps and files, you might want to update your phone — a critical flaw has just been fixed.

Samsung has now patched a security flaw in its Secure Folder. The issue previously allowed anyone who had physical access to your Galaxy phone to take a look at your hidden apps and photos, and it has now been addressed by the South Korean company.

Samsung's Secure Folder is a nice feature that allows you to easily hide sensitive files and apps on your Galaxy phone. The feature creates a separate, sandboxed (controlled, isolated environment) profile where you can move all your private content. 

This isolated profile is then protected with a passcode, thus stopping any unauthorized users from getting into what you've placed inside. All that sounds quite good until you find out that there was a flaw in this feature, discovered earlier this year.

The flaw basically allowed anyone who managed to get physical access to your phone (by stealing it, for example) to see which apps and photos you had hidden in that Secure Folder.

Luckily, though, the latest One UI 8 release is also bringing a patch for this security flaw.

How does the Secure Folder work?


Profiles on Android are sandboxed spaces with their own app data separate from the profile for the main user. Profiles do share the same lifecycle and some settings that are applied system-wide. 




Basically, you have different types of profiles, including a "work profile". With Android 14, people could also clone profiles if they wanted to run an app multiple times, while Android 15 brought private profiles, which are aimed at supporting Google's Private Space feature. 

Back in 2017, Samsung introduced Secure Folder. At the time, the company had only one option, though: Secure Folder had to be implemented as a "work profile". For the most part, this worked, but here comes the catch: some system components would incorrectly categorize the Secure Folder as a standard work profile.

Of course, this would be a problem because then the Secure Folder wouldn't get treated as a highly secure space by those system components. This would mean that some system components could potentially reveal the sensitive information that was hidden inside. 

Yep, more or less, the system could somewhat leak Secure Folder files or apps. Some of these system components include the Photo Picker or the Permission Controller, which are not managed by Samsung's One UI but instead are controlled by Google. 

Google has made these specific components able to recognize and hide content within Android 14's private profiles, which are used for the Private Space feature. However, the components weren't designed to assign the same level of privacy to profiles designated as "work profiles". 

So yep, the Photo Picker and the Permission Controller were able to see photos and apps hidden in the Secure Folder and inadvertently reveal them. 

How did Samsung fix the issue?



Luckily, though, Samsung's now fixed the issue with One UI 8. The company has now reclassified the Secure Folder as a "private" profile, not as a "work" one. Now, with this change, Samsung makes sure that the Photo Picker and the Permission Controller will keep their hands off your private files. 

Meanwhile, it's worth noting that this protection is only active when you have the Secure Folder fully hidden, not just closed. When you hide the folder, you not only remove its icon from the app drawer, but you also encrypt the data inside. And yep, this way, its apps can't run and they can't send notifications either. 

It's worth mentioning that the updated Secure Folder still doesn't integrate with third-party launchers, so that issue remains, as Android Authority rightfully underlines. Meanwhile, Android 15's Private Space supports third-party launchers. Well, maybe this one is for fixing at a later time by Samsung. 
