I agree, it also has some serious security issues: https://github.com/zen-browser/desktop/pull/927
The developer’s comment reveals that it has been there since the inception of the project. And there are even more privacy / security issues mentioned in the comments.
Unfortunately Zen browser gets a big fat no from me. 🫤
Obsidian asks for the permission upon first launch, but if you don’t give it access it won’t work at all (it’s a required permission for the app).
you can use an android firewall to block Internet access from the app
True, however, AFAIK if your phone is not rooted, you can’t have a firewall and VPN running at the same time (the firewalls I’ve seen must be configured as VPN).
not the privileges that obsidian has
Also true, although Obsidian has access to that shared storage, and therefore, Obsidian being closed source, you have no way of knowing what they do with the files other apps create in that storage directory. I’m not saying they are acting maliciously, but I don’t like this approach (software vulnerabilities, supply chain attacks, etc.). The devs recognized the issue in another thread, but there’s no solution to the problem as of yet.
I’d love to use this setup, however, the Obsidian Android app requires a kind of file access that is concerning:
Obsdian uses a shared location “/Documents” so that other apps can access the files (e.g. third party sync services) or add stuff.
It’s a no-go for me. :/
Just? I’m sorry but that’s just a terrible mistake to make, especially for a browser that people use to surf the world wild web. I don’t know if you’ve ever used a remote debugger (I do), but depending on the debugger, it can be a very powerful tool, you can do a lot of things with it. I don’t think calling it a backdoor is a massive exaggeration. I don’t doubt the developer’s good intention, but this issue shouldn’t be dismissed as an insignificant issue.
To add insult to the injury, it didn’t even prompt the user for it.
Unless you tweak the default Firefox settings in the code base, e.g. https://github.com/zen-browser/desktop/blob/dev/src/browser/app/profile/zen-browser.js#L258 (allow unsigned extensions by default).