{"id":39218,"date":"2025-09-09T09:01:38","date_gmt":"2025-09-09T07:01:38","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=39218"},"modified":"2025-09-09T09:11:06","modified_gmt":"2025-09-09T07:11:06","slug":"nextcloud-data-protection-bug-in-android-app","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/09\/09\/nextcloud-data-protection-bug-in-android-app\/","title":{"rendered":"Nextcloud: Data protection bug in Android app?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; float: left;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2012\/07\/android.jpg\" width=\"58\" height=\"58\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/09\/09\/nextcloud-datenschutzkritischer-bug-in-android-app\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]There appears to be a bug in the Android app for Nextcloud that is not insignificant in terms of data protection. Media content uploads are distributed across different folders belonging to different instances (accounts), even if this is not what the user intended.<\/p>\n<p><!--more--><\/p>\n<h2>Nextcloud and the Android app<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg04.met.vgwort.de\/na\/994c93322c3341a98204399e9088a43b\" alt=\"\" width=\"1\" height=\"1\" \/>Nextcloud is free software based on an ownCloud fork (developed by Frank Karlitschek) and developed in PHP for storing data (e.g., files, calendars, contacts, etc.) on a server. The Nextcloud project has been further developed by Karlitschek and other developers in the team since 2016.<\/p>\n<p>Unlike the public clouds offered by Amazon, Apple, Google, and Microsoft, users can host Nextcloud on their own server and retain control over this instance. Users can access Nextcloud data via a web interface or client applications (smartphone and desktop). This allows users to access a central, consistent database from multiple devices and optionally share it with other users. In addition to data storage, Nextcloud offers video conferencing and various office applications via the web interface.<\/p>\n<p><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.nextcloud.client&amp;pli=1\" target=\"_blank\" rel=\"noopener nofollow\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/HxQsMmPK\/image.png\" alt=\"NextCloud Android-App\" width=\"640\" height=\"607\" \/><\/a><\/p>\n<p>For Android, there is the app mentioned in the screenshot above, which allows access to all files in Nextcloud. The app's interface can be used to upload files (including photos and videos) to your own Nextcloud server, synchronize them, and share them with third parties. The app also supports multiple Nextcloud accounts simultaneously.<\/p>\n<h2>Android app: Auto-Upload-Bug pushes files into multiple folders<\/h2>\n<p>German blog reader Sebastian W. contacted me by email the other day (thanks for that) because he noticed a bug in the Android app that is not only unsightly but also relevant to data protection. According to Sebastian, the current Android version of the Nextcloud client (version 3.32.3 of the Android app was released on August 21, 2025) has an unpleasant bug that is relevant to data protection. The prerequisite for the bug in the Android app to take effect is:<\/p>\n<ul>\n<li>The user has configured and connected the Android app as a client for multiple Nextcloud instances (i.e., accounts).<\/li>\n<li>Automatic uploading and synchronization of new images is enabled (this is often done for smartphone camera shots).<\/li>\n<\/ul>\n<p>If both conditions are met, the Android app uploads new files to the Nextcloud instances. The problem:<\/p>\n<ul>\n<li>According to Sebastian, these images and videos automatically end up in the specified folder in Nextcloud, as in previous versions.<\/li>\n<li>However, a folder is now also created in the other Nextcloud instances and all images\/videos are uploaded there as well, even though no automatic upload is set for these instances.<\/li>\n<\/ul>\n<p>Sebastian wrote that this can quickly become unpleasant if, for example, you use a private Nextcloud connection in parallel with a business Nextcloud connection that is administered by your employer.<\/p>\n<h2>Bug reported, developers are working on it<\/h2>\n<p>Sebastian reported the bug affecting the Nextcloud Android client 3.32.3 via Github, see the bug tracker entry <a href=\"https:\/\/github.com\/nextcloud\/android\/issues\/15498\" target=\"_blank\" rel=\"noopener\">Auto-upload goes wild &#8211; possible security breach<\/a>\u00a0from early September 2025. At least one developer is currently working actively on analyzing the error, and the bug report has already been marked as \"closed\" (it should be fixed soon).<\/p>\n<p>Sebastian comments: \"In any case, some people will certainly be glad to receive a warning about the current 'danger' and pay closer attention to the next Nextcloud update, which will hopefully fix this error.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]There appears to be a bug in the Android app for Nextcloud that is not insignificant in terms of data protection. Media content uploads are distributed across different folders belonging to different instances (accounts), even if this is not what &hellip; <a href=\"https:\/\/borncity.com\/win\/2025\/09\/09\/nextcloud-data-protection-bug-in-android-app\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,63,463,580],"tags":[60,78,188,2943,69],"class_list":["post-39218","post","type-post","status-publish","format-standard","hentry","category-android","category-cloud","category-issue","category-security","tag-android","tag-app","tag-bug","tag-nextcloud","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/39218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=39218"}],"version-history":[{"count":3,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/39218\/revisions"}],"predecessor-version":[{"id":39221,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/39218\/revisions\/39221"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=39218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=39218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=39218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}