Where does the export go?

dwf2008 · October 17, 2023, 7:55am

When exporting the vault from my ipad, it seems to work but I can’t find the exported file. Where does it go?

OpSec · October 17, 2023, 4:42pm

Most devices have a default location for downloads. Wherever your downloads go is where the export should be. I personalize the path for my BW exports on my specific device for control and security, but that is just me, LOL!!

dwf2008 · October 17, 2023, 6:05pm

Thank you OpSec. How do you personalize the output location?

OpSec · October 18, 2023, 5:02pm

I use virtual machines so some of the general clipboard concerns are moot for me. I restore the VM clean snapshot after doing the export and then saving it to a virtual drive.

Leaving my situation aside lets say that you are using Firefox as your browser (you can easily adapt to your browser using similar steps). In the browser settings there is a spot to designate WHERE downloads go – easy stuff. If you are familiar with virtual drives I would recommend exporting directly to a virtual drive that you can close when finished. But if you just want to SEE your export easily and know where it is set up a Firefox Downloads folder on your Desktop and once configured the browser will place ALL downloads there. That way you will always find anything you download in one spot. I hope this helps you!!

grb · October 19, 2023, 1:52am

You do this on a mobile device?

dwf2008 · October 19, 2023, 4:39am

Yes usually an ipad.

grb · October 19, 2023, 5:17pm

Yes, I know that your question was about the export location on mobile devices. My question was for @OpSec.

OpSec · October 22, 2023, 6:43pm

Nope. Brain-dead here. I missed the mobile device part of the question.

bw-tinkerer · October 27, 2023, 6:29pm

I can confirm there is a corresponding problem on android based on the following reddit thread:
[android] vault export question - where does the export go

It is a POTENTIAL SECURITY PROBLEM when the vault is exported as unencrypted form (the default option) and the user can’t find it afterwards to delete it (after he’s done doing whatever he wanted to do with it). That means there may be an unencrypted copy of the vault floating around somewhere on the user’s mobile device, and the user is powerless to do anything about it (other than clear bitwarden app data and cache, which may or may not delete the unencrypted file, but definitely does require logging back in with master password and oauth to set up again afterwards)

I believe the data might be exported to a bitwarden subdirectory within Android/data that the user doesn’t have access to, but that’s just a guess.

At the end of that reddit thread is a tabulation of results by user, which is being updated as people respond. The first two users are not prompted for any file location during export from android (and can’t find their files afterwards). The 3rd user is prompted for export location. The 4th user experiences app crash. Below is a snapthot of that tabulation of user response as of 10/27/23 noon mountain time.

EDIT 2 - TABULATION OF EXPORT RESULTS BY USER, PHONE, ANDROID VERSION, BITWARDEN VERSION

/u/Sweaty_Astronomer_47 Pixel 6, Android 14, Bitwarden version 2023.9.2(8002) - no prompt for file location, file not findable after export.
/u/jpcrypto Phone? Android Version? Bitwarden Version? no prompt for file location, file not findable after export as reported in another thread
/u/s2odin Pixel 7 Pro, Android 14 beta build U1B2.230922.010, Bitwarden version 2023.9.2 F Droid apk from github, prompts for location to store file
/u/0xvino Samsung, Android 13, Bitwarden version 2023.9.2 - crashes

bw-tinkerer · October 30, 2023, 9:13pm

bump. I’d be interested to hear some thoughts. It seems at best the app doesn’t work as expected. At worst it’s a security concern (the default unencrypted export disappears to unknown location)

OpSec · November 1, 2023, 4:30pm

This is just a “brain storming” idea, which I have not attempted or researched. How about BW develops or explains how a user/Admin might create and then download an encrypted vault backup to a location so that only fully encrypted cache/data download files are on our devices. Then we the user move the encrypted backup file to a specific isolated location - e.g. virtual drive – where we decrypt it locally and then store it as our desired plain text backup. This would allow bypassing the concerns that many here seem to have. If you are really paranoid you could save the encrypted vault backup and copy it to a flash drive and take it to an air-gap machine to go through the process. I still like the virtual machine snapshot method with clearing all data via snapshot reversal of activity, but hey that is me.

grb · November 1, 2023, 4:47pm

@OpSec this is fairly easy to do with the desktop app and browser extensions, but not with the mobile apps. Since this thread is about exports in mobile apps, if you have an interest in discussing/brainstorming solutions for the non-mobile apps, I would suggest starting a new thread.