(How) does remote wipe work?

Hi all.

tl;dr

Not working for me. Any help gratefully received :slight_smile: Thank you.

more

I’m testing “Remote Wipe” with my new 'phone, and I don’t think it’s working. I’ve read several other posts about this; I didn’t glean much from them.

What I did

  1. Installed the current stable version of the Android synchronization client onto my 'phone, via F-Droid.
  2. Connected the client to my Nextcloud account on my Nextcloud instance.
  3. Sync’ed some of my data from Nextcloud to my 'phone. (Files and folders appeared as expected; they were accessible via the Android file browser).
  4. Used the web browser on my laptop to login to my Nextcloud account, and select:

Settings > Security > Devices & sessions > Wipe device (confirm, enter password)


What I’d expect to happen

  1. Access to my account is revoked for the client on the 'phone.
  2. Any files sync’ed from Nextcloud to local storage are deleted from the 'phone (but not from the server).

What actually happens

  1. This works, in the same way “Revoke” does: the next time I open the client on my 'phone, it prompts me for the server address and my credentials :+1:
  2. …but this apparently doesn’t(?) The message “(Marked for remote wipe)” appears next to my 'phone in “Devices & sessions”…but after several hours the files are still accessible on the 'phone via the Android file browser :thinking:

What I’ve tried

  1. Checking the permissions of the sync client in Android.

…which look fine: it says “Allow access to manage all files”

Allow this app to read, modify and delete all files on this device or any connected storage volumes. If granted, app may access files without your explicit knowledge.

  1. Checking the logs
    • /var/log/apache2/error.log (nada)
    • grep -i 'wipe' /path/to/nextcloud.log (ditto)

Qs:

  1. Does remote wipe work?
  2. If so, am I doing it wrong?
  3. …Or does “remote wipe” mean something other than what I think it means?

If you’ve read this far, thank you very much for your time; if you can shed any light on this, thank you even more :heart:


Server

  • Nextcloud version: 24.0.8
  • Operating system and version: Ubuntu 20.04
  • Apache version: 2.4.41
  • PHP version: 7.4.3

Client

  • Android version: 13 (GrapheneOS)
  • Nextcloud Android client version: 3.23.1

Hi,

I do not have clear answers but :

Yes you understood it correctly :

https://nextcloud.com/blog/nextcloud-17-brings-remote-wipe-collaborative-text-editor-and-next-generation-secure-watermarking/

https://www.youtube.com/watch?v=QmR86-LsGus&ab_channel=Nextcloud

It works like stated here : https://docs.nextcloud.com/server/19/developer_manual/client_apis/RemoteWipe/index.html

And it seems to have been imported into the android app since the 3.10.1 (https://nextcloud.com/blog/nextcloud-3-10-1-for-android-is-out-plus-tips-about-remote-wipe-and-document-collaboration/)

So basically the implementation seems to not be consistent and working on the app based on your experience.
I did a quick search into the GitHub and some people reported some errors too : Issues · nextcloud/android · GitHub

So maybe the remote wipe is not working perfectly on the android app.
If you want you can open an issue on the GitHub and maybe a developer will have the time to correct the error (or telling you something was not done correctly on your side).

Hi @ligal; thank you for your reply :slight_smile:

This (from the dev documentation you linked to) confirms my expectations:

The client must remove all user data linked to the account. This includes:

  • caches
  • offline files
  • the actual account itself

So why isn’t it working, I wonder…?


I don’t understand this bit:

Note that wiping only works when clients use the login flow

Does that mean the device gets wiped the next time the user logs in?

That doesn’t sound right to me: wiping revokes access to the account, so the user can’t login (…and that’s as it should be, I think: if my 'phone gets stolen, I don’t want the thief to have access to any of my data, whether those data are on my cloud, or on the 'phone itself).

I think I’ll open an issue; thank you again!