App Sandbox
Also known as: application sandbox, sandboxed app
An app sandbox is an OS-enforced isolation boundary that confines each app to its own private files, memory, and limited system resources, so one app cannot read or modify another app's data without explicit, mediated permission.
- On Android each app runs under its own Linux UID with a private data directory.
- Shared media is reached only through brokered APIs (MediaStore, PhotoKit), never raw cross-app file access.
- Sandboxing is why one app cannot directly clear another app's cache or data.
How the sandbox isolates apps
Both iOS and Android run every app inside a sandbox, a per-app container the kernel enforces. On Android each app gets a unique Linux UID at install time, and its private files live under `/data/data/<package>` (a link to `/data/user/0/<package>` for the primary user) and an app-specific external directory; those directories are owned by that UID with no access for other users, and SELinux labels them per app as a second layer, so other apps cannot read those paths. On iOS each app lives in its own container directory, the kernel sandbox profile restricts what it can open, and any extra capability must be granted by a code-signed entitlement.
The sandbox is why uninstalling an app removes its data cleanly, and why an app can only see its own caches and documents by default. Access to anything shared — photos, contacts, the media library — must go through a mediated API plus a user permission grant.
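The following Kotlin snippet is an added example, not code from the original page or from Cleanor, showing what the boundary looks like from inside an Android app: it reports the app's own UID and container, reads back a file it wrote itself, and shows that opening a file in another package's private directory fails with a permission error. The package name `com.example.otherapp` and its path are hypothetical, and `context` is assumed to be any `Context` such as an `Activity`.

```kotlin
// Added example (not from the original page): probe the Android app sandbox
// from inside the app. Runs on-device; 'context' is any Context (e.g. an Activity).
import android.content.Context
import android.os.Process
import java.io.File
import java.io.IOException

data class SandboxProbe(
    val uid: Int,              // per-app Linux UID assigned at install time
    val ownDataDir: String,    // this app's private container
    val ownReadable: Boolean,  // reading our own file: always allowed
    val foreignReadable: Boolean,
    val foreignError: String?  // the OS error message for the foreign read
)

fun probeSandbox(context: Context): SandboxProbe {
    // Write and read back a file inside our own container.
    val own = File(context.filesDir, "probe.txt")
    own.writeText("mine")
    val ownOk = own.readText() == "mine"

    // Hypothetical package and path, used only to illustrate the boundary.
    // /data/data/<pkg> is owned by that app's UID with mode 0700 (and carries
    // its own SELinux label), so open() fails with EACCES, which Java surfaces
    // as FileNotFoundException("... (Permission denied)").
    val foreign = File("/data/data/com.example.otherapp/files/secret.txt")
    var foreignOk = false
    var err: String? = null
    try {
        foreign.readText()
        foreignOk = true
    } catch (e: IOException) {
        err = e.message
    }

    return SandboxProbe(
        uid = Process.myUid(),
        ownDataDir = context.applicationInfo.dataDir,
        ownReadable = ownOk,
        foreignReadable = foreignOk,
        foreignError = err
    )
}
```

Note that `File.exists()` on the foreign path also returns false, because even the `stat()` call is refused; the sandbox hides the file rather than merely blocking its contents.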
Reaching shared data from inside the sandbox
Because the sandbox blocks direct cross-app file access, an app reads shared media through brokered interfaces: the MediaStore / ContentResolver on Android (mandatory under scoped storage, which is enforced for apps targeting Android 11 and later) and PhotoKit (PHAsset) on iOS. These return only content the user has authorized, so even a granted app sees the photo library through a controlled layer rather than raw filesystem paths; on iOS the user can further restrict a grant to selected photos, and on Android the app sees only its own media unless the user grants the read-media permission.
An app's own cache and temporary data live inside the sandbox — Android's `getCacheDir()` / `getExternalCacheDir()` and iOS's `NSCachesDirectory`. The OS may purge these under storage pressure, which is the technical basis for what users see as reclaimable app cache.
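As an added example covering both points above (it is not code from the original page or from Cleanor), the Kotlin below enumerates the photo library through the brokered MediaStore API, finds byte-identical images by hashing their content through `ContentResolver.openInputStream`, and writes the resulting index into the app's own `cacheDir`, where the OS is free to purge it. It detects exact duplicates only, not perceptually similar photos. The index file name `photo-hashes.txt` is an assumption, and `context` is any `Context`.

```kotlin
// Added example (not from the original page or Cleanor): duplicate-photo scan
// through the MediaStore broker, with derived data kept in the app's cache dir.
import android.Manifest
import android.content.ContentUris
import android.content.Context
import android.content.pm.PackageManager
import android.net.Uri
import android.os.Build
import android.provider.MediaStore
import java.io.File
import java.security.MessageDigest

/** Permission MediaStore needs before it returns images other apps created. */
fun imagesPermission(): String =
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU)
        Manifest.permission.READ_MEDIA_IMAGES
    else
        Manifest.permission.READ_EXTERNAL_STORAGE

fun hasImagesPermission(context: Context): Boolean =
    context.checkSelfPermission(imagesPermission()) == PackageManager.PERMISSION_GRANTED

/**
 * Groups of content URIs whose bytes are identical, keyed by SHA-256 hex.
 * Without the permission, MediaStore only hands back media this app itself
 * contributed, so the scan silently covers less; we refuse to run in that case.
 */
fun findDuplicatePhotos(context: Context): Map<String, List<Uri>> {
    require(hasImagesPermission(context)) { "request ${imagesPermission()} first" }
    val resolver = context.contentResolver
    val collection = MediaStore.Images.Media.EXTERNAL_CONTENT_URI
    val projection = arrayOf(MediaStore.Images.Media._ID, MediaStore.Images.Media.SIZE)

    // Pass 1: bucket by size using only the broker's metadata (no file bytes read).
    val bySize = HashMap<Long, MutableList<Uri>>()
    resolver.query(collection, projection, null, null, null)?.use { c ->
        val idCol = c.getColumnIndexOrThrow(MediaStore.Images.Media._ID)
        val sizeCol = c.getColumnIndexOrThrow(MediaStore.Images.Media.SIZE)
        while (c.moveToNext()) {
            val uri = ContentUris.withAppendedId(collection, c.getLong(idCol))
            bySize.getOrPut(c.getLong(sizeCol)) { mutableListOf() }.add(uri)
        }
    }

    // Pass 2: only same-size files can be duplicates, so hash just those.
    // The bytes arrive through the resolver, never via a raw path.
    val byHash = HashMap<String, MutableList<Uri>>()
    for (candidates in bySize.values) {
        if (candidates.size < 2) continue
        for (uri in candidates) {
            val digest = MessageDigest.getInstance("SHA-256")
            val stream = resolver.openInputStream(uri) ?: continue
            stream.use { input ->
                val buf = ByteArray(64 * 1024)
                while (true) {
                    val n = input.read(buf)
                    if (n < 0) break
                    digest.update(buf, 0, n)
                }
            }
            val hex = digest.digest().joinToString("") { "%02x".format(it) }
            byHash.getOrPut(hex) { mutableListOf() }.add(uri)
        }
    }
    return byHash.filterValues { it.size > 1 }
}

/**
 * Derived data belongs in cacheDir: it lives inside our own sandbox, the OS
 * may purge it under storage pressure, and uninstall removes it with the app.
 * File name is an assumption for this example.
 */
fun saveHashIndex(context: Context, groups: Map<String, List<Uri>>): File {
    val index = File(context.cacheDir, "photo-hashes.txt")
    index.bufferedWriter().use { w ->
        for ((hash, uris) in groups) w.write("$hash ${uris.joinToString(" ")}\n")
    }
    return index
}
```

Deleting a duplicate goes back through the same broker (`ContentResolver.delete` on the item's URI), and on Android 10 and later that too is mediated: modifying media another app owns prompts the user for consent rather than succeeding silently.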
Why it matters for cleanup
The sandbox is exactly why no third-party app can fully clean another app's internal junk: each app owns its private container, and only the system (or that app itself) can clear it. A cleaner like Cleanor works within the rules, surfacing duplicate and similar photos through the authorized media APIs and guiding the user to the system's own storage settings for app-specific data, rather than pretending to bypass an isolation boundary the OS will not let it cross.