DEV Community

Cover image for The Evolution of File Access Security in Android: Navigating Path Restrictions from Android 1.0 to Android 15
David Njoroge
David Njoroge

Posted on • Updated on

The Evolution of File Access Security in Android: Navigating Path Restrictions from Android 1.0 to Android 15

In the world of mobile app development, file access has always been a critical aspect of ensuring functionality while maintaining user privacy and security. Over the years, Android has evolved significantly, tightening restrictions on file access to protect user data. Starting from the earliest versions of Android, developers had open access to file paths, but with each new release, Google introduced more security features to safeguard user data. By the time we reach Android 15, file access has become a more controlled and secure process, requiring developers to adapt their methods to maintain access.

In this blog, we'll explore how file access security has evolved, the challenges developers face, and how to navigate content URIs and file paths in Android. We'll also dive into specific device-related issues, such as accessing files on Realme 9 and Samsung Galaxy 9 devices.

Early Days of Android: Unrestricted File Access (Android 1.5 to 4.3)

In the early versions of Android (up to Android 4.3), developers had direct access to the device's file system. This means they could freely use the file path (/storage/emulated/0/) or similar directories to read and write files. There were no significant restrictions, and apps could easily access the device’s internal and external storage without needing explicit permission from the user, as long as the app declared the necessary permissions in the AndroidManifest.xml file.

However, this unrestricted access raised concerns about security and privacy, as apps could potentially misuse this access to read or manipulate sensitive data.

Android 4.4 to 5.1: Introduction of Scoped Storage

With the release of Android 4.4 (KitKat) on October 31, 2013, Google introduced a shift in how external storage could be accessed. Apps were no longer allowed to write files to arbitrary locations on external storage unless they belonged to the app's own directory (/Android/data/<app_package_name>). While developers could still read files from external storage, writing was limited to app-specific directories.

Android 5.0 (Lollipop), released on November 12, 2014, introduced further refinements by allowing apps to access shared storage locations using the Storage Access Framework (SAF), which provided a more secure way to interact with the file system. This framework gave users more control by letting them choose which files or folders an app could access.

Android 6.0 (Marshmallow): Runtime Permissions and Scoped Storage Tightening

Android 6.0, released on October 5, 2015, introduced runtime permissions, giving users more control over what apps could access after installation. Instead of granting all permissions at install time, users could now grant or deny access to sensitive resources, such as storage, during runtime. This marked the beginning of stricter control over file access, with users having the option to revoke storage access at any time.

For file access, Android encouraged developers to use content URIs instead of raw file paths. The ContentResolver API became the preferred method for accessing files, as it provided a safer mechanism for sharing and accessing files between apps.

Android 7.0 to 8.1: File URI Restrictions and External Storage Evolution

With Android 7.0 (Nougat), released on August 22, 2016, Google deprecated the use of file:// URIs for sharing files between apps, requiring the use of content:// URIs instead. This change was designed to prevent unintended access to sensitive files and data leakage via file:// URIs, which could expose file paths.

Android 8.0 (Oreo), launched on August 21, 2017, continued this trend by introducing Android Instant Apps, which had more restrictive rules for accessing device resources like storage.

Android 10: Scoped Storage Enforcement

The biggest change came with Android 10, released on September 3, 2019, where Google enforced Scoped Storage. This was a game-changer in terms of file access. Scoped Storage limits apps’ access to a specific set of directories on the device, effectively sandboxing each app’s files from other apps and the system.

Apps could no longer access the external storage root directory directly (/storage/emulated/0/). Instead, they were limited to their own app-specific directories. For accessing other files, apps were required to use SAF or request the MANAGE_EXTERNAL_STORAGE permission, which granted broader access but was scrutinized more heavily by the Play Store during app reviews.

Android 11 to 13: Further Refinement of Scoped Storage

With Android 11, released on September 8, 2020, Google introduced more restrictions:

  • Enforcing Scoped Storage for all apps, even those targeting older versions of Android.
  • Allowing apps to access only media files (images, videos, audio) using MediaStore, unless they had specific permissions for managing external storage.
  • Providing new methods in MediaStore for bulk deleting and modifying files, making it easier for developers to manage large numbers of files.

Android 12, released on October 19, 2021, and Android 13, released on August 15, 2022, continued to refine Scoped Storage, with Google adding more controls for users to grant one-time access to files and directories.

Android 14 and 15: Expanding Access Controls

With the release of Android 14 on October 4, 2023, and Android 15 on September 3, 2024, file access security has become even more restrictive. Android 14 introduced Photo Picker, a new UI element that allows users to select photos and videos to share with apps, without giving them broad access to the entire photo library.

Android 15 continues to refine Scoped Storage with more granular permissions for accessing media and file paths. Permissions like READ_MEDIA_IMAGES and READ_MEDIA_VIDEO, introduced in Android 13, have been enhanced, and the use of content:// URIs remains the standard for accessing shared files.

Accessing Files in Android 15: Content URIs vs. File Paths

In Android 15, accessing files via content URIs has become the norm. Here's how you can manage file access:

  1. Content URIs: To access files securely, use ContentResolver and content URIs:

    val uri: Uri = // Uri of the file
    val inputStream = contentResolver.openInputStream(uri)
    // Read the file using InputStream
    
  2. File Paths: For apps that need to access file paths directly (for example, when dealing with app-specific files):

    val file = File(context.getExternalFilesDir(null), "myFile.txt")
    

For accessing files across the system, use the Storage Access Framework (SAF), which lets users choose specific files or directories that the app can access, providing secure file access without exposing the entire file system.

Device-Specific Issues in File Access

While Android provides a standardized framework for file access, many device manufacturers apply customizations that can cause issues. These issues often relate to file path inconsistencies, aggressive background management, or permissions that behave differently than expected. Below are some of the known device-specific problems developers face when working with file access.

1. Realme 9:

Realme devices, including the Realme 9, are known for their aggressive file management systems and power-saving modes. This can lead to issues like:

  • App-killing behavior: Apps that handle files in the background can get killed by the system, making file operations incomplete or inaccessible.
  • Scoped Storage Problems: Moving files between internal and external storage can sometimes result in broken file paths or inaccessible files due to the system not updating file references properly.
  • Background Task Restrictions: Tasks that involve long file access operations (like backups or media file management) often get interrupted due to power-saving optimizations.

2. Samsung Galaxy 9:

Samsung devices often have their own set of issues related to file access:

  • Inconsistent File Paths: Samsung devices with expandable storage often exhibit inconsistent behavior with file paths between internal and external storage. The actual path to an SD card can differ, depending on how the card is mounted.
  • Storage Permission Confusion: Users may face issues where apps cannot access files even with permissions granted. This is often due to Samsung’s Knox security features, which may restrict file access for certain types of apps.
  • FileProvider Issues: Samsung’s custom Android skin can cause discrepancies when using the FileProvider API. Developers may find that apps require additional configuration to work correctly across internal and external storage mediums.

3. Xiaomi Devices:

Xiaomi phones, which often run on MIUI, apply non-standard permission management, leading to:

  • Storage Permissions not Working as Expected: Despite users granting storage permissions, the system may block access to certain files or directories.
  • File Path Restrictions: Some Xiaomi devices restrict access to certain directories even with proper permissions, especially in the context of Scoped Storage.
  • Background Task Limitations: Like Realme, Xiaomi devices may terminate background file operations prematurely due to aggressive power-saving features.

4. Huawei Devices:

Huawei devices, running on EMUI, pose several file access challenges:

  • Custom File System Access: EMUI's handling of file paths can cause problems when apps attempt to access external storage. File paths may not be consistent across devices.
  • Aggressive Security Policies: Huawei’s strict security policies sometimes block apps from accessing shared files, especially those on SD cards or other external media.
  • Difficulty with Content URIs: Some Huawei devices experience issues where content URIs don’t resolve correctly, causing apps to fail when trying to read shared files.

5. OnePlus Devices:

OnePlus, known for OxygenOS, also introduces some challenges for file access:

  • Background File Operations Interrupted: Like other manufacturers, OnePlus aggressively kills background processes, often leading to issues where file access is interrupted. Backup or media operations in the background are particularly vulnerable.
  • Inconsistent File Paths: When switching between internal and external storage, OnePlus devices might return incorrect file paths, causing file not found errors.
  • Content URI Issues: Developers have reported issues with content URIs not functioning properly, especially when sharing files across apps using the FileProvider.

6. Google Pixel Devices:

Even though Google Pixel devices run the closest to stock Android, they have some unique file access issues:

  • Scoped Storage Enforced: Pixel devices, especially after Android 10, strictly enforce Scoped Storage. Apps that aren't updated to handle these changes will struggle to access shared storage.
  • Background File Operations Limited: Similar to other devices, Pixel phones limit background operations, especially for apps that access large numbers of files. Tasks like automatic backups or media syncing can be problematic if the app is not optimized for newer storage models.

7. LG Devices:

LG devices, though less common now, still exhibit unique file handling problems:

  • File Path Conflicts: Similar to Samsung, LG devices have inconsistent file paths, particularly for external storage, causing apps to struggle with file access.
  • Poor Support for FileProvider: Some LG devices have issues with implementing FileProvider, where shared content URIs may not resolve, resulting in file sharing failures between apps.

8. Oppo Devices:

Oppo devices face challenges due to their heavily customized ColorOS:

  • Permission Handling Issues: Oppo devices may not honor granted permissions correctly, resulting in errors when attempting to access shared storage or directories.
  • Background File Management: Oppo’s aggressive power-saving features can cause apps to lose access to files when running in the background or even crash if file operations take too long.
  • Scoped Storage Problems: Similar to Realme (a sub-brand of Oppo), Scoped Storage implementation is not always consistent, causing apps to lose access to files that were recently moved between directories.

9. Vivo Devices:

Vivo, another popular brand with its own customized Android version, introduces the following problems:

  • External Storage Issues: Some Vivo devices exhibit file path issues when accessing external SD cards, similar to Samsung and LG devices. Paths may change when cards are remounted or when the system is rebooted.
  • Aggressive App Management: Like Oppo and Xiaomi, Vivo’s app management can kill apps prematurely, leading to incomplete file operations or inaccessible files.
  • Scoped Storage Limitations: Vivo's customizations sometimes cause Scoped Storage to behave differently from standard Android, leading to problems when apps attempt to access files outside their sandbox.

Conclusion

The evolution of Android's file access security has dramatically improved user privacy and data protection but also introduced significant complexity for developers. From inconsistent file paths to aggressive power-saving features, device-specific issues can create challenges for apps trying to manage files on different Android devices. Each manufacturer’s custom Android skin and file handling behavior necessitates thorough testing to ensure file access works correctly across various devices.

Understanding these device-specific challenges is crucial when developing apps that need to interact with file storage, especially in an ecosystem as diverse as Android. As file access security becomes more restrictive with each version, developers must continue to adapt by using modern methods like Scoped Storage, Content URIs, and FileProvider to ensure seamless and secure file management.

Top comments (0)