Some of my thoughts on recent discussions about apps misusing granted permissions, whether intentionally or not due to leaks / vulnerabilities:
reddit.com/r/GrapheneOS/c
Coarse permissions are an awful model, and it's good that a lot of progress is being made away from them.
Scoped Storage is substantial progress on this front, by removing the option to demand unrestricted access to external storage, i.e. the user's home directory for user-facing files outside of the normal storage location within the app sandbox. It provides users far more control.
It forces apps to use the Storage Access Framework, which puts the user in the driver's seat by having them choose files and/or directories on behalf of apps via the system file manager UI. It can grant persistent access and users can select an entire volume, but it's a choice.
So, for example, it's still possible to have a fully functional third party file manager app, but the user has to explicitly choose to grant access to an entire storage volume. Instead, they can scope the access as they wish, which makes sense even for a file manager app.
Unfortunately, journalists and power user communities are easily manipulated and were used as tools by app developers to fight against this to avoid needing to respect user consent and privacy. Media coverage of this was pathetic, incredibly inaccurate and has caused massive harm.
Scoped Storage is still part of Android Q, but app developers can opt into using the legacy external storage model until the next major release. At the moment, you'll be better informed if you don't read the news, since not knowing is better than being immersed in misinformation.
Many developers are against it because dealing with it can require substantial work, but SAF has been around since Android 4.4 and they would have been migrating if they had any respect for user consent and privacy. Even in 4.4, it was *required* to access external drives anyway.
It should have been there from the start and required all along. It goes to show how hard it is to fix legacy design decisions. Developers can also use a traditional file API on top of SAF. It does work fine with legacy code, even C code, if you actually want to make it work.
Instead of the media and power users pushing for better privacy, what they did is aggressively fight against the single biggest privacy improvement in the history of the OS other than the move to the runtime permission model in 6.0. It's arguably even more important than that.
GrapheneOS will be deploying Scoped Storage as it was intended to be, since it's an implementation of a feature that I had planned for years, even before I created this issue in 2016: github.com/AndroidHardeni. It doesn't actually need app adoption, but it makes the UX much better.
If there's no app adoption, users need to be aware of it, since apps get isolated (scoped) external storage directories. It's comparable to internal app storage, except that users can access these via the system file manager to move files/directories in/out or grant apps access.
I'm going to need to explain to users that the user experience sucks (i.e. needing to move files between apps not adopting the modern approach with the file manager) because of manufactured outrage and lazy, inaccurate media coverage. It's going right in the documentation on it.
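As an added example (not code from the thread, from GrapheneOS, or from any real app), here is the Storage Access Framework flow the thread describes, in Kotlin: the user picks a directory tree in the system file manager, the app persists only that grant instead of asking for all of external storage, and legacy code is handed a plain file descriptor rather than a path. It assumes AndroidX Activity (`registerForActivityResult`); `ExportActivity` is a hypothetical name.

```kotlin
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.provider.DocumentsContract
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity

class ExportActivity : AppCompatActivity() {
    // The system picker shows the UI; the user decides which tree (a folder or a
    // whole volume) this app may see. No manifest storage permission is involved.
    private val pickTree = registerForActivityResult(
        ActivityResultContracts.OpenDocumentTree()
    ) { treeUri: Uri? ->
        if (treeUri == null) return@registerForActivityResult // user cancelled
        val flags = Intent.FLAG_GRANT_READ_URI_PERMISSION or Intent.FLAG_GRANT_WRITE_URI_PERMISSION
        // Persist the grant across restarts; it is scoped to exactly this tree.
        contentResolver.takePersistableUriPermission(treeUri, flags)
        listTree(treeUri)
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Reuse a tree the user already chose; only show the picker if none exists.
        val existing = contentResolver.persistedUriPermissions.firstOrNull { it.isReadPermission }
        if (existing != null) listTree(existing.uri) else pickTree.launch(null)
    }

    // Enumerate the granted tree through DocumentsContract, not java.io.File paths.
    // Returns display name -> size for regular files directly under the tree.
    fun listTree(treeUri: Uri): Map<String, Long> {
        val sizes = mutableMapOf<String, Long>()
        val childrenUri = DocumentsContract.buildChildDocumentsUriUsingTree(
            treeUri, DocumentsContract.getTreeDocumentId(treeUri)
        )
        val projection = arrayOf(DocumentsContract.Document.COLUMN_DOCUMENT_ID,
            DocumentsContract.Document.COLUMN_DISPLAY_NAME, DocumentsContract.Document.COLUMN_MIME_TYPE)
        contentResolver.query(childrenUri, projection, null, null, null)?.use { cursor ->
            while (cursor.moveToNext()) {
                if (cursor.getString(2) == DocumentsContract.Document.MIME_TYPE_DIR) continue
                val docUri = DocumentsContract.buildDocumentUriUsingTree(treeUri, cursor.getString(0))
                contentResolver.openFileDescriptor(docUri, "r")?.use { pfd ->
                    // pfd.fd is an ordinary POSIX fd: legacy or C code can read() it
                    // while pfd stays open, with no filesystem path ever exposed.
                    sizes[cursor.getString(1)] = pfd.statSize
                }
            }
        }
        return sizes
    }
}
```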
