Conversation

This Tweet was deleted by the Tweet author. Learn more

Replying to

The simple answer is no, they can't do that, because they can't do it today. Apps can't access files outside of their own app sandbox / directories without consent. That's the status quo already. The issue is that there's a coarse permission for a shared external storage volume.

1

1

Replying to

Scoped Storage drops support for this coarse access control model and storage permission, similar to how it went away for external drives in Android 4.4. Users can still grant access to the entire storage volume since when the app requests access the user can choose any scope.

1

2

Replying to

Apps have everything they need to avoid using the coarse, privacy-unfriendly storage permissions. The issue with the design is those coarse permissions existing at all. Apps demand them and aren't designed to work without them, and they store private data in that shared storage.

1

2

Replying to

Scoped Storage removes those permissions and works around legacy apps designed around them by providing a scoped view of external storage, emulating the way it used to work. Removing it forces apps to use SAF (added in Android 4.4), where the user selects files/directories.

1

2

Replying to

There are still some fairly coarse options available for things like media. An app like WhatsApp could decide to approach it by requesting Photos access and storing media in shared photo albums. It becomes much clear to users though, and it gives them granular control in general.

1

2

Replying to

GrapheneOS's use of KVM is totally where my mind was going regarding compartmentalizing the apps. I can see scoped storage as a stopgap measure IF the android devs felt that upcoming device processors were not going to be powerful enough to run full-on KVM.

2

Replying to

Then again this is kind of apples and oranges though since we're talking about app isolation as well as shared storage. If the KVM just provides a pass-through to shared storage without a storage management layer (think apparmor for storage), then we're back to square one.

2

Replying to

Reminds me of the iOS vulnerability where apps were/are still writing sensitive user info to shared storage and others have the ability to scrape it. e.g. apps that were denied location services can scraper data saved saved by apps that did have access to location services.

1

Replying to

For this kind of thing, it's definitely the app devs who are are not thinking about security enough while designing software (I'm assuming here the devs have the option of alternatively saving data to an app-specific memory area).

2

Replying to

The reason this is called external storage is because it's not the usual internal storage. External is referring to it being outside of the app sandbox. Apps need to explicitly opt-in to it and can't access data stored by other apps without permission. That's not what's wrong.

3:57 PM · Jul 20, 2019Twitter Web Client

Replying to

What's wrong is that the OS supports the ability for apps to request access to the entirety of external storage, rather than using the fine-grained model of the Storage Access Framework. The point of Scoped Storage is to emulate the coarse legacy approach to get rid of it.