Android 10 deprecated the Storage permissions and they aren't they available with the current API level without temporarily opting into the legacy storage model. Android 4 introduced SAF to access files via case-by-case user consent and Android 5 extended it to directory access.
Conversation
In Android 4, SAF became mandatory to access external drives. Apps had to support SAF to provide full functionality. Android 7 deprecated passing files via file: URI to avoid the app receiving a file from needing to depend on the legacy Storage permissions due to the other app.
1
1
In Android 9, apps within the same profile were each given their own SELinux MLS level to fully isolate them from each other, except through system APIs. This removed the ability for apps to make their internal data world writable / readable to share it via legacy file: URIs.
1
1
Modern apps must share files via content: URIs mapping to content providers providing a thin indirect access layer with a modern access control system including revocation, etc. Unfortunately some apps targeting older API levels or opting into legacy storage still use file: URIs.
1
2
For example, Firefox and the Amaze file manager still use the obsolete Storage permissions to gain direct access to the user's home directory. They still share files to other apps via legacy file: URIs since they disabled Android 7 sharing sanity checks: hg.mozilla.org/mozilla-centra.
2
2
Replying to
Is that code still in use on Firefox Preview? The nightly recently started to be usable, and I see they solved long standing issues: e.g they have a button to propose opening an URL in an app that registered it, which wasn't possible before.
1
Replying to
Don't know, just getting increasingly annoyed with being blamed for other people's broken apps. It's totally ridiculous that Firefox disabled the sanity checks added in Android 7 with the justification that they "disagree" with having a proper storage security model...
2
Replying to
They do raise valid concerns. A simple fix would be to "own" the download directory and change the model, but they'd be the ones getting flamed. How do Chrome/Brave solve this ?
2
Turns out they have users being confused: reddit.com/r/brave_browse
forum.xda-developers.com/pixel-3-xl/hel
1
Replying to
No, it doesn't, and you're the one that's confused. Brave wasn't using the modern downloads implementation. It was broken, but not because there's anything wrong with the new download implementation for Android 10. The default downloads location for Chromium is also the same...
Try downloading a file in Chrome on the stock OS or Vanadium on GrapheneOS. It will be saved to the regular Downloads directly and put into the Downloads category. It may still have the Storage permission due to the upgrade process but you can toggle it off and it still works.
2
What's confusing for users is broken apps like Firefox and Amaze passing legacy file: URIs to other apps which they can't open without requiring legacy permissions. This has led to coarse Storage permissions being normalized and users not realizing it's not actually necessary.
1
Show replies