App access to files

Another Matt

New member
Jan 1, 2014
4
0
0
Visit site
Hi, what controls the access that apps have to the user-visible file structure that I see via the "My Files" widget (structure shown as "Root" with subfolders "Alarms", "Android", "Download", "Movies", etc. etc.)? Or do all apps automatically have permission to access all of this? If it makes any difference, this is on a Samsung Galaxy Tab 10.1 running Android 4.0.4.
 

Golfdriver97

Trusted Member Team Leader
Moderator
Dec 4, 2012
35,364
110
63
Visit site
I think all apps need to have permission to do that. They need to be allowed to create a file for it's own data.
 

Another Matt

New member
Jan 1, 2014
4
0
0
Visit site
Hi, thanks for your reply, but I thought that an app's own data was usually put in a place in the file structure not directly visible to users. For example, at Storage Options | Android Developers it says "You can save files directly on the device's internal storage. By default, files saved to the internal storage are private to your application and other applications cannot access them (nor can the user)." So I don't see that an app necessarily needs access to the user-visible file structure "to create a file for its own data".

On the same web page it also says: "Every Android-compatible device supports a shared 'external storage' that you can use to save files. This can be a removable storage media (such as an SD card) or an internal (non-removable) storage. Files saved to the external storage are world-readable and can be modified by the user when they enable USB mass storage to transfer files on a computer." It then goes on to mention the READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE system permissions.

It's hard to wrap one's head around the baffling idea of calling internal storage "external", but could this be saying that the user-visible file structure on the non-removable storage is treated the same as data on removable storage as far as access permission is concerned? Could it be that permissions like "modify/delete SD card contents" also control access to the former? But then again, the same web page also says "All applications can read and write files placed on the external storage". In that case, what on earth is the point of permissions like "modify/delete SD card contents"?

I find it troubling if all apps can access all the user-visible file storage. For example, say I'm using a word processor to create a personal document, and I save it to a folder in the user-visible file structure, then it would mean that every app could see it? Although this is obviously no worse than traditional PCs where the entire file structure is visible to all programs, it does rather seem to defeat the whole purpose of the Android permissioning and the supposedly freer approach to installation of software that this encourages. If I'm creating personal documents I definitely do NOT want some random app that I downloaded to be able to access them. Similarly for photos. These seem to get saved into the user-visible file structure too. Surely this doesn't mean that all apps can access my photos? Whoever would want to allow that?

If anyone could shed any further light on these points I would be so grateful. I feel very confused.
 

Rukbat

Retired Moderator
Feb 12, 2012
44,529
26
0
Visit site
I find it troubling if all apps can access all the user-visible file storage. For example, say I'm using a word processor to create a personal document, and I save it to a folder in the user-visible file structure, then it would mean that every app could see it?
Access is controlled by rights. A file or directory has 3 sets of read write and execute rights - for the file or directory's owner, for members of he file or directory's group and for others. So if the word processor created the file with read and write rights for itself and its group, no one not in the group could see it. ("No one" meaning no app being run by someone not in the group of the person who created the file.) The file can be in a directory with all rights to everyone, but the file can still have, say, only read rights for the user who created it. So you, running any app, could access the file.

Of course, in most cases with Android, there's only one user (Knox changes the game), so things change a bit. But yes, if you create a document in a word processor, you can delete it in a file manager. In a desktop Linux environment, if you created the file read only and only for you, and I logged in as me on that computer, I couldn't read the file.
 

Another Matt

New member
Jan 1, 2014
4
0
0
Visit site
Thanks for your reply. In my situation there is only one user, so please ignore the issues of multiple users.

Just to be completely clear about this ... You say that me running any app could access the file, which could sound as if I always have some control over or visibility of what is happening. But is it also true that some app deliberately coded to nose around could steal all my files, photos, whatever -- anything in the user-visible file storage -- and send them to anyone else on the Internet (assuming it has Internet access permission), without my even knowing it had happened?

Also, is there anything in the app's requested permissions that tells me it is going to be allowed to do this, or is it automatic for all apps? I guess since you didn't mention it, you are implying it is automatic for all apps, right?

Thanks very much for your help, I really appreciate it.
 

Rukbat

Retired Moderator
Feb 12, 2012
44,529
26
0
Visit site
Just to be completely clear about this ... You say that me running any app could access the file, which could sound as if I always have some control over or visibility of what is happening. But is it also true that some app deliberately coded to nose around could steal all my files, photos, whatever -- anything in the user-visible file storage -- and send them to anyone else on the Internet (assuming it has Internet access permission), without my even knowing it had happened?
Yes - that's why each app in the Play store lists the permissions it needs to run. If an app can access the internet, or data, or the phone, but really has no reason to (like a text editor), you should be suspicious.

Also, is there anything in the app's requested permissions that tells me it is going to be allowed to do this, or is it automatic for all apps? I guess since you didn't mention it, you are implying it is automatic for all apps, right?
All apps have the ability to limit files to themselves. Since many app "developers" really don't understand the Linux environment, security or programming, their apps don't do this.

Never assume an app is secure - even if it's written by Google, the manufacturer, your bank, etc. Never assume that any of its files are either.

Passwords are another matter. 1) They're stored in the database, which has a different set of rules. And 2) if they're properly salted and hashed they're probably not worth what it costs to decode them. (Decoding a SHA256 salted password takes a pretty powerful computer and a lot of time.)
 

Another Matt

New member
Jan 1, 2014
4
0
0
Visit site
Yes - that's why each app in the Play store lists the permissions it needs to run. If an app can access the internet, or data, or the phone, but really has no reason to (like a text editor), you should be suspicious.
Thanks, but what are the permission(s) that allow an app to "access data" in the sense relevant here? The only permissions of this nature that I can recall seeing are "modify/delete SD card contents", and possibly others referring to SD cards or external storage. I have never seen any permissions that seem to relate to access to the user-visible file structure on the internal storage (the structure viewable via the "My Files" thing or similar file manager). Do such permissions exist? Or do all apps have access to all these files without explicit permission?

All apps have the ability to limit files to themselves.
I understand that each app has a private storage area, which is not visible to users through the "My Files" thing (or similar file manager), and that the files in this area are not accessible to other apps.

But is it also possible for an app to limit file availability to itself when the file is stored in the user-visible file structure (the structure viewable via the "My Files" thing or similar file manager)? Or are all files in the user-visible file structure always available to every app?