Implications of New Granular Permissions for file access in shared storage on Android 13

 

With the release of Android 13, Google has introduced further changes to the storage management system, continuing the evolution that began with Scoped Storage in Android 10 and 11. These modifications aim to provide more granular control over file access, enhancing user privacy and security, while requiring enterprise application developers to once again adapt their approaches to file access.

Evolution of storage access permissions in Android:

1. In early versions of Android up to Android 9 the access to the app's External Storage was mainly managed by two permissions:

  • WRITE_EXTERNAL_STORAGE granted read and write access to all external storage.
  • READ_EXTERNAL_STORAGE (introduced in Android 4.1) granted read access only.
  • These permissions gave full access to all files in external storage.

2. Scoped Storage:

  • Introduced to improve privacy and security. 
  • In Android 10, to enable a smoother transition, it was active by default, but an app could bypass it and restore the default Android 9.0-style behavior with requestLegacyExternalStorage=true attribute for application’s manifest. (see this news for more detail). 
  • In Android 11 it became mandatory for all apps and no longer bypassable.
  • READ_EXTERNAL_STORAGE no longer gave access to all directories, only media and downloads.
  • Apps could freely access only their own private files without permissions.
  • To access other apps' files, it was necessary to use Storage Access Framework or MediaStore API.

3. MANAGE_EXTERNAL_STORAGE:

  • Introduced in Android 11.
  • Grants full access to external storage, similar to the old WRITE_EXTERNAL_STORAGE.
  • Requires special approval from Google to the APK be published to the Play Store.
  • Designed for specific applications, such as file manager or backup applications.

New Permissions in Android 13

Android 13 introduces three new granular media permissions that evolve the previous READ_EXTERNAL_STORAGE permission:

READ_MEDIA_IMAGES: Allows read access to image files.
READ_MEDIA_VIDEO: Allows read access to video files.
READ_MEDIA_AUDIO: Allows read access to audio files.

These permissions offer more targeted and specific access to media files allowing applications to access specific categories of media files in shared storage without requiring full access to all files.

They are considered "runtime permissions," meaning they must be explicitly requested from the user during app execution, like what happened with READ_EXTERNAL_STORAGE.

At the same time, starting in API level 33, the READ_EXTERNAL_STORAGE permission has no effect anymore.

To use these new permissions, developers must:

  1. Declare the necessary permissions in the application manifest:

    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.READ_MEDIA_VIDEO"/>
    <uses-permission android:name="android.permission.READ_MEDIA_AUDIO"/>
  1. Request permissions at runtime using the standard API for permission requests:

if (ContextCompat.checkSelfPermission(this, Manifest.permission.READ_MEDIA_IMAGES)
    != PackageManager.PERMISSION_GRANTED) {
    ActivityCompat.requestPermissions(this,
        arrayOf(Manifest.permission.READ_MEDIA_IMAGES),
        REQUEST_CODE_READ_MEDIA_IMAGES)
}

Impact on MANAGE_EXTERNAL_STORAGE

The MANAGE_EXTERNAL_STORAGE permission has not been deprecated in Android 13, but its use is now more limited. It is still necessary for scenarios requiring full access to external storage, such as file management or backup applications. However, this permission requires a review process by Google to be approved in the Play Store and for most applications that only need access to media files on shared storage, the new granular permissions are sufficient and preferable.

Implications for Enterprise Applications

In case your app was previously granted the READ_EXTERNAL_STORAGE permission, then any requested READ_MEDIA_* permissions are granted automatically when upgrading. 

In all the other cases, if an app targets Android 13 or higher and needs to access media files that other apps have created, you must request one or more of the new granular media permissions instead of the legacy READ_EXTERNAL_STORAGE permission that otherwise would be ignored.

For these reasons existing enterprise applications must be reviewed to use the new granular permissions where possible, reserving the use of MANAGE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE only when strictly necessary. Applications must handle compatibility with previous versions of Android, implementing conditional logic based on the operating system version.

Note: new granular permissions are not required to access files created by the app itself, even if they are stored in shared memory.

Automatic Granting of New Permissions

For enterprise environments using Datalogic devices, it might be possible to automatically grant these new permissions using tools like Scan2Deploy. An example script could be:

SHELL pm grant <PACKAGE_NAME> android.permission.READ_MEDIA_IMAGES
SHELL pm grant <PACKAGE_NAME> android.permission.READ_MEDIA_VIDEO
SHELL pm grant <PACKAGE_NAME> android.permission.READ_MEDIA_AUDIO

Furthermore, the installation process can be simplified by installing the application directly via Scan2Deploy, which automatically grants all the permissions indicated in the manifest to the installed APK file, without the need for an explicit command or script.

NOTE: the use of such scripts or Scan2Deploy procedures to automatically grant permissions to any app should be done with caution and only in controlled corporate environments, as it could bypass important security controls designed to protect users' privacy.

Conclusion

The introduction of these new permissions in Android 13 represents a further step towards a more secure and granular file access model. For developers of enterprise applications on Datalogic devices, this means adapting their applications to use these new permissions when possible, reserving the use of MANAGE_EXTERNAL_STORAGE only for use cases that require full access to external storage.

See also:
https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions
https://developer.android.com/reference/android/Manifest.permission#READ_EXTERNAL_STORAGE
https://developer.android.com/reference/android/Manifest.permission#READ_MEDIA_IMAGES
https://developer.android.com/reference/android/Manifest.permission#READ_MEDIA_VIDEO
https://developer.android.com/reference/android/Manifest.permission#READ_MEDIA_AUDIO
NewsScoped Storage on Android 11 Devices

 

------

Created on: July 23rd, 2024