
Permission of app specific folder on external storage

Can someone explain the permission of the app specific folder /Android/data/<package_name>/files/ as described here: http://developer.android.com/guide/topics/data/data-storage.html#filesExternal

It is not clear when it is truly private to the app and when it is world-readable. Is it the case that when the USB mass storage is enabled the files in the external storage, including the app specific folder, are world readable?

I tried using a file manager app (ASTRO file manager) and I am able to see/open files in the app specific folders on the sdcard, and this is irrespective of the setting Protect USB storage in the developer options under Settings. I am using a Google Nexus 4 running version 4.3 of Android.

So it's confusing when this folder /Android/data/appname/files/ is really private to the app.

thanks.

vrtx54234 asked Dec 09 '25 23:12


2 Answers

Let's talk some Android security, shall we?

  1. You can not access an application's home directory, on an unrooted device. This would have been a MAJOR security hole.

  2. Creating WORLD_READABLE files is deprecated, and judging by the text in the API, this is one of those cases where "deprecated" means "deprecated".

  3. So - you wanna pass data between applications?

    a. You can leave a file in a set place for the 2nd app to fetch. This is a bad idea though. It litters the user's storage space, there is NO SECURITY at all, the 2nd app is not notified about pending updates and you can not easily determine the state of affairs. I suggest you steer away from this approach. Even so, I've included some elaboration in the UPDATE section below.

    b. For simple, small chunks of data, I suggest you go the Intent/BroadcastReceiver approach.

    c. You can go the ContentProvider approach if you wanna do things the right way.

    d. You can go the Intent/Service approach.

    e. For true IPC - use AIDL.

UPDATE:

I suggest you begin by reading Google's article thoroughly. This article clearly deals with the case of transferring large files between apps. Also, as you can clearly witness, the terminology is quite confusing.

So let's review your question in light of Google's article on the subject.

Internal storage is private to your application and can not be accessed by other apps. You can access its directory structure via Context.getFilesDir().

Please mind that:

  1. Files written here are deleted when the user uninstalls the app.

External storage can be physically internal (built in storage) or external (removable SD card). There is no security model here, files are visible and accessible to the world. You can access the external directory structure via Context.getExternalFilesDir(). Please mind that:

  1. This directory might become inaccessible (when the user connects the device to a computer or when he removes the SD card).

  2. There might be a separate directory per device user.

  3. Files remain even when the user uninstalls the app.

Vaiden answered Dec 12 '25 14:12
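
The internal/external split described in the answer above, shown as an added Java example that is not part of the original answer. The class name StorageChooser and its method names are hypothetical; the Android calls (openFileOutput, getFilesDir, getExternalFilesDir, Environment.getExternalStorageState) are the platform's own.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/** Hypothetical helper: chooses a storage location by data sensitivity. */
public final class StorageChooser {
    private StorageChooser() {}

    /** Sensitive data: internal storage, private to this application. */
    public static void saveSecret(Context ctx, String name, String value)
            throws IOException {
        // MODE_PRIVATE only; the world-readable mode is deprecated.
        FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE);
        try {
            out.write(value.getBytes("UTF-8"));
        } finally {
            out.close();
        }
    }

    /**
     * Non-sensitive data: app-specific external directory when it is mounted,
     * otherwise internal storage. Per the answer above, treat anything written
     * to the external directory as readable by other apps.
     * Assumption: name is a fixed file name chosen by the app, not user input.
     */
    public static File saveShareable(Context ctx, String name, byte[] data)
            throws IOException {
        File dir = null;
        // External storage can disappear (USB mass storage, card removed).
        if (Environment.MEDIA_MOUNTED.equals(Environment.getExternalStorageState())) {
            dir = ctx.getExternalFilesDir(null); // may still return null
        }
        if (dir == null) {
            dir = ctx.getFilesDir(); // fall back to private internal storage
        }
        File target = new File(dir, name);
        FileOutputStream out = new FileOutputStream(target);
        try {
            out.write(data);
        } finally {
            out.close();
        }
        return target;
    }
}
```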


<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

Indra's point is correct. For reading EXTERNAL_STORAGE you need to put this uses-permission.

Michael M. Lofton answered Dec 12 '25 13:12