Privacy and security are going to be a major focus of Android 10. That’s a good thing for each and every user, especially when many of the changes require no action on our part to happen. Security experts worrying about security on our phones means we can continue to use them as usual and everyone wins, except for a potential hacker or scammer. One major change to a fundamental feature of Android — sharing your files between any app — was tested during the Android 10 beta process and because of developer backlash was removed as a requirement for apps: Scoped Storage.
How Scoped Storage works
At one time Android worked like any other desktop operating system when it came to accessing your files; things like documents, photos, music or anything else you wanted to store on your device was there for any other app to open. You said it was OK for an app to do this when you installed it, and it just did. Using the app’s native UI, you could browse the file system and see all your public files.
With Android 4.4 KitKat, Google started making changes to and adding restrictions on how an app could access files it did not own, and with Android 5.1, the Storage Access Framework was implemented. This gave apps a way to access files in other folders using an Android API instead of using standard programming file operations. It … works. It’s slow and fairly unpopular, but it is available and by now almost every developer of an app that needs this sort of global access has at least tried it out to see how suitable it is or isn’t based on their needs.
With Scoped Storage, things are both more restrictive and more easy at the same time. A compatible app is given its own folder for user-facing data. Apps already have a private sandboxed folder for storage of their required files and this is unavailable to any other app. Scoped Storage gives the ability to create a second folder for files the app creates. Think of an app like a voice recorder, for instance; it needs somewhere to store the audio files it creates.
The app needs no permission to read or write any file in this folder, so you aren’t prompted to grant any permissions when you first run it concerning file read and write locations; apps also need permission for each and every folder they want to access but do not own.
Developers have been groomed to use specific methods for file access since Lollipop, but they’re very unpopular.
“Shared” folders like Music or Pictures will have a built-in method to gain access but every other folder on the external storage, which is your free internal storage and your SD card if you have one, now needs specific permission to be accessed. Now think of an app like a file manager, and how it needs to access every folder on your SD card and internal storage.
Developers who need to access folders not owned by their app will need to use the Storage Access Framework APIs. That means it needs to query the API to see if the files exist and get its device location then ask the user for permission to use it. This has been the recommended best practice for file access since Android Lollipop, so it’s not exactly new. But with Scoped Storage, it is now strictly enforced and no longer “optional”.
Why make this change?
Google gives two valid reasons why it’s making this change: Security and to reduce leftover “app clutter.”
On the security front, this change does a few things. First and foremost, it stops malicious apps that depend on you granting access to sensitive data because you did not read what you saw in the dialog and just clicked yes. This happens often enough that it needed to be addressed if only to protect the offenders. And we’ve all done it.
It also allows a developer to have their own space on the storage of your device that is private without asking for any specific permissions (see the first reason again) when first run. And no other app can access any document it creates without you saying it can.
The reason for a change is good, but the change itself isn’t being well-received.
Reducing app clutter needs little explanation. When you uninstall an app, the files and folders it drops all over your device storage once you gave it permission to do so stay behind. Enough of these leftovers can start to affect performance, especially if the files use a common name that may be repeated by another app. If a developer builds an app that creates media like a camera app or music recorder, for instance, he or she can use the standard media folder locations to deposit the things you create so they are not removed if the app is uninstalled.
Not written in stone
Early feedback for Scoped Storage was not very good. There’s even a petition that asks Google to remove the feature for now and rethink its implementation.
Which is mostly what Google did. Scoped Storage is available in the official Android 10 release, but developers are not required to use it. Google says that this was done so that apps can be ready when it becomes a requirement with the next platform release.
Warning: Apps will be required to use scoped storage in next year’s major platform release for all apps, independent of target SDK level. Therefore, you should ensure that your app works with scoped storage well in advance. To do so, make sure that the behavior is enabled for devices that run Android 10 (API level 29) and higher.
We imagine that during this time Google will look at even more feedback and see how this can be implemented in a way that makes less work for developers while still following its goal of how to secure Android and user privacy. A year is a long time in the life of any software and nobody would be surprised to see Scoped Storage evolve.