Back to Article

  • Tarwin - Thursday, March 13, 2014 - link

    Is the whatsapp example valid? It saves to the primary memory from what I know, whether that's internal or microSD. This means that it still has the same vulnerability asbefore.

    Secondly, this limits the usage of an external microSD greatly. File managerno longer manage files, they only read them. Download programs can no longer download to the external memory card. Heck, I personally prefer to manage the media content on my phone and tablet via Wi-Fi by directly connecting to my low-end home NAS (a Seagate goflex home drive). I won't be able to do that anymore.

    Also, I haven't seen any program yet which lets me install to the EXTERNAL SD card...

    This wouldn't bug me so much if we had Android phones with 128GB of memory so that I could continue using those apps like file managers and download managers... But unfortunately 32GB is still the norm for high end and low end is even worse.
  • marcardar - Friday, March 14, 2014 - link

    I agree - this seems to have little to do with the Whatsapp example. Any Android app can request READ_EXTERNAL_STORAGE permission and access the database. At least that is certainly true for devices with no SD card slot. For devices with an SD card slot, it depends whether "external storage" points to the SD card are some internal flash storage. If the external storage points to the SD card, then I think READ_EXTERNAL_STORAGE permission is sufficient (to read the SD card) even in 4.4. Reply
  • blanarahul - Friday, March 14, 2014 - link

    I didn't understand a single word of the second last paragraph. Reply
  • JoshHo - Friday, March 14, 2014 - link

    That's the thing, I suspect that Google would like to implement a similar system on primary storage but it would break tons of applications as a result. Long term though, I wouldn't be surprised to see a move towards the same system that we now see on microSD cards.

    It does for now, but Google is clearly trying to do something about it with the SAF, which effectively replaces file managers from the play store.

    As for installing applications to external SD, this is a common feature on some OEM phones.
  • Tarwin - Friday, March 14, 2014 - link

    I remember the "move to SD" but I personally haven't seen the option on any 4+ devices which have a passable amount of internal memory. Even on some newer lower end phones which only have two gigs left for user access they didn't have the option to install to external SD. It's also why some people were seriously complaining about the M.O.J.O. since games can take up quite a bit of space and sixteen gigs is seriously not enough.

    I have known of custom ROMS with the option and apps which give you the functionality on rooted devices, but not OEM devices that have anything newer than 2.3. Can you name some deviceswhich have the option? I'd loveto be proven wrong/corrected as then this would make a little more sense
  • digi_owl - Saturday, March 15, 2014 - link

    The "move to SD" was never about true SD cards. It was implemented because OEMs started partitioning internal storage space, and pointing the Android SD slot APIs to one of those partitions.

    Ever since the confusion have lingered in the Android APIs, and this latest change is adding further confusion.
  • Tarwin - Saturday, March 15, 2014 - link

    Oh, I know, it's just that JoshHo said "As for installing applications to external SD, this is a common feature on some OEM phones." And I was just saying that the last time I saw anything even resembling that feature was the "move to SD", though it was used with true SD cards when the internal storage was very limited (.e.g. the HTC Sensation) Reply
  • digi_owl - Sunday, March 16, 2014 - link

    Yeah, it rarely shows up in 4.x because Google introduced the option to union mount a FAT "partition" on top of a directory in the EXT based main partition. Thus sharing internal storage space between apps and user files without breaking the house of cards that started with OEMs mounting a partition as if it was a SD card. Reply
  • vdidenko - Thursday, March 13, 2014 - link

    Not sure, how file management applications like Nexus Media Importer work then? It does work on both Nexus 5 and 10 with OS version 4.4.2. It did not work for what seems to be described reasons with 4.4.0 and 4.4.1 - but works fine in 4.4.2. Reply
  • rstuart - Thursday, March 13, 2014 - link

    Yeah, there is something not quite right with the description. File manager apps have continued to work since the release of Honeycomb. I notice they all have a "Modify or delete the contents of your USB storage" permission. The stuff you can modify and delete lives under /sdcard and also /storage on a Nexus. What you could not do is modify stuff under / - but you can look at some of it. Reply
  • Nenad - Friday, March 14, 2014 - link

    ES File manager stopped working on my S4 after I upgraded to 4.4. More specifically, it CAN write files to external SD card, but it can NOT create folders there. And File Manager that came integrated with S4 CAN create folders.

    So it appears that what article describe is partially correct on S4 with KitKat: creating folders is prevented, but creating/writing files is not on external SD.
  • secretmanofagent - Friday, March 14, 2014 - link

    There's a good post here: Reply
  • vdidenko - Thursday, March 13, 2014 - link

    I think I now understand I misread the article. It does not claim restriction on ALL external storage. Only on media in the build-in microSD reader. Which none of my devices have. So I can not claim how Nexus Media Importer works with it.

    Anyone can report a file manager writing into an arbitrary directory on a build-in microSD device?
  • takur - Thursday, March 13, 2014 - link

    The "Security" reason is not at all valid. If the reason is that some other apps may access another app's data then I guess the better solution is for an app to encrypt its own data. Reply
  • StormyParis - Thursday, March 13, 2014 - link

    I'm unclear about what happens when I connect to my phone via USB, in MTP or storage device mode. What parts of the SD can I still read or wrtie to from Windows Explorer once the phone is mounted ?
    Also, what happens if I take the SD out and directly put it into my PC's SD reader ?
  • Gigaplex - Thursday, March 13, 2014 - link

    Nothing stops you from accessing the data if you put the card in an SD reader. This is an OS-level restriction that stops malicious Android apps from accessing data it shouldn't. It doesn't stop malicious physical access attempts. Reply
  • boredsysadmin - Friday, March 14, 2014 - link

    I have the same question here. Gigaplex below answers only the easy and obivious question, but how does this affect MTP access to SD card Reply
  • JoshHo - Friday, March 14, 2014 - link

    There's nothing stopping modification of the files through PC access. Reply
  • JoshHo - Friday, March 14, 2014 - link

    That's one part of the problem, but in the case of Whatsapp, the big problem is that there's nothing stopping an application from secretly uploading chat logs to a remote web server. If basic sandboxing actually happened between applications, this wouldn't be a problem. Reply
  • DLeRium - Friday, March 14, 2014 - link

    This same problem can exist for any SMS app uploading your text messages, or a 3rd party gallery app or file manager uploading your pictures. I'm not sure why people are targeting WhatsApp specifically. It's quite unfair because any app can potentially read a lot of things on your phone. Reply
  • JoshHo - Friday, March 14, 2014 - link

    The difference is that even with storage permissions, it isn't possible to read text messages. That needs a much more questionable permission. Reply
  • wisi - Friday, March 14, 2014 - link

    Because it's one example. What do you mean by people? Are there other articles talking about the gimped SD card access on Android and calling out Whatsapp? I understand the comments on this article because it was mention in it. Reply
  • wisi - Saturday, March 15, 2014 - link

    Apps still have READ permissions on the SD card. So those logs and other data can still be read by other apps if they're on the SD card.

    This crappy permission thing Google's forcing is limiting WRITE permission.
  • CSMR - Saturday, March 15, 2014 - link

    No, the better solution is to provide for a secure location for storage of application data (managed by the OS and inacessible to other apps), but also allow access to all public locations when authorized by the user. Reply
  • danjw - Friday, March 14, 2014 - link

    I am for anything that moves toward improved security for Android. I do think they need to give app developers a time frame to get their apps updated for the new security model. After that cutoff, the non-compliant apps should be removed from the Play store. They also need to move to this security model for all external storage, not just the SD card. Reply
  • Zstream - Friday, March 14, 2014 - link

    Just FYI, this does work on the Nokia 1520 as well. That might be something to talk about. Reply
  • wisi - Friday, March 14, 2014 - link

    Stupid Google hiding behind "security" to gimp access to the SD card. The internal and USB (less likely used) storage stay the same...

    The direction Google has been taking with Android has really been making me root for Sailfish and Ubuntu phones.
  • Guren88 - Saturday, March 15, 2014 - link

    This is almost like Apple. So what's the use of sd card anyway?
    Before i have been downloding files directly to sd card. But now i cannot do it. Still lucky that i can still move them to sd card but that's another more time to do. Moving like 4Gb of data to sd card. I am not suing my laptop anymore to download because i finally have large storage to use. And now you want me to fully use my internal memory and transfer to sd card after? I dont care about security. It is the users fault if something happens.
  • Tarwin - Saturday, March 15, 2014 - link

    Hear! Hear! Reply
  • digi_owl - Saturday, March 15, 2014 - link

    Here is the gist of the issue.

    When Android launched, all internal space was dedicated to Android and apps. Any kind of generally accessed space, for music and such, was expected to be on a true removable SD card.

    But later OEMs started partitioning the internal space of their devices, and mounting one of them as the "SD card".

    This resulted in various issues, like phones being sold with 8GB of storage where only 1GB (or even less) was available for installing apps.

    Problem is that Google dropped the ball, and rather than introducing a new API that could handle multiple storage areas they introduced "move to SD". Thus forever cementing the idea of internal space being "SD card" within the API.

    End result is endless confusion between Google and users about what is actually meant by "SD card". Google talks about the APIs, while users talks about the actual physical cards they can insert and remove. But only when you have a device with no internal space and a physical SD slot are those one and the same. And good luck finding those on the market today.

    It seems that Google insist that Android is to be a web terminal and PMP, not a full on OS like it could be with proper handling of files. We can see this in how file access since 3.1 is to be mediated via the media storage database and MTP, rather than straight access to the file system.

    And this latest change build on that with the introducing of the storage access framework. You can tell by how they have categories like images, but no concept of directories or file paths. This is the same kind of shenanigans that MS has tried, and largely failed, to push for a decade or more on the desktop.
  • Tarwin - Saturday, March 15, 2014 - link

    Actually, part of the problem is precisely that this applies to the external SD card and not the internal "sd card". I can understand restricting access to system files (though an option for advanced users wouldn't be such a bad thing) but I believe I should be able to do as I wish with the files on the external SD as I've yet to see a program actually put their files there. Reply
  • digi_owl - Sunday, March 16, 2014 - link

    It only affects it, in the restrictive sense, if it is mounted as "secondary" storage (something that Android never had any good handling off).

    Primary storage can be any of 3 things, a partition on the internal storage space, a union mount on top of the internal storage space, a true removable SD card. The last option is rarely used these days tho.

    End result is that the read only restriction comes into play on secondary storage, while primary storage is what Google have sadly insisted on referring to "SD card" all these years.
  • speculatrix - Saturday, March 15, 2014 - link

    Why didn't Google simply require that people reformat their flash cards with a proper file system where file ownership and protection works just the same as the rest of the OS's file spaces?

    Then you have file spaces for music, movies, ebooks, documents etc can be shared amongst apps which have a genuine reason to read or read-write the files.

    Ok, so you can't take the memory card out and put in a windows or mac computer, but there's still MTP; and I'm sure it's not beyond the wit of Google to improve the linux ext3 or ext4 file system drivers for OSX or Windows.
  • StrangerGuy - Saturday, March 15, 2014 - link

    "Some may say that this is a clear attempt to kill off expandable storage and attempt to force cloud storage upon more users, but recent events have made it clear that this is a move targeted at OS security"

    That makes as much sense as a PC cannot have a 2nd HDD or run programs on it because Windows has a vulnerability.
  • Tujan - Sunday, March 16, 2014 - link

    Just got to thank you for that comment. Because without being splashed over the head with cold water,or having somebody click their thumbs. I would have continued into being some form of submissive orb.

    Thank you.
  • cjs150 - Monday, March 17, 2014 - link

    Joshua is right this change is as much about forcing people to move to the cloud as it is about security.

    Problem is that the cloud model is flawed if you are in location that does not allow internet access (eg a plane) or have very slow access. The people making these design decisions never factor that in.

    Ultimately what they want is cloud based subscription services, I do not. I have no objections to the cloud it has its uses but it is not a panacea. I use my tablet as an entertainment device. What I want to do is stick a 64 Gb microsd card in and have 20+ movies or a couple of TV series to watch. If I need more I take a wireless hard disk with me. My uses are not the same as everyone elses
  • beginner99 - Tuesday, March 18, 2014 - link

    Not to mention that when you actually have fast cloud access (LTE) you are limited by the amount of data your plan supports (for free) and where I live that amount is unusable for any kind of media files. Of course there are more expensive plans but most people can't really afford those. Reply
  • Arbie - Monday, March 17, 2014 - link

    cjs150: I agree completely. Reply
  • Hrel - Wednesday, March 19, 2014 - link

    "However, whether this gain in security is worth the transition period between a robust permissions system for microSD/FAT systems on Android and the status quo is another question entirely, and is one that may not have an answer."

    I think it's good, IF it drives OEM's to start producing pre-paid smartphones with more than 1 or 2GB of internal storage. Considering how cheap memory is, and how SSD's (NAND) just plummeted in terms of price/GB there's no reason besides greed for including anything less than 8GB on board storage.

    I think Google is trying to make that the minimum for integrated phone storage (partly because it costs OEMS effectively NOTHING to do, but also to improve user experience. Since internal storage is almost always faster than external). Really though when we're talking about 200-400$ phones the difference between 8GB and 16GB of internal storage is negligible. Worst case scenario they should offer different versions of the phones with a REASONABLE price increase for the upper level storage.

    Reasonable meaning the price increase to the customer is in line with the cost increase to the OEM. So basically nothing.
  • Haravikk - Monday, March 24, 2014 - link

    Hopefully it'll finally stop third party apps from littering files all over the damned SD card and actually set a consistent location for that stuff. Reply
  • Davidjan - Wednesday, April 16, 2014 - link

    External storage is necessary. Big MicroSD card must be accepted by folks. Meenova MicroSD reader supports 128GB MicroSD card to add phone's storage: Reply
  • Upiklosorg - Saturday, June 21, 2014 - link

    Why would this matter for very long? New apps would be setup for this and work fine wouldn't they? Makes me think how I couldn't use VHS tapes with my DVD player I simply used what was designed so everything worked fine. Reply
  • AnnihilatorX - Tuesday, July 22, 2014 - link

    " but recent events have made it clear that this is a move targeted at OS security, as the popular chat application Whatsapp could have all messages easily accessed by any application that could read the SD card. On 4.4, despite the lack of security on the part of the developer, such a security breach wouldn’t be possible."

    I fail to understand why disabling WRITE access to SD card would prevent READing content of other apps and solve this quoted security issue.

Log in

Don't have an account? Sign up now