[Security]: Files accessible without password via custom storage path (external storage)

[mdnosibulislam]

Steps to reproduce

1. Set up the application and create a private storage.

2. Use the custom path feature to set the storage path to /storage/emulated/0/Android/data/alt.nainapps.aer/files.
   

3. Navigate to the specified path using a file manager or another application.

4. Observe that files in this path can be accessed without entering the application password.

Expectations

What should happen:

Files should remain inaccessible without the password, even when accessed via a custom path.

Reality

What actually happens:

Files are accessible without a password if the storage path is accessed directly through another app or file manager.

App version

Version 2024.10.31 (1730403000) Added on Nov 05, 2024

Android version

Android 10

[nain-F49FF806]

Thank you for the bug report. It is noted. I may have identified the issue (see below).
But would like to gather some more information to confirm.

Initial assessment:

On Android 10, external app specific dirs are not completely protected.
This is a limitation of the android framework itself, and not our specific app.
This affects only external. Internal should be safe.

From the look of it, you have selected an external storage dir (please confirm).

Why Android 10 is not completely safe for using External storage?

Android 10 introduced scoped storage by default for improving storage privacy.
But on 10, apps can still opt out of scoped storage. This breaks our security model.

On Android 11, the restriction is tighter.

Initial recommendation

Do not use "External" storage option, on Android 10 and below.
We may enforce this in an update (or at least strongly nudge users).

Require More info

Could you please share the appid or store link of the file browser app you are using?
If it has the requestLegacyExternalStorage flag. This will help confirm the above.

[mdnosibulislam]

Subject: Additional Information Regarding Bug Report

Hello,

Thank you for your detailed response. I have gathered the requested details regarding the issue.

1. File Browser App Used:
   App Name: VLC Media Player
   App Store Link: https://play.google.com/store/apps/details?id=org.videolan.vlc

2. Storage Path:
   The custom storage path I selected was:
   /storage/emulated/0/Android/data/alt.nainapps.aer/files

3. Device Details:
   Device: Xiaomi Redmi 8
   Android Version: 10

Let me know if you need further details or steps to reproduce the issue.

[nain-F49FF806]

Thanks you. It indeed is the identified issue.
VLC has the requestLegacyExternalStorage flag turned on.
So upto Android 10, it can access private folder at the chosen External custom storage path.

Todo for me

I shall

• Add a warning in the next release,
• change the defaults for Android 10 (and below) to use safer internal storage.
• Add summarised documentation re Android storage privacy that can be useful to everyone.

Suggestion for users on Android 10 (and below)

Consider moving your files to the storage backend labeled Internal (/data/...) for ensuring privacy on Android 10.

[nain-F49FF806]

Steps were taken to address this security issue. Which was in part a documentation issue.
The defaults have also been changed to help users avoid this gotcha. As such I shall now mark this as closed.

Thanks for the report and assistance in verifying the diagnosis!