Android external storage permission Analysis

Source: Internet
Author: User

I don't know if you have any discovery, from cainiao's growth history: http://blog.csdn.net/zjbpku/article/details/25161131,

Later versions of KitKat do not support write operations on external SDcard (Secondary Storage. If you want to copy files to your mobile phone

It is stored in internal storage, but cannot be stored in external sdcard, and cannot create new folders, which makes it inconvenient for users and developers. Location

The external Sdcard cannot be operated in Versions later than KitKat because Google has changed the permission of this module. Previously, we can directly get WRITE_EXTERNAL_STORAGE

And READ_EXTERNAL_STORAGE permissions to directly operate on Sdcard, but not now, the purpose is to delete all files created by the software when the software is detached. According to Google

Employee Jeff SharKey (developer of this module), Anroid provided a new API to access Secondary External Storage after Kitkat, but this is not the focus of this article.

This article focuses on how external storage permissions work.


In the Android version before KitKat, an external storage space (external storage) is assigned to the application, which may be stored in sdcard.

(Pluggable external sdcaard), or on the flash memory of the device, we need to obtain the WRITE_EXTERNAL_STORAGE permission

Space. If you only want to read the content, you do not need the permission. In 4.4 KitKat and later versions, Google has made two changes: 1. It is required for reading

READ_EXTERNAL_STORAGE permission; 2. Access the data stored in the directory to which the application belongs (for example, android/data/[package name ]).

Permissions.


In KitKat, external storage is divided into multiple parts: one "primary" part, one or more "secondary" parts. Before Kitkat

The API can be used to operate the primary external storage. The secondary external storage slightly modifies the write permission.

The directory (for example, android/data/[package name]) has all operation permissions on the file. The application does not have the write permission except the directory that the application can manage.

. The focus of this article is introduced here. Ps: although Google does not require any vendor to add additional permissions to the Sdcard operation

Yes, but it forces the manufacturer to impose permission restrictions on secondary external storage. If you have any questions about Internal storage and external storage, you can refer

Profile https://developer.android.com/guide/topics/data/data-storage.html#filesInternal


According to Jeff SharKey, the current version of Android system, that is, Kitkat, uses FUSE (Filesysgem in Userspace)

Row management. To obtain necessary permissions during file creation and dynamically accept or reject individual requests from users/groups, an Android daemon will be involved with the FUSE kernel.

Driver interaction. This is only part of the Linux-type permission that Android uses on a removable volume formatted by the FAT File System. In the kernel, it also allows

The owner/gouper/user executes multi-level permission control. Let's take a look at the explanation of Jeff Sharkey below:


Https://android.googlesource.com/platform/system/core/#/master/sdcard? Http://www.bkjia.com/kf/ware/vc/ "target =" _ blank "class =" keylink "> vc2RjYXJkLmM8YnI + c1_vcd4kpha + PGJyPgo8L3A + cjxwp1_vcd4kpha + encrypt/decrypt + M/9 s/Ct8POyqGwcHJpbWFyeaGxsr + 31r7Nz/release + release/LWx1/release + 1wdC + release/qMbkyrXP8c3isr + release/release = ", There is no API for writing.

The following code comes from AOSP device storage conf iguration example:

on initmkdir /mnt/shell/emulated 0700 shell shellmkdir /storage/emulated 0555 root rootmkdir /mnt/media_rw/sdcard1 0700 media_rw media_rwmkdir /storage/sdcard1 0700 root rootexport EXTERNAL_STORAGE /storage/emulated/legacyexport EMULATED_STORAGE_SOURCE /mnt/shell/emulatedexport EMULATED_STORAGE_TARGET /storage/emulatedexport SECONDARY_STORAGE /storage/sdcard1
Applications inside the system can access any part of secondary storage, which is almost impossible for third-party applications (currently ES FileExplore, Airdroid, Fx, and other file applications

Special solutions can be used to operate external storage files on certain models ). (For details about how to operate files on 4.4, refer to Storage Options. Introduced by Google since 4.4

If Google does not change its current permissions on the external sd of the 4.4 system in the future, it may be necessary for developers to be familiar with the SAF Framework.

In addition, in the 4.4 system application, you will find an apk called DocumentUI, which is used to process some SAF interfaces .)


Directory files under external storage have the same permissions, as shown below:

4.4 device:

root@generic:/storage/sdcard # lld---rwxr-x system sdcard_rw 2014-05-06 13:20 Alarmsd---rwxr-x system sdcard_rw 2014-05-06 13:21 Androidd---rwxr-x system sdcard_rw 2014-05-06 13:20 DCIMd---rwxr-x system sdcard_rw 2014-05-06 13:20 Downloadd---rwxr-x system sdcard_rw 2014-05-06 13:18 LOST.DIRd---rwxr-x system sdcard_rw 2014-05-06 13:20 Moviesd---rwxr-x system sdcard_rw 2014-05-06 13:20 Musicd---rwxr-x system sdcard_rw 2014-05-06 13:20 Notificationsd---rwxr-x system sdcard_rw 2014-05-06 13:20 Picturesd---rwxr-x system sdcard_rw 2014-05-06 13:20 Podcastsd---rwxr-x system sdcard_rw 2014-05-06 13:20 Ringtonesroot@generic:/storage/sdcard # ll Android/data/drwxrwx--- system sdcard_rw 2014-05-06 13:21 com.google.android.apps.maps

4.4 device:

root@generic:/storage/sdcard # lldrwxrwx--- root sdcard_r 2013-11-27 23:35 Alarmsdrwxrwx--x root sdcard_r 2013-11-27 23:36 Androiddrwxrwx--- root sdcard_r 2014-05-06 01:33 DCIMdrwxrwx--- root sdcard_r 2013-11-27 23:35 Downloaddrwxrwx--- root sdcard_r 2013-11-28 04:33 LOST.DIRdrwxrwx--- root sdcard_r 2013-11-27 23:35 Moviesdrwxrwx--- root sdcard_r 2013-11-27 23:35 Musicdrwxrwx--- root sdcard_r 2013-11-27 23:35 Notificationsdrwxrwx--- root sdcard_r 2013-11-27 23:35 Picturesdrwxrwx--- root sdcard_r 2013-11-27 23:35 Podcastsdrwxrwx--- root sdcard_r 2013-11-27 23:35 Ringtonesroot@generic:/storage/sdcard # ll Android/data/drwxrwx--- u0_a33 sdcard_r 2013-11-27 23:36 com.google.android.apps.mapsroot@generic:/storage/sdcard # ll Android/data/com.google.android.apps.maps/drwxrwx--- u0_a33 sdcard_r 2013-11-27 23:36 cachedrwxrwx--- u0_a33 sdcard_r 2013-11-27 23:36 testdata


Note: In 4.3, the sdcard_rw group has all the read and write permissions. In Kitkat, The sdcard_r group has all the + rwx permissions, which is obviously incorrect. Not all,

Because the Fuse daemon will actively participate in modifying application permissions during runtime. The execution results of File APIs canWrite (), canRead (), and canExecute () are very different.

The values returned by these methods are recorded separately in the kernel file system, so they all return true, even if they try to open the file with POSIX, it will fail. (In 4.4 external sd

A file cannot be written to a folder, but when you try to call the canWrite () method to determine whether the folder can be written, it still returns true, so this method is not available)


Android. permission. WRITE_EXTERNAL_STORAGE permission is granted to members of the sdcard_r group and the sdcard_rw group. However, the write permission authentication in kitkat requires

Therefore, the FUSE daemon will be used to supplement the permissions of the file system. The FUSE daemon will forcibly grant each permission to the App with a specific directory (that is, the number of accesses to itself ).

Data storage directory android/data/pack-agename... and some public directories ). The FUSE daemon is also strong for non-default owners configured with the-w flag in the sdcard_rw group.

Write-protected permission.

service sdcard /system/bin/sdcard -u 1023 -g 1023 -l /data/media /mnt/shell/emulated    class late_startservice fuse_sdcard1 /system/bin/sdcard -u 1023 -g 1023 -w 1023 -d /mnt/media_rw/sdcard1 /storage/sdcard1    class late_start    disabled

From the above two statements, we can see that the FUSE daemon forces GID 1023 (media_rw, which is available only for system applications) to write secondar storage. Introduce again

One problem is that external storage is divided into primary and secondary in 4.4. Write operations can be performed in the primary Section (built-in sdcard), while in the secondary Section

(External sdcard) is not allowed. How does FUSE Daemon differentiate control? According to Jeff, "-w 2013" indicates that media_rw GID can be forcibly used in

The secondary part has the write permission.


Next, let's take a look at what developers can and cannot do if file operations are performed on a kitkat device with an external SD card? Give the developer a try

Some operations and results:


To sum up, Google's restrictions on secondary volume since 4.4 have not only brought inconvenience to users, but also brought inconvenience to device manufacturers and developers. Huawei

To this end, we have issued a Notice to developers: compatibility issues and solutions for the application write-out card on Android4.4. Nowadays, apart from the Rom pair after some OEMs modify their permissions

Third-party applications are not restricted. The scalpers also propose to the Root device users to modify the platform. xml file to modify the permissions (For details, refer to Baidu) so that third-party applications can operate.

External SD card; some file management tools mentioned above can also be used to operate external SD cards. No matter what the original intention of Google is, we hope that Google will consider the problem from the perspective of users,

Make better improvements to the Android system. I would like to thank the developer of FX file management tool Todd Liebeck for answering and helping me in a timely manner in G +.

X-plore developer of the CTO Liebeck solution for external Kitkat sd file operations.





Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.