[Zak]

Shady apps use file access to do tracking of various sorts and simply ingest private data that has nothing to do with their nominal purpose. Sophisticated users probably wouldn't install those apps, and certainly wouldn't agree to their request for filesystem access, but that's not who Google is trying to protect here.

It's obviously not a security problem or a harm when used by an open source file synchronization app, and Google is being unsophisticated with its policy here.

[lenkite]

Maybe they should not remove APIs for open source apps then. If you can vet the source code and the app has been built from the source code you vetted, then there is no point in removing capabilities for reasons other than market monopolization and extinguishing features for non-Google developers. After all, these security rules don't apply to Google themselves.

(btw, not singling out Google - IMHO Apple is bad here too. This duopoly in the smartphone space is a major PITA)

[g-b-r]

It really could.

[apitman]

Do you have links to stories about any of these shady apps that have now been stopped by this policy?

[Zak]

Most of the time, when apps are caught doing something really shady, they're removed from the Play Store for doing the shady thing. A story wouldn't report that they stopped working because of a policy change, but some of these wouldn't make it into the store now:

https://www.bleepingcomputer.com/news/security/apps-with-15m...

https://www.zdnet.com/article/phantomlance-spying-campaign-b...

https://www.welivesecurity.com/2023/05/23/android-app-breaki...

There are also examples of apps using the filesystem to try to detect rooted devices, an invasion of user privacy:

https://www.reddit.com/r/Android/comments/g6cdl6/apps_have_a...

[apitman]

Thanks, definitely looks like it's been abused.

But does the policy solve this problem? The first link is a file explorer app. In theory that app should be granted the permision by Google. They could get established and then start collecting data later. So how does the policy help?

In practice the only way it helps is by Google basically telling everyone other than big trusted orgs no, and that's not an open ecosystem.

Why not just give the user a big fat warning, even telling them that apps which request this permission have been known to steal data in the past, then let them decide for themselves?

[Zak]

It reduces the attack surface area, and in theory allows more thorough vetting of apps that are eligible to use the permission without spending additional resources. I say in theory because I have the impression Google wants this to be almost entirely automated and isn't actually doing a good job vetting apps that use risky permissions.

> that's not an open ecosystem

No, it is not. Did someone claim it was?

The open ecosystem of Android is that users can choose to install apps from any source they like. Apps like Syncthing-Fork and (full-featured) Nextcloud are available from other sources including F-Droid. Google does a couple things to privilege its own store, though I think those are being mitigated due to legislation and litigation.

[apitman]

> No, it is not. Did someone claim it was?

No, we said that's what we want it to be.