Google recently announced the launch of Android Instant Apps, a new technology which allows just the bare minimum of an app to be downloaded from links, bypassing the Play Store. This sounds cool enough on its own, but the implications reach far deeper than it first appears, and could end up changing the entire internet.
- Lorenzo Quiroli
Nougat and onwards forbids file:/// URI beyond your package
Since Android 7.0 Nougat you can’t expose a file:/// URI with an Intent outside your package domain, but don’t worry: here’s how you can fix it.
Android 7.0 Nougat introduced some file system permission changes in order to improve security. If you’ve already updated your app to targetSdkVersion 24 (or higher) and you’re passing a file:/// URI outside your package domain through an Intent, then what you’ll get is a FileUriExposedException.
When you share a file with a file:/// URI, you also modify its file system permissions and make it available to any app (until you change them again). Needless to say, this approach is insecure.
Why is this happening?
According to the official documentation:
In order to improve the security of private files, the private directory of apps targeting Android 7.0 or higher has restricted access (0700). This setting prevents leakage of metadata of private files, such as their size or existence.
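One way to hand a private file to another app without a file:/// URI is AndroidX FileProvider, which issues a content:// URI and a temporary read grant to the receiving app only. This is an added example, not code from the original post; the class name ReportSharer, the authority com.example.app.fileprovider, the shared/ subdirectory and the PDF MIME type are assumptions.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.File;

/*
 * AndroidManifest.xml, inside <application> (the authority is an assumed placeholder):
 *
 *   <provider
 *       android:name="androidx.core.content.FileProvider"
 *       android:authorities="com.example.app.fileprovider"
 *       android:exported="false"
 *       android:grantUriPermissions="true">
 *       <meta-data
 *           android:name="android.support.FILE_PROVIDER_PATHS"
 *           android:resource="@xml/file_paths" />
 *   </provider>
 *
 * res/xml/file_paths.xml (only files under <filesDir>/shared/ can be handed out):
 *
 *   <paths>
 *       <files-path name="shared" path="shared/" />
 *   </paths>
 */
public final class ReportSharer {
    // Must match android:authorities in the manifest (assumed value).
    private static final String AUTHORITY = "com.example.app.fileprovider";

    private ReportSharer() {}

    /** Before: startActivity() with this Intent throws FileUriExposedException
     *  when targetSdkVersion is 24 or higher. */
    static Intent buildFileUriIntent(File report) {
        Intent intent = new Intent(Intent.ACTION_VIEW);
        intent.setDataAndType(Uri.fromFile(report), "application/pdf");
        return intent;
    }

    /** After: content:// URI, readable only by the app that receives the Intent. */
    static Intent buildContentUriIntent(Context context, String fileName) {
        File report = new File(new File(context.getFilesDir(), "shared"), fileName);
        // Throws IllegalArgumentException if the file lies outside the paths in file_paths.xml.
        Uri uri = FileProvider.getUriForFile(context, AUTHORITY, report);
        Intent intent = new Intent(Intent.ACTION_VIEW);
        intent.setDataAndType(uri, "application/pdf");
        intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return intent;
    }
}
```

The provider stays unexported, so the file's own permissions never change; access exists only through the per-Intent grant.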