h4h13 / Paisa

Expense manager for Android with Material Design

"Access All Files" permission for exporting backup seems excessive #290

Open Tombstone2K opened 1 year ago

Tombstone2K commented 1 year ago

Using the "Access All Files" permission (i.e. MANAGE_EXTERNAL_STORAGE) for saving the backup JSON files really seems excessive. Instead it can be done via the Storage Access Framework for better privacy.

I have experience implementing the same in Flutter, so I could seriously help you out.

Regards

IzzySoft commented 4 months ago

If I may chime in here, @h4h13 – the scanner in my repo got some new checks in January, and on today's update reported something similar:

! repo/dev.hemanths.paisa_602.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE
! repo/dev.hemanths.paisa_602.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

If storage access is really just for backup/restore, I have to agree with @Tombstone2K here: that only needs access to a single directory the user can choose, for which SAF would be perfect. Your app's minSdk is set to Android 5, so SAF is available for the lowest supported version.

Btw, that DEPENDENCY_INFO_BLOCK is also avoided easily:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

h4h13 commented 4 months ago

Hey, I don't understand the new policy update on Android. It got rejected in the Google Play review even though we submitted a review for why we need MANAGE_EXTERNAL_STORAGE. Need some help so that we can implement this.

IzzySoft commented 4 months ago

I'm not familiar with the PlayStore rules (I don't use PlayStore, I do not even have an account with Google), so I cannot help you with that. As you did not outline what you need the permission for (which is what was asked here) it's hard to help. If it's really just about exporting some JSON file, these are not the droids permissions you are looking for. You should use the Storage Access Framework (SAF) instead, which is available since Android 5. With that, the user is asked for a location to grant access to, and the JSON can be placed there. MANAGE_EXTERNAL_STORAGE is usually reserved to file managers and the likes.
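The SAF export this comment describes, as an added example that is not part of the thread or of Paisa's code: the system picker asks the user where to save, and the app receives write access to that one document only, so the manifest needs no storage permission at all. It uses only platform APIs available from API 19, so it fits the Android 5 minSdk mentioned above; the class name, request code, extra key and file name are hypothetical, and in a Flutter app this would sit on the Android side behind a platform channel or plugin (an assumption).

```kotlin
// Added illustration; names below are hypothetical, not taken from Paisa.
import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import java.io.IOException

class BackupExportActivity : Activity() {

    // Backup JSON handed over by the caller (assumed small enough for an intent extra).
    private var pendingJson: String? = null

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        pendingJson = intent.getStringExtra(EXTRA_JSON)
        if (savedInstanceState != null) return // picker already shown before a rotation
        // The picker runs in the system UI; the app never sees other files.
        val pick = Intent(Intent.ACTION_CREATE_DOCUMENT).apply {
            addCategory(Intent.CATEGORY_OPENABLE)
            type = "application/json"
            putExtra(Intent.EXTRA_TITLE, "paisa_backup.json")
        }
        startActivityForResult(pick, REQ_EXPORT)
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode != REQ_EXPORT) return
        val uri: Uri? = data?.data
        val json = pendingJson
        var ok = false
        if (resultCode == RESULT_OK && uri != null && json != null) {
            try {
                // The returned content:// URI carries a write grant for this document only.
                contentResolver.openOutputStream(uri)?.use { out ->
                    out.write(json.toByteArray(Charsets.UTF_8))
                } ?: throw IOException("Provider returned no stream for $uri")
                ok = true
            } catch (e: IOException) {
                ok = false // user-visible error handling is left to the caller
            }
        }
        setResult(if (ok) RESULT_OK else RESULT_CANCELED)
        finish()
    }

    companion object {
        const val EXTRA_JSON = "backup_json"
        private const val REQ_EXPORT = 4201
    }
}
```

Restore works the same way with `Intent.ACTION_OPEN_DOCUMENT` and `contentResolver.openInputStream(uri)`.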

Tombstone2K commented 4 months ago

Hey, I have worked with Android's Storage Access Framework (SAF) in my other Flutter projects. I'll be happy to help integrate it into Paisa, after getting a go-ahead, thus eliminating the need for the overreaching MANAGE_EXTERNAL_STORAGE permission.

Tombstone2K commented 3 months ago

@h4h13 Should I start working on this? Do assign this issue to me.

IzzySoft commented 1 month ago

@h4h13 Will you accept Raj's offer? This just popped up again with your update today.

IzzySoft commented 2 weeks ago

@h4h13 you're there? Just got the warning again for the latest release.

IzzySoft commented 2 weeks ago

Ouch, I just see the size of the app has increased to almost 90 MB – that's 3 times the size limit at IzzyOnDroid. So it seems I have to remove the app – unless above issues are solved AND the size limit is addressed, e.g. using per-ABI builds. X86 + armeabi native libs make up for about 50 MB, so using arm64-only would bring it back into reach. Any chance for that?

h4h13 commented 2 weeks ago

Let me check that today. By any chance, are you guys using GitHub release or any other sources?