Remove android.permission.READ_EXTERNAL_STORAGE

hpoul / file_picker_writable

Flutter plugin to choose files which can be read, referenced and written back at a later time.

https://pub.dev/packages/file_picker_writable

MIT License

17 stars 13 forks source link

Remove android.permission.READ_EXTERNAL_STORAGE #15

Open bradyt opened 3 years ago

bradyt commented 3 years ago

I think for ACTION_OPEN_DOCUMENT, we don't need the broad permission to read external storage. I think it's using a notion that user is implicitly giving surgical permission when picking the file.

I tried the following diff, and I was able to pick a file for reading.

modified   android/src/main/AndroidManifest.xml
@@ -1,4 +1,3 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
   package="codeux.design.filepicker.file_picker_writable">
-    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
 </manifest>

I tested with:

file_picker_writable's null-safety branch (at 0144b6f0b8adab3d51fa1c1de418d2e59c9f1fc1)
Flutter 2.0
Android 11

bradyt commented 3 years ago

Hmm,

If your app uses the media store, however, you must request the READ_EXTERNAL_STORAGE permission to access other apps' media files. On devices that run Android 9 (API level 28) or lower, your app must request READ_EXTERNAL_STORAGE permission to access any media file, including the media files that your app created. -- https://developer.android.com/training/data-storage/shared/documents-files

EDIT: It seems that using READ_EXTERNAL_STORAGE with Storage Access Framework might imply one is reading and writing audio video or images, which usecase I am wondering if this package is not intending to cover.

hpoul commented 3 years ago

I'm honestly not completely sure in which scenarios it is required, but i'm pretty sure there was a requirement to use it.

If you know for sure your app doesn't need it you can simply remove it by adding <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" tools:node="remove"/> to your app's manifest. 🤔️

bradyt commented 3 years ago

That "remove" looks terrific, I still seem able to pick files with this line, I tried in the emulator. I will try this with my next release, and I'll be curious if the play store's listing will no longer have the permission listed (no estimate on my next release right now). I'm afraid this was a general programming question, tangentially related to your library. I appreciate the help. I defer to you if/when you want to close issue.

amake commented 3 years ago

Actually I came to the same conclusion as well: this permission seems not to be needed.

Note that it is a "dangerous" permission per the docs. That means that you need to actively request this permission via a dialog. If you haven't done that, then you never really had this permission at all.

Despite that it seems that all plugin features work fine.