0

I'm working on a library where I implement a FileProvider from Android Support and want to make it easy to allow the developer to share files from any of the external-path, external-cache-path, cache-path. If I provide the paths myself, the question is, do I create any security concerns if I declare sharing access to the root of each of these paths like this:

<?xml version="1.0" encoding="UTF-8" ?>
<paths>
  <external-path name="external_files" path="." />
  <cache-path name="internal_cache" path="." />
  <external-cache-path name="external_cache" path="." />
</paths>

I still need to call getUriForFile(..) to get the actual URI right? Is it possible for someone to guess a filename from that path in the original content uri and then access it, or does getUriForFile do something special for granting access to that specific file?

Phantômaxx
  • 37,901
  • 21
  • 84
  • 115
Redth
  • 5,464
  • 6
  • 34
  • 54

1 Answers1

0

getUriForFile() returns a secure Uri for accessing that one file only. The FileProvider grants access to a single file per Uri. What you have proposed is a secure way to allow apps to access your files.

Ge3ng
  • 1,875
  • 1
  • 24
  • 38
  • Do you have any documentation to support this? I don't doubt you, but I'm having a hard time finding a good source to prove this... Thanks! – Redth Mar 12 '19 at 17:06
  • 1
    The `getUriForFile()` is a link to the documentation for that. It is also part of the FileProvider documentation. Read "Generating the Content URI for a File" and "Granting Temporary Permissions to a URI" They explain it really well. I have also extensively tested this in my apps. - https://developer.android.com/reference/android/support/v4/content/FileProvider.html#GetUri – Ge3ng Mar 12 '19 at 17:23