Examining MicroSD changes in Android 4.4

While Samsung Galaxy devices had new restrictions on microSD read/write access, it was hard to say whether this was the start of a trend for all Android OEMs as restrictions on microSD were bypassed by most OEMs, as the vast majority of functionality such as moving apps to microSD were ported to Android 4.x builds. The story is more than just about Android 4.4 though, as the change in microSD functionality happened some time in the 3.x releases of Honeycomb.

Before Honeycomb, Android was heavily reliant upon microSD cards, as the vast majority of smartphones carried forward the storage model from the days of Windows Mobile, with very little internal storage for the OS and its applications. Everything else had to be placed on a microSD card, which meant the OS was useless if the microSD card was ejected. The same was true of most early Android smartphones. This is the model that most everyone is familiar with. Any application could read and write anywhere they wished on the microSD card with appropriate permissions.

The new model arrived with Honeycomb, which placed permission controls on the microSD card. This disallowed any third party application from writing to the microSD card, although they could write to their own private folder on the microSD card, much like how applications can write to their own folder on /data/apps/ but they can't modify any other folder in that directory. With permission to write to external storage, it is possible to read any file on the microSD card that isn’t a private folder, but it isn’t possible to write to any other folder. The permission to write to any folder on the microSD card is now limited to system/OS applications only.

This means that while Google Play Edition devices like the LG G Pad and Samsung Galaxy S4 followed the behavior that was set by Google as far back as Honeycomb, devices like the Galaxy S4 with TouchWiz never had such restrictions on microSD, custom ROMs altered the restrictions that Google had placed, and in general, microSD behavior continued to work as it did in Android 2.3 for the vast majority of people using Android.

The big news isn’t that Samsung is adopting the change. Rather, it seems that Google is now enforcing this change in microSD behavior across all OEMs. Presumably, this means that the Android CTS (Compatibility Test Suite) now requires compliance with the new system of accessing microSD storage. Based upon user feedback, both Samsung and HTC devices with microSD slots are no longer capable of allowing user applications to write to folders outside of the application’s private folder. While it was once hard to say whether this would only be followed by a few OEMs, it seems that this standard is well on track to universal adoption.

This sounds like a major issue, but Google has clearly planned this out, as the Storage Access Framework feature in Android 4.4 allows file manipulation of data on the microSD slot and can provide access to data on the microSD card without allowing free access of all data on the microSD card. At any rate, an example of the SAF UI can be seen below.

What seems to throw a wrench into everything is that the primary internal storage partition still has the same behavior as microSD cards before Honeycomb. This means that any data in the /data/media/ directory has no permission control. It seems that Google has backed themselves into a corner in a way, because this odd inconsistency is needed to maintain backwards compatibility with applications that still assume that /sdcard/ can be written to in any manner, and any file on /sdcard/ can be read as well. Google also hasn't done anything about USB-OTG storage, which is still left up to the OEM to decide implementation. That means nothing changes when it comes to primary internal storage and USB storage.

Some may say that this is a clear attempt to kill off expandable storage and attempt to force cloud storage upon more users, but recent events have made it clear that this is a move targeted at OS security, as the popular chat application Whatsapp could have all messages easily accessed by any application that could read the SD card. On 4.4, despite the lack of security on the part of the developer, such a security breach wouldn’t be possible. However, whether this gain in security is worth the transition period between a robust permissions system for microSD/FAT systems on Android and the status quo is another question entirely, and is one that may not have an answer.