December 5, 2023

Android writes without rights | Haze online

Firefox, Opera, and other Android apps can save files to the download directory on my smartphone, even though I haven’t given them permission to do so. Is this a bug in Android or my smartphone?


No, it’s all fine — except that Google hasn’t documented this unauthorized file access very well. It’s also difficult to know that the app is using it.

In principle, an app now has to ask the user before it can access an area of the smartphone’s storage that is accessible to all applications. However, Google allows an exception: if an app wants to download files, it can hand that task to an Android system service, which relieves the app of a lot of work, for example in the event of a connection drop. If the app asks this service to store the file in a system directory such as the Downloads, Pictures, or Movies folder, it does not need the explicit write access permission that triggers a query to the user.

To do this, the app must request the DOWNLOAD_WITHOUT_NOTIFICATION permission at installation, and it can now do so unnoticed because the Play Store no longer asks the user to approve the required rights during installation. Users have to explicitly check in the Play Store, under ‘App Info’ and then ‘App Permissions’, whether ‘Download files without notification’ appears under ‘Other’. After installation, you can look in Settings under App Info, but Google hides this category of rights here as well: if you tap “Permissions,” a “Permissions not allowed” message appears. Only when you tap “All Permissions” in the three-dot menu at the top right does the respective entry appear at the bottom under “Other app functions.”


As a result, the app can store arbitrary files in the download directory without anyone noticing. At least, since Android 10, Android’s built-in malware scanner scans all downloads made to these public directories; apps cannot turn off this scanning either.
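
Because the Settings app buries this entry, the same check can be done from a computer. The script below is an added example, not part of the original article: it assumes a device reachable over `adb` and the usual `dumpsys package` text layout, and the package names in the embedded sample are constructed. It counts a package only when the permission appears in its "requested permissions" section, so an app that merely declares the permission is not reported.

```bash
#!/usr/bin/env bash
# Added example (not from the article): list the packages that request
# DOWNLOAD_WITHOUT_NOTIFICATION, parsed from `dumpsys package` text.
PERM='android.permission.DOWNLOAD_WITHOUT_NOTIFICATION'

# stdin: `dumpsys package` output; stdout: one requesting package per line.
find_silent_downloaders() {
  awk -v perm="$PERM" '
    /^ *Package \[/ {                      # start of a package block
      pkg = $0
      sub(/^ *Package \[/, "", pkg); sub(/\].*$/, "", pkg)
      in_req = 0; next
    }
    /^ *requested permissions:$/ { in_req = 1; next }
    /^ *[A-Za-z ]+:$/            { in_req = 0; next }   # any other section
    in_req && pkg != "" {
      line = $0
      gsub(/^ +| +$/, "", line)
      sub(/:.*$/, "", line)                # drop suffixes like ": restricted=true"
      if (line == perm) print pkg
    }
  ' | sort -u
}

# Constructed sample in the layout dumpsys prints; package names are made up.
sample_dumpsys() {
  cat <<'EOF'
Packages:
  Package [org.example.browser] (1a2b3c):
    userId=10150
    requested permissions:
      android.permission.INTERNET
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
    install permissions:
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION: granted=true
  Package [org.example.downloads] (4d5e6f):
    declared permissions:
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION: prot=normal
    requested permissions:
      android.permission.INTERNET
  Package [org.example.notes] (7a8b9c):
    requested permissions:
      android.permission.CAMERA
EOF
}

if [ "${1:-}" = "--device" ]; then
  adb shell dumpsys package | find_silent_downloaders   # real device over adb
else
  sample_dumpsys | find_silent_downloaders              # offline demo
fi
```

Run with `--device` to query a connected phone; without arguments it runs only on the embedded sample.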

