While Samsung Galaxy devices had new restrictions on microSD read/write access, it was hard to say whether this was the start of a trend for all Android OEMs: most OEMs had bypassed the microSD restrictions, and the vast majority of functionality, such as moving apps to microSD, was ported to Android 4.x builds. The story is about more than just Android 4.4, though, as the change in microSD functionality happened some time in the 3.x releases of Honeycomb.

Before Honeycomb, Android was heavily reliant upon microSD cards, as the vast majority of smartphones carried forward the storage model from the days of Windows Mobile, with very little internal storage for the OS and its applications. Everything else had to be placed on a microSD card, which meant the OS was useless if the microSD card was ejected. The same was true of most early Android smartphones. This is the model that almost everyone is familiar with: any application with the appropriate permissions could read and write anywhere it wished on the microSD card.

The new model arrived with Honeycomb, which placed permission controls on the microSD card. This disallowed any third party application from writing to the microSD card, although they could write to their own private folder on the microSD card, much like how applications can write to their own folder on /data/apps/ but they can't modify any other folder in that directory. With permission to write to external storage, it is possible to read any file on the microSD card that isn’t a private folder, but it isn’t possible to write to any other folder. The permission to write to any folder on the microSD card is now limited to system/OS applications only.

This means that Google Play Edition devices like the LG G Pad and Samsung Galaxy S4 followed the behavior set by Google as far back as Honeycomb, while devices like the Galaxy S4 with TouchWiz never had such restrictions on microSD, and custom ROMs altered the restrictions that Google had placed. In general, microSD behavior continued to work as it did in Android 2.3 for the vast majority of people using Android.

The big news isn’t that Samsung is adopting the change. Rather, it seems that Google is now enforcing this change in microSD behavior across all OEMs. Presumably, this means that the Android CTS (Compatibility Test Suite) now requires compliance with the new system of accessing microSD storage. Based upon user feedback, both Samsung and HTC devices with microSD slots are no longer capable of allowing user applications to write to folders outside of the application’s private folder. While it was once hard to say whether this would only be followed by a few OEMs, it seems that this standard is well on track to universal adoption.

This sounds like a major issue, but Google has clearly planned this out: the Storage Access Framework (SAF) feature in Android 4.4 allows manipulation of files on the microSD card and can provide access to specific data on the card without allowing free access to all of it. At any rate, an example of the SAF UI can be seen below.
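The two write paths this leaves a third-party app on Android 4.4, shown in code as an added example (not from the original article): the app's own folder on each storage volume, and a single user-picked document through the Storage Access Framework. The class name, file name, request code and sample bytes are assumptions made for illustration.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;

// Hypothetical activity; needs API level 19 (Android 4.4) or later.
public class ExportActivity extends Activity {
    private static final int REQ_CREATE = 1;  // arbitrary request code
    private static final byte[] DATA = "constructed sample\n".getBytes();

    @Override
    protected void onCreate(Bundle state) {
        super.onCreate(state);
        writePrivateCopies();
        // Path 2: any other location goes through the system picker, so the
        // user grants access to one document rather than the whole card.
        Intent i = new Intent(Intent.ACTION_CREATE_DOCUMENT);
        i.addCategory(Intent.CATEGORY_OPENABLE);
        i.setType("text/plain");
        i.putExtra(Intent.EXTRA_TITLE, "export.txt");
        startActivityForResult(i, REQ_CREATE);
    }

    // Path 1: the app's own folder on every volume. Entry 0 is primary
    // storage; later entries are secondary volumes such as a microSD card.
    private void writePrivateCopies() {
        for (File dir : getExternalFilesDirs(null)) {
            if (dir == null) continue;  // volume currently not mounted
            try (FileOutputStream out = new FileOutputStream(new File(dir, "export.txt"))) {
                out.write(DATA);
            } catch (IOException e) {
                Log.w("Export", "private write failed: " + dir, e);
            }
        }
    }

    @Override
    protected void onActivityResult(int req, int result, Intent data) {
        if (req != REQ_CREATE || result != RESULT_OK || data == null) return;
        Uri uri = data.getData();  // content:// URI for the chosen document
        try (OutputStream out = getContentResolver().openOutputStream(uri)) {
            if (out != null) out.write(DATA);
        } catch (IOException e) {
            Log.w("Export", "SAF write failed: " + uri, e);
        }
    }
}
```

Files in the per-app folders are removed when the app is uninstalled, so data the user expects to keep belongs in a document created through the picker.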

What seems to throw a wrench into everything is that the primary internal storage partition still has the same behavior as microSD cards before Honeycomb. This means that any data in the /data/media/ directory has no permission control. It seems that Google has backed itself into a corner in a way, because this odd inconsistency is needed to maintain backwards compatibility with applications that still assume that /sdcard/ can be written to in any manner, and that any file on /sdcard/ can be read as well. Google also hasn't done anything about USB-OTG storage, whose implementation is still left up to the OEM. That means nothing changes when it comes to primary internal storage and USB storage.

Some may say that this is a clear attempt to kill off expandable storage and force cloud storage upon more users, but recent events have made it clear that this is a move targeted at OS security: the popular chat application WhatsApp could have all of its messages easily accessed by any application that could read the SD card. On 4.4, despite the lack of security on the part of the developer, such a security breach wouldn’t be possible. However, whether this gain in security is worth the transition period between a robust permissions system for microSD/FAT systems on Android and the status quo is another question entirely, and is one that may not have an answer.


  • Nenad - Friday, March 14, 2014 - link

    ES File manager stopped working on my S4 after I upgraded to 4.4. More specifically, it CAN write files to external SD card, but it can NOT create folders there. And File Manager that came integrated with S4 CAN create folders.

    So it appears that what the article describes is partially correct on S4 with KitKat: creating folders is prevented, but creating/writing files is not on external SD.
  • secretmanofagent - Friday, March 14, 2014 - link

    There's a good post here: https://plus.google.com/+TodLiebeck/posts/gjnmuaDM...
  • vdidenko - Thursday, March 13, 2014 - link

    I think I now understand I misread the article. It does not claim restriction on ALL external storage. Only on media in the built-in microSD reader. Which none of my devices have. So I cannot claim how Nexus Media Importer works with it.

    Anyone can report a file manager writing into an arbitrary directory on a built-in microSD device?
  • takur - Thursday, March 13, 2014 - link

    The "Security" reason is not at all valid. If the reason is that some other apps may access another app's data then I guess the better solution is for an app to encrypt its own data.
  • StormyParis - Thursday, March 13, 2014 - link

    I'm unclear about what happens when I connect to my phone via USB, in MTP or storage device mode. What parts of the SD can I still read or write to from Windows Explorer once the phone is mounted?
    Also, what happens if I take the SD out and directly put it into my PC's SD reader?
  • Gigaplex - Thursday, March 13, 2014 - link

    Nothing stops you from accessing the data if you put the card in an SD reader. This is an OS-level restriction that stops malicious Android apps from accessing data it shouldn't. It doesn't stop malicious physical access attempts.
  • boredsysadmin - Friday, March 14, 2014 - link

    I have the same question here. Gigaplex below answers only the easy and obvious question, but how does this affect MTP access to SD card?
  • JoshHo - Friday, March 14, 2014 - link

    There's nothing stopping modification of the files through PC access.
  • JoshHo - Friday, March 14, 2014 - link

    That's one part of the problem, but in the case of WhatsApp, the big problem is that there's nothing stopping an application from secretly uploading chat logs to a remote web server. If basic sandboxing actually happened between applications, this wouldn't be a problem.
  • Affectionate-Bed-980 - Friday, March 14, 2014 - link

    This same problem can exist for any SMS app uploading your text messages, or a 3rd party gallery app or file manager uploading your pictures. I'm not sure why people are targeting WhatsApp specifically. It's quite unfair because any app can potentially read a lot of things on your phone.
