
android.os.FileUriExposedException: file:///storage/emulated/0/test.txt exposed beyond app through Intent.getData


android.os.FileUriExposedException is an exception thrown in Android when an app attempts to expose a file URI using an Intent to another app, contravening the file URI exposure guidelines introduced in Android Nougat (7.0, API level 24) for better security. This exception typically flags a potential security risk by alerting developers when a private file URI might be inadvertently shared externally.

Context and Technical Background

Why File URI Exposure is a Concern

A URI identifies a resource either on the internet or locally on a device. File URIs, which begin with file:///, link directly to a local file path. Android versions prior to Nougat did not restrict the sharing of these URIs. However, this presented certain risks:

  • Security Risks: Unauthorized apps could access sensitive files.
  • Incompatibility: Differences in file system structures across Android versions might prevent consistent and secure file access using URIs.

Introduction of FileUriExposedException

To mitigate these risks, starting from Android 7.0, the platform restricts the exposure of file URIs. The FileUriExposedException is triggered when an app tries to expose these URIs in either of these ways:

  • An Intent containing the file URI is sent.
  • A PendingIntent includes a file URI.

Using file URIs in this manner will cause the app to crash unless handled properly.

How to Handle FileUriExposedException

The recommended way to safely share files is to use content:// URIs instead of file:///. Here are several steps and strategies to use content URIs:

  1. File Provider:
    • Utilize FileProvider to encapsulate file sharing securely.
    • Declare a FileProvider in the app's AndroidManifest.xml.
xml
    <!-- The provider stays unexported; access is granted per URI -->
    <provider
        android:name="androidx.core.content.FileProvider"
        android:authorities="${applicationId}.provider"
        android:exported="false"
        android:grantUriPermissions="true">
        <meta-data
            android:name="android.support.FILE_PROVIDER_PATHS"
            android:resource="@xml/file_paths" />
    </provider>
    • Define file_paths.xml under res/xml/ to specify which files to expose.
xml
    <paths>
        <!-- path="." makes the whole of shared external storage shareable;
             list a specific subdirectory to narrow what can be handed out -->
        <external-path name="external_files" path="." />
    </paths>
  2. Get a Content URI:
    Use FileProvider.getUriForFile to obtain a content URI for a File:
java
    File file = new File(context.getExternalFilesDir(null), "test.txt");
    // The authority string must match android:authorities in the manifest
    Uri contentUri = FileProvider.getUriForFile(context, "com.example.myapp.provider", file);
  3. Granting Permissions:
    Ensure that temporary permission is granted to the URI by setting flags on the Intent:
java
    Intent intent = new Intent(Intent.ACTION_SEND);
    intent.setType("text/plain");
    intent.putExtra(Intent.EXTRA_STREAM, contentUri);
    // Temporary read access for the receiving app only
    intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);

    context.startActivity(intent);

Example Scenario

Imagine an app attempting to share a text file through an email app. Prior to API level 24, the Intent might directly share a file URI, like so:

java
    File file = new File(Environment.getExternalStorageDirectory(), "test.txt");
    Uri fileUri = Uri.fromFile(file);

    Intent emailIntent = new Intent(Intent.ACTION_SEND);
    emailIntent.setType("text/plain");
    emailIntent.putExtra(Intent.EXTRA_STREAM, fileUri);
    // This would cause FileUriExposedException on Android 7.0 and above

Improving it involves utilizing FileProvider to obtain a safe contentUri and handle permissions as shown earlier.
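
Before shipping a FileProvider setup like the one in the steps above, it helps to review how much it makes shareable. The following is an added example, not code from the original article: a small Python check over the manifest entry and file_paths.xml. The function names are hypothetical and the sample inputs are constructed from the article's snippets.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
WHOLE_DIR = {"", ".", "./", "/"}  # path values that select the entire base directory

# Constructed sample input: the article's <provider> wrapped in a minimal manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <provider android:name="androidx.core.content.FileProvider"
              android:authorities="${applicationId}.provider"
              android:exported="false"
              android:grantUriPermissions="true">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
                 android:resource="@xml/file_paths" />
    </provider>
  </application>
</manifest>"""
# Constructed sample input: the article's file_paths.xml entry.
SAMPLE_PATHS = '<paths><external-path name="external_files" path="." /></paths>'


def audit_provider(manifest_xml):
    """Flag FileProvider declarations that are exported or cannot grant per-URI access."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        name = prov.get(ANDROID + "name", "")
        if not name.endswith("FileProvider"):
            continue
        if prov.get(ANDROID + "exported", "false") != "false":
            findings.append(f"{name}: android:exported must be false")
        if prov.get(ANDROID + "grantUriPermissions", "false") != "true":
            findings.append(f"{name}: android:grantUriPermissions must be true")
    return findings


def audit_paths(paths_xml):
    """Flag <paths> entries that make a whole storage root shareable."""
    findings = []
    for el in ET.fromstring(paths_xml):
        scope = el.get("path", "").strip()
        if el.tag == "root-path":  # undocumented FileProvider tag for "/"
            findings.append(f"{el.get('name')}: root-path covers the filesystem root")
        elif el.tag == "external-path" and scope in WHOLE_DIR:
            findings.append(f"{el.get('name')}: external-path '{scope}' covers all of "
                            "shared external storage; prefer external-files-path "
                            "with a subdirectory")
    return findings


if __name__ == "__main__":
    for line in audit_provider(SAMPLE_MANIFEST) + audit_paths(SAMPLE_PATHS):
        print(line)
```

The manifest entry passes, while the `path="."` entry is reported because any file under shared external storage could then be turned into a content URI by the app.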

Key Considerations

| Aspect | Details |
| --- | --- |
| Security Implications | Direct file URIs can expose sensitive files to unauthorized apps and are prone to permission issues. |
| Supported Mechanism | Use FileProvider to convert file:/// URIs to content:// URIs and safely expose files. |
| Permission Granting | Necessary to grant read/write permissions temporarily when sharing URIs outside the app's context. |
| Backward Compatibility | Ensure that content URIs still comply with older Android versions using appropriate checks and methods. |

Conclusion

The transition from file URIs to content URIs in Android is a nuanced but necessary shift to enhance app security and compatibility. Developers should proactively migrate to using FileProvider and content URIs, aligning their app with modern Android security practices and ensuring smooth file sharing operations across diverse Android environments.
