android.os.FileUriExposedException: file:///storage/emulated/0/test.txt exposed beyond app through Intent.getData()
android.os.FileUriExposedException is an exception thrown in Android when an app attempts to expose a file URI using an Intent to another app, contravening the file URI exposure guidelines introduced in Android Nougat (7.0, API level 24) for better security. This exception typically flags a potential security risk by alerting developers when a private file URI might be inadvertently shared externally.
Context and Technical Background
Why File URI Exposure is a Concern
A URI identifies a resource either on the internet or locally in a device. File URIs, such as file:///, directly link to a local file path. Android systems prior to Nougat did not restrict the sharing of these URIs. However, this presented certain risks:
- Security Risks: Unauthorized apps could access sensitive files.
- Incompatibility: Differences in file system structures across Android versions might prevent consistent and secure file access using URIs.
Introduction of FileUriExposedException
To mitigate these risks, starting from Android 7.0 the platform restricts the exposure of file URIs. The FileUriExposedException is triggered when an app exposes these URIs to another app, that is, when:
- An Intent containing the file URI is sent.
- A PendingIntent includes a file URI.
Using file URIs in this manner will cause the app to crash unless handled properly.
How to Handle FileUriExposedException
The recommended way to safely share files is to use content:// URIs instead of file:///. Here are several steps and strategies to use content URIs:
- File Provider:
  - Utilize FileProvider to encapsulate file sharing securely.
  - Declare a FileProvider in the app's AndroidManifest.xml.
  - Define file_paths.xml under res/xml/ to specify which files to expose.
- Get a Content URI: Use FileProvider.getUriForFile to convert a file URI to a content URI:
- Granting Permissions: Ensure that temporary permission is granted to the URI by setting flags on the Intent:
Example Scenario
Imagine an app attempting to share a text file through an email app. Prior to API level 24, the Intent might directly share a file URI, like so:
Improving it involves utilizing FileProvider to obtain a safe contentUri and handle permissions as shown earlier.
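The email-sharing scenario above, written out as an added example (not code from the original page), with the file:// version beside the FileProvider version. The authority com.example.app.fileprovider, the class name ShareTextFile, and the shared/ subdirectory are assumptions made for illustration.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.File;

/*
 * AndroidManifest.xml, inside <application> (authority is a hypothetical placeholder):
 *   <provider android:name="androidx.core.content.FileProvider"
 *       android:authorities="com.example.app.fileprovider"
 *       android:exported="false"
 *       android:grantUriPermissions="true">
 *     <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
 *         android:resource="@xml/file_paths" />
 *   </provider>
 *
 * res/xml/file_paths.xml, exposing one dedicated subdirectory only:
 *   <paths><files-path name="shared" path="shared/" /></paths>
 */
public final class ShareTextFile {
    // Must match android:authorities in the manifest entry above.
    private static final String AUTHORITY = "com.example.app.fileprovider";

    // Before: with targetSdkVersion >= 24, starting this Intent throws
    // FileUriExposedException because it carries a file:// URI.
    static Intent unsafeShare(File file) {
        Intent send = new Intent(Intent.ACTION_SEND);
        send.setType("text/plain");
        send.putExtra(Intent.EXTRA_STREAM, Uri.fromFile(file));
        return send;
    }

    // After: the receiver gets a content:// URI and a temporary, read-only grant.
    // 'file' is expected under getFilesDir()/shared/; getUriForFile() throws
    // IllegalArgumentException for files outside the paths in file_paths.xml.
    static Intent safeShare(Context context, File file) {
        Uri contentUri = FileProvider.getUriForFile(context, AUTHORITY, file);
        Intent send = new Intent(Intent.ACTION_SEND);
        send.setType("text/plain");
        send.putExtra(Intent.EXTRA_STREAM, contentUri);
        // Read-only: no FLAG_GRANT_WRITE_URI_PERMISSION unless the receiver must edit.
        send.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return Intent.createChooser(send, "Share file");
    }
}
```

Keeping the provider non-exported and limiting file_paths.xml to a single subdirectory means the only files another app can reach are those for which a URI grant was explicitly issued.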
Key Considerations
| Aspect | Details |
| --- | --- |
| Security Implications | Direct file URIs can expose sensitive files to unauthorized apps and are prone to permission issues. |
| Supported Mechanism | Use FileProvider to convert file:/// URIs to content:// URIs and safely expose files. |
| Permission Granting | Necessary to grant read/write permissions temporarily when sharing URIs outside the app's context. |
| Backward Compatibility | Ensure that content URIs still comply with older Android versions using appropriate checks and methods. |
Conclusion
The transition from file URIs to content URIs in Android is a nuanced but necessary shift to enhance app security and compatibility. Developers should proactively migrate to using FileProvider and content URIs, aligning their app with modern Android security practices and ensuring smooth file sharing operations across diverse Android environments.

