
410 points morsch | 2 comments
moonshot5 ◴[] No.43986181[source]
AOSP platform dev here. (Filesystem) Opinions my own, I don't speak for Google.

Disclaimer: I don't use Nextcloud, and have not looked at their app specifically; this is just a surface-level observation from my relatively informed perspective.

My take: SAF would work for this use case, as others have already mentioned.

Google Drive does not have the permissions that Nextcloud claims Google is giving preferential treatment to, and is delivered via the Play Store in the same way Nextcloud's app is.

As others have also observed, permissions such as MANAGE_EXTERNAL_STORAGE have been rampantly abused in the past, often in horrific ways.

replies(7): >>43986712 #>>43987576 #>>43987745 #>>43989733 #>>43990209 #>>43991397 #>>43992185 #
coded_monkey ◴[] No.43986712[source]
> As others have also observed, permissions such as MANAGE_EXTERNAL_STORAGE have been rampantly abused in the past, often in horrific ways.

The lack of consideration for this point in this thread scares me. The amount of data that can be taken from a device through a permission like this is likely huge and it’s not just about “protecting users from themselves”. I wouldn’t feel safe enabling it for any app, and while syncing all data on the device sounds very useful, it’s a damned if they do, damned if they don’t scenario for Google.

replies(4): >>43986806 #>>43988162 #>>43989753 #>>43990775 #
zb3 ◴[] No.43986806[source]
> I wouldn’t feel safe enabling it for any app

Then don't enable it, no need to take away my ability to do so. Granular permissions are good (especially when the app can't reliably know they were refused), providing I have the ultimate control.

> it’s a damned if they do, damned if they don’t scenario for Google.

Did they consider my scenario above - where the app doesn't know it was not granted a permission?

replies(1): >>43987668 #
1. IshKebab ◴[] No.43987668[source]
> especially when the app can't reliably know they were refused

That's the problem. Android didn't do this even though it was obviously what is needed. Android apps can easily tell what permissions they have.

I think Google prioritised UX over power and security here. They were presumably scared about people accidentally clicking the "Silently deny" button and then getting confused when the app didn't work. Big missed opportunity.

replies(1): >>43989323 #
2. nolist_policy ◴[] No.43989323[source]
But the new API allows exactly this: the user can just give the app an empty directory. And Google even pushes apps to use it.