ScopeVerif: Analyzing the Security of Android’s Scoped Storage via Differential Analysis
Abstract
Storage on Android has evolved significantly over
the years, with each new Android version introducing changes
aimed at enhancing usability, security, and privacy. While these
updates typically help with restricting app access to storage
through various mechanisms, they may occasionally introduce
new complexities and vulnerabilities. A prime example is the
introduction of scoped storage in Android 10, which fundamen-
tally changed how apps interact with files. While intended to
enhance user privacy by limiting broad access to shared storage,
scoped storage has also presented developers with new challenges
and potential vulnerabilities to address. However, despite its
significance for user privacy and app functionality, no systematic
studies have been performed to study Android’s scoped storage
at depth from a security perspective.
In this paper, we present the first systematic security analysis
of the scoped storage mechanism. To this end, we design and
implement a testing tool, named ScopeVerif, that relies on
differential analysis to uncover security issues and implementation inconsistencies in Android’s storage. Specifically, ScopeVerif
takes a list of security properties and checks if there are any
file operations that violate any security properties defined in
the official Android documentation. Additionally, we conduct a
comprehensive analysis across different Android versions as well
as a cross-OEM analysis to identify discrepancies in different
implementations and their security implications.
Our study identifies both known and unknown issues of scoped
storage. Our cross-version analysis highlights undocumented
changes as well as partially fixed security loopholes across
versions. Additionally, we discovered several vulnerabilities in
scoped storage implementations by different OEMs. These vulnerabilities stem from deviations from the documented and
correct behavior, which potentially poses security risks. The
affected OEMs and Google have acknowledged our findings and
offered us bug bounties in response.
the years, with each new Android version introducing changes
aimed at enhancing usability, security, and privacy. While these
updates typically help with restricting app access to storage
through various mechanisms, they may occasionally introduce
new complexities and vulnerabilities. A prime example is the
introduction of scoped storage in Android 10, which fundamen-
tally changed how apps interact with files. While intended to
enhance user privacy by limiting broad access to shared storage,
scoped storage has also presented developers with new challenges
and potential vulnerabilities to address. However, despite its
significance for user privacy and app functionality, no systematic
studies have been performed to study Android’s scoped storage
at depth from a security perspective.
In this paper, we present the first systematic security analysis
of the scoped storage mechanism. To this end, we design and
implement a testing tool, named ScopeVerif, that relies on
differential analysis to uncover security issues and implementation inconsistencies in Android’s storage. Specifically, ScopeVerif
takes a list of security properties and checks if there are any
file operations that violate any security properties defined in
the official Android documentation. Additionally, we conduct a
comprehensive analysis across different Android versions as well
as a cross-OEM analysis to identify discrepancies in different
implementations and their security implications.
Our study identifies both known and unknown issues of scoped
storage. Our cross-version analysis highlights undocumented
changes as well as partially fixed security loopholes across
versions. Additionally, we discovered several vulnerabilities in
scoped storage implementations by different OEMs. These vulnerabilities stem from deviations from the documented and
correct behavior, which potentially poses security risks. The
affected OEMs and Google have acknowledged our findings and
offered us bug bounties in response.
