GoogleApps icon indicating copy to clipboard operation
GoogleApps copied to clipboard

Published 20 hours ago verified publisher icon tobykurien

Allow sharing files

Open danielegobbetti opened this issue 10 years ago • 6 comments

Hello!

I don't know if this is considered a feature or an anti-feature, but I am going to ask nevertheless.

Lately the g+ website has been updated and works way better than it used to. One of the changes is that now it's possible to attach pictures to posts. Using the function from the browser yields the following message in logcat

I/ActivityManager(10908): START u0 {act=android.intent.action.CHOOSER cmp=android/com.android.internal.app.ChooserActivity (has extras)} from pid 25552

I guess GoogleNews is not allowed to fire this intent, because the link does not work and nothing appears in logcat.

So my question is if you could consider adding this function, or if it would defeat the aim of requiring the minimum set of permissions that is possible.

Kind regards.

danielegobbetti avatar Jun 17 '14 10:06 danielegobbetti

Thanks for bringing this to my attention. I think it should be possible without any additional permissions, so I'll investigate when I get a chance and see if I can enable that functionality without adding permissions to the app.

tobykurien avatar Jun 17 '14 12:06 tobykurien

Hi peeps,

What about this issue? We cannot attach a file to mail neither.

xavihernandez avatar Jan 27 '16 13:01 xavihernandez

I am concerned that letting the WebView have file system access is a major security risk. It means that in theory, some javascript could take advantage and upload your files, since this is handled by webview and not the app.

tobykurien avatar Jan 28 '16 07:01 tobykurien

@tobykurien while a bit cumbersome, it could be a two-step process:

  • the user "shares" a file with the app => the file gets copied to the "private" path of the application (no external storage permission is needed to manage files there, but for reading them from their original position it's possible that the app would need it)
  • the user "uploads" one of the files (while browsing), but since the webview would have access only to the files that live in the aforementioned "private" path, it would limit the scope of an attack
  • the app could have a setting to delete "expired" files (perhaps even user configurable: "Delete shared files after: 5 min/10 min/1 hour/never") or just silently delete them after a while

danielegobbetti avatar Jan 28 '16 07:01 danielegobbetti

Ok, that's a great idea, thanks!

tobykurien avatar Jan 28 '16 08:01 tobykurien

Really good idea @danielegobbetti

xavihernandez avatar Jan 28 '16 10:01 xavihernandez