Internal Storage Metadata Leaks

Usually, with internal storage, we are aiming to prevent other apps from reading or writing our files.

However, as Arne Swinnen points out, there is another possibility: reading metadata about your files, such as size and last-modified timestamp, or even their simple existence. While reportedly this is fixed in Android 7.0, it is unclear how many older devices will get the fix. Most likely, the answer is “few”.

App developers should not assume that file metadata is protected. In particular, do not generate internal storage filenames based on private identifiers. Arne Swinnen’s blog post points out that both Instagram and Facebook do this, and particularly in the case of Instagram, it is possible for a third-party app to find out the Instagram user ID through brute-force techniques.