I'm working on a library where I implement a FileProvider from Android Support and want to make it easy to allow the developer to share files from any of the external-path, external-cache-path, cache-path. If I provide the paths myself, the question is, do I create any security concerns if I declare sharing access to the root of each of these paths like this:
<?xml version="1.0" encoding="UTF-8" ?>
<paths>
    <external-path name="external_files" path="." />
    <cache-path name="internal_cache" path="." />
    <external-cache-path name="external_cache" path="." />
</paths>
I still need to call getUriForFile(..) to get the actual URI, right? Is it possible for someone to guess a filename from that path in the original content URI and then access it, or does getUriForFile do something special for granting access to that specific file?
getUriForFile() returns a secure Uri for accessing that one file only. The FileProvider grants access to a single file per Uri. What you have proposed is a secure way to allow apps to access your files.
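The per-file grant described in the answer, as an added example that is not part of the original post or of any library's own code: because the paths file exposes each root with `path="."`, this helper narrows what may be shared at call time and grants read access to one Uri only. The class name `ShareHelper`, the authority string and the `allowedDir` parameter are hypothetical.

```java
import android.content.ClipData;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.support.v4.content.FileProvider;

import java.io.File;
import java.io.IOException;

public final class ShareHelper {
    // Hypothetical authority; must match android:authorities on the <provider>
    // entry. FileProvider refuses to start unless that entry has
    // android:exported="false" and android:grantUriPermissions="true".
    private static final String AUTHORITY = "com.example.mylib.fileprovider";

    private ShareHelper() {}

    /** Builds a send intent that grants read access to exactly one file. */
    public static Intent buildShareIntent(Context ctx, File allowedDir, File file,
                                          String mimeType) throws IOException {
        // Resolve symlinks and ".." before deciding whether the file may be shared.
        File base = allowedDir.getCanonicalFile();
        File target = file.getCanonicalFile();
        boolean inside = target.getPath().startsWith(base.getPath() + File.separator);
        if (!inside || !target.isFile()) {
            throw new SecurityException("Refusing to share file outside " + base);
        }

        // Throws IllegalArgumentException if the file is not under a declared root.
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, target);

        Intent send = new Intent(Intent.ACTION_SEND);
        send.setType(mimeType);
        send.putExtra(Intent.EXTRA_STREAM, uri);
        // ClipData carries the grant to the receiver for EXTRA_STREAM Uris.
        send.setClipData(ClipData.newRawUri("", uri));
        // Temporary read grant for this Uri only; no write flag is added.
        send.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return send;
    }

    /** Withdraws any outstanding read grants once the share is finished. */
    public static void revoke(Context ctx, Uri uri) {
        ctx.revokeUriPermission(uri, Intent.FLAG_GRANT_READ_URI_PERMISSION);
    }
}
```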