Scoped Storage and the 'All Files Access' Trap

For years, Android users lived with a significant privacy vulnerability: the "Read External Storage" permission. Once granted, an app could see every photo, document, and download on your device, regardless of whether it actually needed them. Google attempted to fix this with a system called Scoped Storage, which forces apps to live in their own private sandboxes. However, a dangerous loophole remains. The all files access android permission allows specific apps to bypass these privacy fences, effectively returning your device to the wide-open state of 2018. If you have granted this to the wrong app, your entire digital life—from bank statements to private photos—is visible to that developer's servers.

I have spent the last week testing how Android 13, 14, and the latest Android 15 betas handle these requests across a Pixel 8, a Samsung Galaxy S24 running One UI 6.1, and a Xiaomi 14 with HyperOS. The results are concerning. Many apps, particularly third-party file managers, "cleaners," and backup tools, aggressively nudge users to enable the "Manage External Storage" toggle. In this guide, I will explain why this permission is a massive privacy risk, how to identify which apps are currently exploiting it, and how to use safer alternatives that respect your data boundaries without sacrificing functionality.

How scoped storage works

Scoped Storage was introduced as the default for apps targeting Android 10 and 11, and it became strictly enforced with Android 13. Before this, storage was treated like a single giant room where every app could see every other app's furniture. Scoped Storage changed this by giving every app its own "private locker." An app can read and write to its own folder without any special permission at all. If a photo editor wants to save a picture to your generic "Pictures" folder, it can do so, but it can only see the photos it created itself unless you explicitly pick others using the system file picker.

On modern versions of Android, specifically Android 14 and 15, this system has become even more granular. When an app asks for your photos, you no longer have to choose between "Yes" and "No." You can select "Select photos and videos," which allows you to grant access to only three specific images while keeping the rest of your gallery hidden. This is the gold standard for privacy. It ensures that a social media app cannot quietly scan your screenshots or sensitive documents in the background while you are merely trying to upload a profile picture. On Samsung Galaxy devices running One UI 6, this is integrated into the "Security and privacy" dashboard, making it easier to see which apps are currently "scoped" versus those with broader access.

The technical shift here is from "Storage Access" to "Media Access." On Android 13 and above, the old general storage permission has been split into three separate permissions: Images, Videos, and Audio. This means a music player no longer has any business requesting access to your photos. However, developers who find these restrictions too "limiting" often try to trick users into granting the all files access android permission, which is technically known in the system as MANAGE_EXTERNAL_STORAGE. This permission is intended only for very specific types of apps, like anti-virus scanners or full-system backup utilities, but it is frequently abused by lesser-known utility apps.

What 'All files access' really grants

When you toggle the switch for "All files access," you are essentially turning off the Scoped Storage privacy protections for that specific app. This is not a "Read Media" permission; it is a "Read and Write Everything" permission. This allows the app to view files in your Downloads folder, your Documents, your root directory, and even folders created by other apps that aren't specifically protected by the system. If you have a PDF of your passport in your "Travel" folder or a spreadsheet of passwords in "Downloads," an app with this permission can read and upload that data in milliseconds without you ever knowing.

Google has strict policies in the Play Store regarding this permission. Developers must prove that their app's core functionality is impossible without it. However, I have found that many apps on the Play Store—and especially those sideloaded from third-party sources—bypass these checks or use deceptive UI patterns to make you think the permission is required for basic tasks. On Xiaomi HyperOS, the system is particularly aggressive about "All files access," often burying the warning behind multiple confirmation screens, yet users often click through these out of habit. You must understand that this permission gives an app the same level of control over your files that a desktop OS like Windows or macOS gives to a program.

The danger is exacerbated on Android 14 and 15 because the system is designed to trust the "Manage External Storage" flag implicitly. While standard permissions might expire if an app isn't used for a few months, the "All files" access often persists indefinitely. On a Samsung device, you might see this listed under "Special access" in the settings. If an app has this power, it can also modify or delete your files. A malicious "cleaner" app could, in theory, hold your documents for ransom or quietly delete logs that would show it was communicating with a suspicious server. It is the single most powerful storage permission on your device.

Auditing which apps have it

It is vital to perform a manual audit of this permission at least once a month, as app updates can sometimes prompt you to enable it under the guise of "improving compatibility." The path to finding this setting varies slightly depending on your device's manufacturer. 1. For Pixel users on Android 14 or 15, go to Settings > Apps > Special app access > All files access. 2. For Samsung One UI 6 users, navigate to Settings > Apps > click the three-dot menu in the top right > Special access > All files access. 3. For Xiaomi HyperOS users, go to Settings > Apps > Permissions > Special app access > All files access.

Once you are in this menu, you will see a list of apps that have requested this high-level privilege. Any app with a toggle in the "On" position can see every file on your phone. In my testing, I found that even legitimate apps like WhatsApp or Spotify do not appear here—because they don't need to. They use Scoped Storage or the system file picker. If you see a calculator, a flashlight app, or a simple photo editor in this list, it is a massive red flag. Even popular third-party file managers like ES File Explorer (which was famously delisted for various issues) or newer "File Commander" style apps will be here. You should ask yourself if the utility of the app is worth the total lack of file privacy.

On Android 15, the "Private Space" feature adds another layer to this audit. Apps inside the Private Space have their own separate storage permissions. If you are using a Pixel or a device with Android 15, you must also check the "All files access" list within the Private Space settings to ensure that no hidden apps are vacuuming up data from your most sensitive vault. Remember that certain system apps, like "Media Storage" or the built-in "Files" app, will have this permission by default. These are generally safe as they are part of the core Android Open Source Project (AOSP) or provided by the manufacturer to facilitate basic phone functions.

Revoking and what breaks

Revoking the all files access android permission is as simple as flipping the toggle to "Off" in the menus mentioned above. However, doing so will change how the app functions. If you revoke access from a third-party file manager, it will likely become useless. It will show you an empty screen when you try to browse your "Documents" or "Downloads" because it no longer has the authority to "look" into those folders. If you revoke it from a backup app like Titanium Backup or certain cloud sync tools, the automated backup process will fail because the app cannot scan for new files to upload.

In most cases, revoking this permission will NOT crash the app. Instead, the next time you open the app, it will either show an error message or, more likely, trigger a new permission request. If you are using a photo editor and it asks for "All files access," try revoking it and see if the app still allows you to open photos via the system picker. Often, developers ask for the "All files" permission because it's easier for them to code, not because the app actually requires it. 1. Turn off the toggle. 2. Open the app and attempt to perform your usual tasks. 3. If the app asks for the permission again, look for a "No" or "Use system picker" option. 4. If the app refuses to work entirely, seek a privacy-conscious alternative.

For Samsung users, you might notice that some "Good Lock" modules or Samsung-specific utilities lose functionality when this is revoked. Samsung’s ecosystem is tightly integrated, and they often use these higher permissions to move files between "Secure Folder" and the main storage. If you find that revoking access breaks a critical workflow, consider whether you can move that workflow to the built-in Samsung "My Files" app, which already has the necessary permissions and is generally more trustworthy than a random third-party utility downloaded from the internet.

OEM file managers

One of the best ways to protect your privacy is to stop using third-party "File Manager" apps entirely. Your phone comes with a built-in manager that is granted all files access android by the system, meaning it doesn't need to "ask" for it in a way that risks your data being sent to a third party. On Pixel devices, this is the "Files by Google" app. It is clean, respects Scoped Storage, and includes a "Safe Folder" that is encrypted. Because it is a system app, its access is managed by the OS, and it doesn't have the same tracking SDKs that many free third-party apps include.

Samsung’s "My Files" app is arguably the most powerful OEM file manager. On One UI 6, it integrates perfectly with OneDrive and Google Drive, allowing you to manage cloud and local files in one place without granting "All files access" to dozens of different apps. Xiaomi's HyperOS "File Manager" is also feature-rich but comes with a caveat: it often includes advertisements. If you are using a Xiaomi device, I recommend going into the File Manager settings and disabling "Recommendations" and "Ads" to ensure that your file metadata isn't being used for ad-profiling, even if the file access itself is "official."

If the built-in app isn't powerful enough for you—for instance, if you need to access NAS drives or perform complex batch renaming—look for open-source alternatives on F-Droid, such as "Amaze" or "Material Files." These apps are transparent about their code. While they still require the "All files access" permission to function, you can be much more confident that they aren't scanning your documents for personal info to sell to data brokers. Always prefer an app that uses the modern "Storage Access Framework" (SAF) over one that demands full control over your storage hardware.

Safer file-sharing patterns

To keep your device secure, you should adopt the "Pull" rather than "Push" method for file access. Instead of giving an app permission to "Go and find my files" (which is what All Files Access does), you should use the system's built-in file picker to "send" a specific file to the app. When you use the system picker, the app only ever sees the one file you selected. This is the fundamental principle of Scoped Storage and is much safer for daily use. 1. When an app asks for storage permission, always select "Only this time" or "Select photos." 2. If an app opens its own custom file browser, look for a button that says "System Picker" or "Browse other files." 3. Move your most sensitive documents into the "System Hidden" or "Safe" folders provided by Google or Samsung, as these are often isolated even from apps with broad permissions.

Another tip for Android 14 and 15 users is to utilize the "Partial Media Access" feature. If you use a messaging app that hasn't been updated to the latest standards, Android will manually overlay a selection screen that lets you pick specific photos. Use this religiously. On my Samsung S24, I have found that even apps that claim they "need" full gallery access work perfectly fine if I only give them access to the five most recent photos. This limits the "blast radius" if that app is ever compromised or if the developer turns out to be untrustworthy.

Looking ahead to Android 16 and beyond, Google is expected to further restrict the "Manage External Storage" permission, likely moving it behind an even more hidden "Developer Options" style wall. The goal is a truly "stateless" storage system where no app has a persistent view of your entire file system. By auditing your "All files access" today and moving toward built-in OEM tools and the system file picker, you are future-proofing your privacy and ensuring that your personal data remains exactly where it belongs: under your exclusive control.