Using the Capacitor Camera plugin requires the READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE permissions on Android. Granting these two permissions raises a HIGH risk vulnerability issue when static analysis is done as part of the Cloud Application Security Assessment (CASA) required by Google.
Note from bard.google.com:
The READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE permissions are considered a security risk because they give apps access to all files on a user’s device, including personal photos, videos, and documents. This can be exploited by malicious apps to steal sensitive data, install malware, or even damage the device.
Google suggested using scoped storage, but there seems to be no plugin that supports it.
What else can be done in this regard? Any help & advice is highly appreciated.
That’s incorrect: the permission is needed in some Android versions, totally harmless in other Android versions, and even has no effect at all in some Android versions.
If you want a more fine-grained permission declaration, you can check the second block on Camera Capacitor Plugin API | Capacitor Documentation.
@julio-ionic Thank you for your response. I am using Ionic 6 (capacitor/camera v4.1.3) with targetSdkVersion set to API level 33. With this configuration, the Camera plugin does not work without me granting these two permissions (READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE). Now, the Camera plugin has always required these permissions, as far as I understand it. I may be incorrect. If I also add maxSdkVersion (from the second block of the documentation), I get the same high risk vulnerability flag. I am trying to address this high risk situation, which would not go away even if I went for a fine-grained permission declaration, as you suggested.
To properly target SDK 33, you have to update to Capacitor 5 and the Camera plugin to the latest 5.x version; then you can benefit from those permission changes.
@julio-ionic Hmm… I will update the project to Capacitor 5 and the Camera plugin to 5.x and see how that goes. Appreciate your help. Thanks a ton.
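As an added example (not code from the thread or from the Capacitor project), here is a small static check of an AndroidManifest.xml for the broad storage permissions discussed above, contrasting the unbounded declaration with the fine-grained form (maxSdkVersion plus the API 33 READ_MEDIA_IMAGES permission) that the second reply points to. The cut-off values are assumptions, not a rule taken from the thread or from Google's CASA checks, and the poster reports that their scanner still flagged the bounded form.

```python
"""Flag storage permissions that are not bounded by an acceptable maxSdkVersion."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed cut-offs (not from the thread): READ_EXTERNAL_STORAGE is replaced by the
# granular READ_MEDIA_* permissions from API 33, so it should end at 32; broad
# WRITE_EXTERNAL_STORAGE stops having an effect after API 29 under scoped storage.
CUTOFF = {
    "android.permission.READ_EXTERNAL_STORAGE": 32,
    "android.permission.WRITE_EXTERNAL_STORAGE": 29,
}


def storage_permission_findings(manifest_xml: str) -> list[str]:
    """Return one message per storage permission that applies more broadly than CUTOFF allows."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name not in CUTOFF:
            continue
        max_sdk = elem.get(f"{{{ANDROID_NS}}}maxSdkVersion")
        if max_sdk is None:
            findings.append(f"{name}: no maxSdkVersion, requested on every Android version")
        elif int(max_sdk) > CUTOFF[name]:
            findings.append(f"{name}: maxSdkVersion={max_sdk} exceeds assumed cut-off {CUTOFF[name]}")
    return findings


# Constructed manifests for illustration: the broad form, then the fine-grained form.
BROAD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
</manifest>"""

SCOPED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="32" />
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="29" />
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("broad", BROAD), ("scoped", SCOPED)):
        print(label, storage_permission_findings(xml) or "no findings")
```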