First published at Nov/2020

File upload on Android mobile browser apps with no permissions

This is an issue that happens monstly on Android devices, I couldn't find strong content about it on the internet, so this article is an attempt to throw some light on the subject and start a conversation with the web community.

let's get started.

How to reproduce

Write a HTML page with an input type file like this:

<input type="file" accept="*" />

Now, on your Android device:

go to settings
applications (manage applications)
Find your Browser name
Go to Permissions
And uncheck all permissions
When you go back to your browser, and tab the input file, it is required to denie all the permissions and check the "Dont't ask again" button
The browser app might need to be closed and opened again

The problem

When an user interact with the input, it won't open the platform's native file picker interface. In fact, nothing changes, you can even detect rage click on the input file. The browser doesn't tell the user either there's missing permissions on the android platform level or a clear call to action to manage them.

Who is affected?

Everyone, it affects both Facebook's and Twitter's post picture to timeline functionality, TWAs, PWAs, Web Pages on Browsers, all kind of businesses that runs on a browser context on Android are affected by this issue, all major browsers Chrome Webview, Chrome, Firefox, Opera, MIUI, Samsung Browsers.

In my case, I discovered the issue working for an educational loan lead generation company, the application is used to send files like selfies, personal IDs, proof of residence address, scholar records, but none of this works for a fraction of our consumers.

We all know end users doesn't always understand fully the platform they are using, so we currently decided to display instructions on how to manage it's own permissions in a very limited way, and offering consumer support to allow them to send files from alternative channels, which became a process bottle neck

Notes

Permissions API

This API would be the perfect fit, but it doesn't have a keyword on the permissions registry section, then I couldn't not find a suitable keywork to test for device storage

The available ones on the Working Draft includes can be checked on this anchor link

Get User Media

It can give some indications if your use case relies on Camera (ex: input with accept image/jpge), but it is not strong enough if your case includes a PDF upload

The perfect solution

I believe the browser should be completely accountable to:

Notice there's an input type file that the interaction leads to nothing then;
Display a manage permissions screens with a button call to action that leads the user directly to the browser's app permission screen on Android devices
By the way, this solutions is what Whatsapp for Android does in the same scenarios when the app got all permissions denied.

This way, web authors could rest relaxed assured that the basic foundations of the web functionality stills works regardless of the browser app permission configurations on Android, and don't need to write extra code to check for trivial feature of web pages

A note about Outlook app on Android

By defaukt the custom in-app browser never open the file picker with input of type file.

The user must go to settings and enable "Use default browser" to be able to use file picker again.

edit Dec/2020