Nextcloud Critiques Android’s File Access Limits as Gatekeeping

Background: Nextcloud vs. Google Play’s Storage Policies

Nextcloud is an open-source, self-hosted cloud platform that provides file storage, collaborative editing, and video conferencing akin to Google Workspace or Microsoft 365. Since launching its Android client in 2016, it relied on broad filesystem read-write permissions to sync all file types between user devices and self-managed servers. However, Android 11’s introduction of Scoped Storage (API level 30) significantly reshaped how apps access external storage, aiming to bolster user privacy by isolating apps’ data footprints.

Nextcloud claims that in September 2024, Google abruptly rejected its request to escalate its MANAGE_EXTERNAL_STORAGE permission—often referred to as “All files access”—forcing the app to drop non-media file uploads. According to a May 2025 blog post from Nextcloud’s team, “To make it crystal clear: All of you as users have a worse Nextcloud Files client because Google wanted that. We understand and share your frustration, but there is nothing we can do.”

Technical Deep Dive: Android Scoped Storage and the Storage Access Framework

Android’s Scoped Storage model restricts apps’ direct access to external directories and emphasises user-mediated file selection. Key components include:

• MANAGE_EXTERNAL_STORAGE: Also known as the “All files access” permission, it grants broad filesystem access via direct file path APIs like java.io.File and NIO.2, but is tightly gated by Google Play review.
• Storage Access Framework (SAF): A user-centric API using intents (e.g., ACTION_OPEN_DOCUMENT and ACTION_CREATE_DOCUMENT) to grant apps URI-based access to specific files or folders, with persisted URI permissions.
• MediaStore API: Provides scoped read-write access to shared media collections (images, audio, video) without full filesystem traversal privileges.

Nextcloud’s original implementation used raw filesystem calls to detect, index, and sync any file type. Under Scoped Storage, it must now rely exclusively on SAF flows for non-media files, which cannot be automated in background sync operations without user intervention.

Recent Developments in Android 14 and 15 Policies

In Q1 2025, Android 14’s Quarterly Platform Release (QPR1) clarified that only Google’s first-party apps and a handful of privileged partners qualify for MANAGE_EXTERNAL_STORAGE. Android 15 Developer Preview 2, released May 2025, further narrowed exemptions by requiring an annual CASA (Controlled Access Storage Assessment) for third-party apps to justify filesystem access beyond media.

This policy shift aligns with Google’s broader security posture—sandboxing, file-based encryption, and per-user file isolation—to mitigate malware and data exfiltration risks but severely constrains file-centric apps like Nextcloud, iA Writer, and Syncthing.

Implications for the Open Source Ecosystem

Industry experts warn that these restrictions may do more harm than good. Simon Phipps, open-source advocate and former OSI president, notes, “By locking down file APIs, Google undermines the flexibility that makes Android an open platform. Developers are forced into cumbersome SAF patterns or sideloading.”

Smaller vendors, unable to navigate Google’s rigorous permission assessments or pay for dedicated Android Enterprise support, face an uneven playing field, reinforcing concerns of “Big Tech gatekeeping.”

Expert Opinions and Antitrust Considerations

Mark Cox, a cybersecurity researcher at NCC Group, argues that “These policies could raise antitrust red flags, especially in the EU under the Digital Markets Act. If Google restricts rivals’ abilities to deliver core functionalities on Android, it crosses into anti-competitive territory.”

Nextcloud has already filed complaints against Microsoft’s bundling of Teams and OneDrive in 2021, and is lodging similar concerns with EU regulators about Google’s Play Store policies.

Workarounds and F-Droid Side-loading

Users can bypass Google Play constraints by installing Nextcloud’s client from F-Droid, the open-source Android app repository. When side-loaded with the MANAGE_EXTERNAL_STORAGE permission granted via adb or custom ROMs, the app regains full sync capabilities. However, this approach excludes non-technical users and voids Google Play updates.

Future-Proofing Through Community and Standards

Nextcloud is exploring alternative synchronization protocols, such as implementing delta sync over WebDAV and GraphQL, to work within SAF’s boundaries. The community-driven Syncthing project continues to thrive with LAN-based peer-to-peer sync, sidestepping Play Store restrictions entirely.

Open source advocates are calling for standardized federated file APIs in Android—akin to Matrix for messaging—to provide secure, user-approved file access without compromising platform integrity.

Conclusion: Balancing Security and Openness

Google’s tightened storage model underscores an essential tension: protecting user privacy and security versus preserving platform openness. For Nextcloud and other file-centric apps, the battleground is clear. As Android evolves, developers, regulators, and users must collaborate to ensure that sandboxing doesn’t become strangulation.