You might have heard that Google tossed out the next version of Android yesterday, and Jelly Bean is now official. We're poring through things to find what's new, what's good, and what's not. One thing we stumbled across got our attention, as it's related to app permissions and security. We've said before that external storage on a mobile device, by its very nature, is insecure. If you format it in a way that lets you apply the standard permission model, Windows computers (well over 90 percent of the computer market) can't read from it. Up until now, the default has been the same as on many other operating systems, and that is to let applications read what's stored on an SD card without anyone caring. This has led to several sky-is-falling moments where people suddenly realized that the wide-open model is, well, wide open.

The best way to fix things is to simply do away with external storage and all its security baggage, and Google has done that with their own devices as of late. But OEMs are going to do things differently, so in a "future release" applications will need explicit permission to read from external storage, much like they do for writing to storage now. Here's the relevant bit from G --
Provides protected read access to external storage. In Android 4.1 by default all applications still have read access. This will be changed in a future release to require that applications explicitly request read access using this permission. If your application already requests write access, it will automatically get read access as well. There is a new developer option to turn on read access restriction, for developers to test their applications against how Android will behave in the future.
So when (if) your phone gets updated to Jelly Bean, and you see the new setting in the developer options, you'll know what you're looking at and why.
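To see which apps would lose read access once the restriction is enforced, here is an added example (not code from Google or from the original article) that applies the rule quoted above to app manifests. It assumes each AndroidManifest.xml has already been decoded from the APK's binary format to plain-text XML; the package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
READ = "android.permission.READ_EXTERNAL_STORAGE"
WRITE = "android.permission.WRITE_EXTERNAL_STORAGE"

# Constructed sample manifests (hypothetical packages), already decoded to text XML.
SAMPLES = {
    "com.example.gallery": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.gallery">
      <uses-permission android:name="android.permission.INTERNET"/>
    </manifest>""",
    "com.example.camera": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.camera">
      <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    </manifest>""",
    "com.example.reader": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.reader">
      <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    </manifest>""",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    # For manifests pulled from untrusted APKs, use a hardened XML parser instead.
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def read_access(manifest_xml):
    """Return (default_4_1, enforced, reason) for external-storage reads."""
    perms = requested_permissions(manifest_xml)
    if READ in perms:
        return True, True, "requests READ_EXTERNAL_STORAGE"
    if WRITE in perms:
        return True, True, "requests write access, so read comes with it"
    # Android 4.1 default still allows the read; the enforced mode does not.
    return True, False, "no storage permission requested"


def audit(manifests):
    """Map package name -> read_access() result for each manifest."""
    return {pkg: read_access(xml) for pkg, xml in manifests.items()}


if __name__ == "__main__":
    for pkg, (default, enforced, reason) in audit(SAMPLES).items():
        print(f"{pkg}: 4.1 default={default} enforced={enforced} ({reason})")
```

An app that reports `enforced=False` reads the SD card today only because of the 4.1 default, and is the kind the new developer option is meant to flush out.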
More: Android 4.1 APIs