diff --git a/android/app/src/com/android/bluetooth/btservice/BondStateMachine.java b/android/app/src/com/android/bluetooth/btservice/BondStateMachine.java
index 71b4d8d4e71a6be88a217404a7b02585c26a3664..caf20b44e3fe0e4d6b2bbc57f80b2bf6e8993672 100644
--- a/android/app/src/com/android/bluetooth/btservice/BondStateMachine.java
+++ b/android/app/src/com/android/bluetooth/btservice/BondStateMachine.java
@@ -567,6 +567,14 @@ final class BondStateMachine extends StateMachine {
         }
 
         mAdapterService.handleBondStateChanged(device, oldState, newState);
+
+        if (newState == BluetoothDevice.BOND_NONE) {
+            // Remove the permissions for unbonded devices
+            mAdapterService.setMessageAccessPermission(device, BluetoothDevice.ACCESS_UNKNOWN);
+            mAdapterService.setPhonebookAccessPermission(device, BluetoothDevice.ACCESS_UNKNOWN);
+            mAdapterService.setSimAccessPermission(device, BluetoothDevice.ACCESS_UNKNOWN);
+        }
+
         Intent intent = new Intent(BluetoothDevice.ACTION_BOND_STATE_CHANGED);
         intent.putExtra(BluetoothDevice.EXTRA_DEVICE, device);
         intent.putExtra(BluetoothDevice.EXTRA_BOND_STATE, newState);
diff --git a/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java b/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
index d71e69910c439c2bb234f0d896eaf6fe47aa9cf6..8b0958171aa5223b9bc2e35d63fae2923ca6e4a4 100644
--- a/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
+++ b/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
@@ -32,6 +32,8 @@
 
 package com.android.bluetooth.opp;
 
+import static android.os.UserHandle.myUserId;
+
 import android.bluetooth.BluetoothProfile;
 import android.bluetooth.BluetoothProtoEnums;
 import android.content.ContentResolver;
@@ -41,6 +43,7 @@ import android.database.Cursor;
 import android.database.sqlite.SQLiteException;
 import android.net.Uri;
 import android.provider.OpenableColumns;
+import android.text.TextUtils;
 import android.util.EventLog;
 import android.util.Log;
 
@@ -53,6 +56,7 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.util.Objects;
 
 /**
  * This class stores information about a single sending file It will only be used for outbound
@@ -127,6 +131,11 @@ public class BluetoothOppSendFileInfo {
                 return SEND_FILE_INFO_ERROR;
             }
 
+            if (isContentUriForOtherUser(uri)) {
+                Log.e(TAG, "Uri: " + uri + " is invalid for user " + myUserId());
+                return SEND_FILE_INFO_ERROR;
+            }
+
             contentType = contentResolver.getType(uri);
             Cursor metadataCursor;
             try {
@@ -337,6 +346,12 @@ public class BluetoothOppSendFileInfo {
         return new BluetoothOppSendFileInfo(fileName, contentType, length, is, 0);
     }
 
+    private static boolean isContentUriForOtherUser(Uri uri) {
+        String uriUserId = uri.getUserInfo();
+        return !TextUtils.isEmpty(uriUserId)
+                && !Objects.equals(uriUserId, String.valueOf(myUserId()));
+    }
+
     private static long getStreamSize(FileInputStream is) throws IOException {
         long length = 0;
         byte[] unused = new byte[4096];
diff --git a/android/app/tests/unit/src/com/android/bluetooth/opp/BluetoothOppSendFileInfoTest.java b/android/app/tests/unit/src/com/android/bluetooth/opp/BluetoothOppSendFileInfoTest.java
index de7de37b5d32019e823c787f9331421e7e587b0b..acb58272fbb0f4dd80951731a43aeae054fb61fa 100644
--- a/android/app/tests/unit/src/com/android/bluetooth/opp/BluetoothOppSendFileInfoTest.java
+++ b/android/app/tests/unit/src/com/android/bluetooth/opp/BluetoothOppSendFileInfoTest.java
@@ -17,6 +17,8 @@
 
 package com.android.bluetooth.opp;
 
+import static android.os.UserHandle.myUserId;
+
 import static com.google.common.truth.Truth.assertThat;
 
 import static org.mockito.ArgumentMatchers.any;
@@ -119,6 +121,110 @@ public class BluetoothOppSendFileInfoTest {
         assertThat(info).isEqualTo(BluetoothOppSendFileInfo.SEND_FILE_INFO_ERROR);
     }
 
+    @Test
+    public void generateFileInfo_withContentUriForOtherUser_returnsSendFileInfoError()
+            throws Exception {
+        String type = "image/jpeg";
+        Uri uri = buildContentUriWithEncodedAuthority((myUserId() + 1) + "@media");
+
+        long fileLength = 1000;
+        String fileName = "pic.jpg";
+
+        FileInputStream fs = mock(FileInputStream.class);
+        AssetFileDescriptor fd = mock(AssetFileDescriptor.class);
+        doReturn(fileLength).when(fd).getLength();
+        doReturn(fs).when(fd).createInputStream();
+
+        doReturn(fd).when(mCallProxy).contentResolverOpenAssetFileDescriptor(any(), eq(uri), any());
+
+        mCursor =
+                new MatrixCursor(new String[] {OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE});
+        mCursor.addRow(new Object[] {fileName, fileLength});
+
+        doReturn(mCursor)
+                .when(mCallProxy)
+                .contentResolverQuery(any(), eq(uri), any(), any(), any(), any());
+
+        BluetoothOppSendFileInfo info =
+                BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, type, true);
+
+        assertThat(info).isEqualTo(BluetoothOppSendFileInfo.SEND_FILE_INFO_ERROR);
+    }
+
+    @Test
+    public void generateFileInfo_withContentUriForImplicitUser_returnsInfoWithCorrectLength()
+            throws Exception {
+        String type = "image/jpeg";
+        Uri uri = buildContentUriWithEncodedAuthority("media");
+
+        long fileLength = 1000;
+        String fileName = "pic.jpg";
+
+        FileInputStream fs = mock(FileInputStream.class);
+        AssetFileDescriptor fd = mock(AssetFileDescriptor.class);
+        doReturn(fileLength).when(fd).getLength();
+        doReturn(fs).when(fd).createInputStream();
+
+        doReturn(fd).when(mCallProxy).contentResolverOpenAssetFileDescriptor(any(), eq(uri), any());
+
+        mCursor =
+                new MatrixCursor(new String[] {OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE});
+        mCursor.addRow(new Object[] {fileName, fileLength});
+
+        doReturn(mCursor)
+                .when(mCallProxy)
+                .contentResolverQuery(any(), eq(uri), any(), any(), any(), any());
+
+        BluetoothOppSendFileInfo info =
+                BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, type, true);
+
+        assertThat(info.mInputStream).isEqualTo(fs);
+        assertThat(info.mFileName).isEqualTo(fileName);
+        assertThat(info.mLength).isEqualTo(fileLength);
+        assertThat(info.mStatus).isEqualTo(0);
+    }
+
+    @Test
+    public void generateFileInfo_withContentUriForSameUser_returnsInfoWithCorrectLength()
+            throws Exception {
+        String type = "image/jpeg";
+        Uri uri = buildContentUriWithEncodedAuthority(myUserId() + "@media");
+
+        long fileLength = 1000;
+        String fileName = "pic.jpg";
+
+        FileInputStream fs = mock(FileInputStream.class);
+        AssetFileDescriptor fd = mock(AssetFileDescriptor.class);
+        doReturn(fileLength).when(fd).getLength();
+        doReturn(fs).when(fd).createInputStream();
+
+        doReturn(fd).when(mCallProxy).contentResolverOpenAssetFileDescriptor(any(), eq(uri), any());
+
+        mCursor =
+                new MatrixCursor(new String[] {OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE});
+        mCursor.addRow(new Object[] {fileName, fileLength});
+
+        doReturn(mCursor)
+                .when(mCallProxy)
+                .contentResolverQuery(any(), eq(uri), any(), any(), any(), any());
+
+        BluetoothOppSendFileInfo info =
+                BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, type, true);
+
+        assertThat(info.mInputStream).isEqualTo(fs);
+        assertThat(info.mFileName).isEqualTo(fileName);
+        assertThat(info.mLength).isEqualTo(fileLength);
+        assertThat(info.mStatus).isEqualTo(0);
+    }
+
+    private static Uri buildContentUriWithEncodedAuthority(String authority) {
+        return new Uri.Builder()
+                .scheme("content")
+                .encodedAuthority(authority)
+                .path("external/images/media/1")
+                .build();
+    }
+
     @Test
     public void generateFileInfo_withoutPermissionForAccessingUri_returnsSendFileInfoError() {
         String type = "text/plain";