Application backup allowed

ID: java/android/backup-enabled
Kind: problem
Security severity: 7.5
Severity: recommendation
Precision: very-high
Tags:
- security
- external/cwe/cwe-312
Query suites:
- java-security-extended.qls
- java-security-and-quality.qls
Click to see the query in the CodeQL repository
In the Android manifest file, you can use the android:allowBackup attribute of the application element to control whether the application's data is included in automatic backups.
If your application handles any sensitive data, disable automatic backups so that an attacker cannot extract the data from a backup.
Recommendation
For Android applications that process sensitive data, set android:allowBackup to false in the manifest file.
Note: Since Android 6.0 (Marshmallow), automatic backups for applications are switched on by default.
Example
In the following two (bad) examples, the android:allowBackup setting is enabled:

<manifest ...>
    <!-- BAD: 'android:allowBackup' set to 'true' -->
    <application android:allowBackup="true">
        <activity ...>
        </activity>
    </application>
</manifest>

<manifest ...>
    <!-- BAD: no 'android:allowBackup' set, defaults to 'true' -->
    <application>
        <activity ...>
        </activity>
    </application>
</manifest>
In the following (good) example, android:allowBackup is set to false:

<manifest ...>
    <!-- GOOD: 'android:allowBackup' set to 'false' -->
    <application android:allowBackup="false">
        <activity ...>
        </activity>
    </application>
</manifest>
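The following Python script is an added example, not part of the CodeQL query or its documentation. It applies the same rule the query expresses to raw AndroidManifest.xml text: an explicit "true" and a missing attribute are both reported, because the platform default is true, while "false" passes. It assumes the manifest declares the standard android namespace (which real manifests do) and, as an assumption of this helper, treats a resource reference such as "@bool/..." as undecidable rather than resolving it from res/values. The three sample manifests are constructed inline to mirror the cases above.

```python
import xml.etree.ElementTree as ET

# Namespace that AndroidManifest.xml declares for android:* attributes.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP_ATTR = "{%s}allowBackup" % ANDROID_NS


def check_allow_backup(manifest_xml: str) -> str:
    """Classify the backup setting of one AndroidManifest.xml document.

    Returns one of:
      "bad-explicit"        android:allowBackup="true"
      "bad-default"         attribute absent; the platform default (true) applies
      "good"                android:allowBackup="false"
      "unresolved-resource" value is a resource reference such as "@bool/..."
                            (assumption: this helper does not load res/values,
                            so it reports the case instead of guessing)
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is <%s>, expected <manifest>" % root.tag)
    application = root.find("application")
    if application is None:
        raise ValueError("manifest has no <application> element")

    value = application.get(ALLOW_BACKUP_ATTR)
    if value is None:
        return "bad-default"
    value = value.strip()
    if value.startswith("@"):
        return "unresolved-resource"
    if value.lower() == "true":
        return "bad-explicit"
    if value.lower() == "false":
        return "good"
    raise ValueError("unexpected android:allowBackup value: %r" % value)


def find_backup_issues(manifests):
    """Run the check over {name: manifest_xml} and return (name, message)
    findings for every manifest where backups are enabled or default to on."""
    messages = {
        "bad-explicit": "android:allowBackup is set to 'true'",
        "bad-default": "android:allowBackup is not set; Android defaults it to 'true'",
    }
    findings = []
    for name, xml_text in manifests.items():
        verdict = check_allow_backup(xml_text)
        if verdict in messages:
            findings.append((name, messages[verdict]))
    return findings


# Constructed sample manifests (hypothetical package name, not a real app).
_HEAD = '<manifest xmlns:android="%s" package="com.example.demo">' % ANDROID_NS

BAD_EXPLICIT = _HEAD + '''
    <application android:allowBackup="true">
        <activity android:name=".MainActivity"></activity>
    </application>
</manifest>'''

BAD_DEFAULT = _HEAD + '''
    <application>
        <activity android:name=".MainActivity"></activity>
    </application>
</manifest>'''

GOOD = _HEAD + '''
    <application android:allowBackup="false">
        <activity android:name=".MainActivity"></activity>
    </application>
</manifest>'''

SAMPLE_MANIFESTS = {
    "app-a/AndroidManifest.xml": BAD_EXPLICIT,
    "app-b/AndroidManifest.xml": BAD_DEFAULT,
    "app-c/AndroidManifest.xml": GOOD,
}

if __name__ == "__main__":
    for path, message in find_backup_issues(SAMPLE_MANIFESTS):
        print("%s: %s" % (path, message))
```

Run as-is it reports app-a and app-b and stays silent on app-c; point find_backup_issues at manifests read from a source tree to reuse it. Reporting the missing attribute as a finding, rather than only the explicit "true", is the part that a naive grep for allowBackup="true" misses.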
References
Android Documentation: Back up user data with Auto Backup
OWASP Mobile Security Testing Guide: Android Backups
Common Weakness Enumeration: CWE-312.