CodeQL documentation

Application backup allowed

ID: java/android/backup-enabled
Kind: problem
Security severity: 7.5
Severity: recommendation
Precision: very-high
Tags:
   - security
   - external/cwe/cwe-312
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls


In the Android manifest file, you can use the android:allowBackup attribute of the application element to define whether the application will have automatic backups or not.

If your application uses any sensitive data, you should disable automatic backups to prevent attackers from extracting it.

Recommendation

For Android applications which process sensitive data, set android:allowBackup to false in the manifest file.

Note: Since Android 6.0 (Marshmallow), automatic backups for applications are switched on by default.

Example

In the following two (bad) examples, the android:allowBackup setting is enabled:

<manifest ... >
    <!-- BAD: 'android:allowBackup' set to 'true' -->
    <application
        android:allowBackup="true">
        <activity ... >
        </activity>
    </application>
</manifest>

<manifest ... >
    <!-- BAD: no 'android:allowBackup' set, defaults to 'true' -->
    <application>
        <activity ... >
        </activity>
    </application>
</manifest>

In the following (good) example, android:allowBackup is set to false:

<manifest ... >
    <!-- GOOD: 'android:allowBackup' set to 'false' -->
    <application
        android:allowBackup="false">
        <activity ... >
        </activity>
    </application>
</manifest>
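As an added example (not part of the CodeQL query or its documentation), the check below parses a manifest with the standard library and reports both failure modes described above: android:allowBackup explicitly "true", and the attribute absent so the default applies. The package name and activity name in the constructed sample manifests are placeholders.

```python
"""Flag the android:allowBackup misconfiguration in an AndroidManifest.xml.
Added example for this page; not the CodeQL query's own implementation."""
import xml.etree.ElementTree as ET

# The android: prefix resolves to this namespace URI in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = f"{{{ANDROID_NS}}}allowBackup"  # Clark notation: {ns}local


def check_allow_backup(manifest_xml: str) -> list[str]:
    """Return a list of findings; empty when allowBackup is explicitly false."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")  # <application> has no namespace
    if application is None:
        return ["no <application> element found"]
    value = application.get(ALLOW_BACKUP)
    if value is None:
        # Case 2 on the page: attribute missing, platform default is true.
        return ["android:allowBackup not set; defaults to true (backups allowed)"]
    normalized = value.strip().lower()
    if normalized == "true":
        # Case 1 on the page: backups explicitly enabled.
        return ["android:allowBackup explicitly set to true"]
    if normalized == "false":
        return []
    return [f"android:allowBackup has unexpected value {value!r}"]


# Constructed sample manifests mirroring the three cases shown on the page
# (package and activity names are placeholders, not from the page).
BAD_EXPLICIT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application android:allowBackup="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""
BAD_DEFAULT = BAD_EXPLICIT.replace(' android:allowBackup="true"', "")
GOOD = BAD_EXPLICIT.replace('android:allowBackup="true"', 'android:allowBackup="false"')

if __name__ == "__main__":
    for label, xml in (("explicit true", BAD_EXPLICIT),
                       ("attribute absent", BAD_DEFAULT),
                       ("explicit false", GOOD)):
        print(f"{label}: {check_allow_backup(xml) or ['OK']}")
```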
