Backup mode enabled
Description
Backup mode is a feature in Android that allows users to back up and restore data and settings from one device to
another. By default, Android performs a full backup of applications, including the private files stored on the /data
partition. When backup mode is enabled on an Android device, the Backup Manager Service will periodically upload
data and settings to the user's Google Drive account, such as app data, Wi-Fi passwords, and other settings. This data
can then be restored to the same device, or a different device if the user signs in to the same Google account.
Here are some key features of the Backup Manager Service in Android:
- Automatic backup: The Backup Manager Service automatically backs up app data at regular intervals, typically once a day. It can also trigger backups when specific events occur, such as when a device is connected to a power source or when the user manually initiates a backup.
- Incremental backups: The Backup Manager Service performs incremental backups, meaning it only backs up data that has changed since the last backup. This helps reduce the backup size and speed up the backup process.
- Encrypted backups: Backups created by the Backup Manager Service are encrypted with a key unique to each user's device, ensuring that only the user or someone with their Google account credentials can access the backup data.
- App-specific backups: The Backup Manager Service allows apps to specify which data should be backed up and which data should be excluded from backups. This can help reduce the size of backups and ensure that sensitive data is not included.
- Restore functionality: The Backup Manager Service also provides a restore functionality that allows users to restore their app data to a new or factory-reset device, or to restore data to an existing device after an app has been uninstalled and reinstalled.
Recommendation
In your app manifest file, set the attribute android:allowBackup to enable or disable backup. The default value is
true, but to make your intentions clear, it is recommended to explicitly set the attribute in the application's manifest
as shown below:
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <!-- Backup explicitly enabled -->
    <application android:allowBackup="true">
    </application>
</manifest>
If the application contains sensitive data that you don't want to be backed up or restored, you can disable backup mode
by setting the attribute android:allowBackup to false as shown below:
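<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <!-- Backup disabled: app data is excluded from backup and restore -->
    <application android:allowBackup="false">
    </application>
</manifest>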
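The following check is an added example, not part of the original page or of any Android tooling: it reads a decoded, plain-text AndroidManifest.xml and reports the effective android:allowBackup state, covering the unset (default true), explicit, and resource-reference cases. The function name, the sample manifests, and the lookup of the fullBackupContent and dataExtractionRules attributes are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Real manifest attributes that narrow what gets backed up (not named on the page).
RULE_ATTRS = ("fullBackupContent", "dataExtractionRules")


def audit_backup(manifest_xml: str) -> dict:
    """Report the effective android:allowBackup state of a decoded manifest."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return {"explicit": False, "effective": None, "rules": [], "finding": "no <application> element"}
    raw = app.get(f"{{{ANDROID_NS}}}allowBackup")
    rules = [a for a in RULE_ATTRS if app.get(f"{{{ANDROID_NS}}}{a}") is not None]
    if raw is None:
        effective = True  # attribute absent: the default value (true) applies
    elif raw.strip().lower() in ("true", "false"):
        effective = raw.strip().lower() == "true"
    else:
        effective = None  # e.g. "@bool/..." resource reference, not resolvable here
    if effective is None:
        finding = "allowBackup is a resource reference; resolve it in res/values"
    elif not effective:
        finding = "backup disabled"
    elif rules:
        finding = "backup enabled; review the include/exclude rules"
    else:
        finding = "backup enabled for all app data"
    if raw is None:
        finding += " (attribute not set, default applies)"
    return {"explicit": raw is not None, "effective": effective, "rules": rules, "finding": finding}


# Constructed sample manifests, not taken from any real app.
_HEAD = f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
SAMPLES = {
    "implicit": _HEAD + "<application/></manifest>",
    "enabled": _HEAD + '<application android:allowBackup="true"/></manifest>',
    "scoped": _HEAD + '<application android:allowBackup="true" android:fullBackupContent="@xml/backup_rules"/></manifest>',
    "disabled": _HEAD + '<application android:allowBackup="false"/></manifest>',
    "reference": _HEAD + '<application android:allowBackup="@bool/allow_backup"/></manifest>',
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:10} {audit_backup(xml)['finding']}")
```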
Links
- Random Musings on the M Developer Preview: the Ugly (Part Two)
- DRD22. Do not cache sensitive information
Standards
- OWASP_MASVS_L1:
  - MSTG_STORAGE_6
- OWASP_MASVS_L2:
  - MSTG_STORAGE_6
- PCI_STANDARDS:
  - REQ_6_2
- OWASP_MASVS_v2_1:
  - MASVS_STORAGE_2