[MASWE-0004] Sensitive Data Not Excluded From Backup

[cpholguera]

Description

Create a new risk for "Sensitive Data Not Excluded From Backup (MASVS-STORAGE-2)" using the following information:

sensitive data can be excluded to prevent it from being backed up.

Create "risks/MASVS-STORAGE/2-***-****/data-not-excluded-backup/risk.md" including the following content:

---
title: Sensitive Data Not Excluded From Backup
alias: data-not-excluded-backup
platform: [android, ios]
profiles: [L1, L2, P]
mappings:
  masvs-v1: [MSTG-STORAGE-8]
  masvs-v2: [MASVS-STORAGE-2, MASVS-PRIVACY-1]
  mastg-v1: [MASTG-TEST-0058, MASTG-TEST-0009]

---

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections follow the guidelines from Writing MASTG Risks & Tests

Use at least the following references:

• https://developer.android.com/guide/topics/data/autobackup#include-exclude-android-11
• https://developer.android.com/guide/topics/data/autobackup#include-exclude-android-12

When creating the corresponding tests, use the following areas to guide you:

• android:fullBackupContent (Android 11-) or android:dataExtractionRules (Android 12+)
• iOS isExcludedFromBackup (iOS)
• cryptographic keys in backups (?)

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

• MASTG-TEST-0058 - Testing Backups for Sensitive Data (ios)
• MASTG-TEST-0009 - Testing Backups for Sensitive Data (android)

Acceptance Criteria

• [ ] The risk has been created in the correct directory (risks/MASVS-STORAGE/2-***-****/data-not-excluded-backup/risk.md)
• [ ] The risk content follows the guidelines
• [ ] At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
• [ ] The risk indicates the related MASTG v1 tests in its metadata.

[cpholguera]

@githubrlloyd

[titze]

I am not sure there is a reliable way to exclude files from backup on iOS. isExcludedFromBackup is only a hint of what can be excluded:

The isExcludedFromBackup resource value exists only to provide guidance to the system about which files and directories it can exclude; it’s not a mechanism to guarantee those items never appear in a backup or on a restored device.

https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup

If this is really the case, isn't the full risk already covered by #2544. Or should there really be a separate issue for this (@cpholguera)

[cpholguera]

NEW! Please review and include info and reference: https://developer.android.com/privacy-and-security/risks/backup-leaks