edwindwalker / edwinwalker

Personal site

NowSecure static analysis: Application Potentially Exposes Sensitive Data on Device Through App Backup #4

Closed edwindwalker closed 4 months ago

edwindwalker commented 3 years ago

Finding Description

The application is declaring the allowBackup flag as true in the Android Manifest or is using the Android default value flag of true. The Android backup feature can be used to expose device storage that would normally only be viewable by the app, known as private app storage. This can allow an attacker to back up the application folder and recover private data. Attacks against device storage typically require privilege escalation exploits.

Steps to Reproduce

Evaluate whether the allowBackup flag within the Android Manifest is set to False.

Business Impact

Allowing apps to be backed up can expose the application to reverse engineering attacks which can create security, privacy, and reputational risks. In addition, enabling apps to be backed up can enable an unauthorized entity or attacker to gain access to sensitive information.

Remediation Resources

Recommended Fix

Unless app backups are absolutely necessary for the app to perform its functionality, always explicitly set the allowBackup flag to false in the Android Manifest. For applications that do require specific files to be recoverable, it is possible to define backup rules and conditions in the manifest using these guidelines: https://developer.android.com/guide/topics/data/autobackup#define-device-conditions

Code Samples

Bad Code Sample (.xml)

<manifest ... >
...
<application android:allowBackup="true" ... >
...
</application>
</manifest>

Good Code Sample 1 (.xml)

<manifest ... >
...
<application android:allowBackup="false" ... >
...
</application>
</manifest>

Good Code Sample 2 (.xml)

<application ...
    android:allowBackup="true"
    android:fullBackupContent="@xml/my_backup_rules"... >
</application>

my_backup_rules.xml

<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <include domain="sharedpref" path="."/>
    <exclude domain="sharedpref" path="device.xml"/>
</full-backup-content>

Additional Guidance

Risk and Regulatory Information

Severity: medium CVSS: 4.6

Application

See more detail in the NowSecure Report
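
One way to run the "Steps to Reproduce" check against a source-form AndroidManifest.xml, including the case where the attribute is absent and the default applies. This is an added example, not part of the original issue or of NowSecure's tooling; the function name, status labels and sample manifests are constructed for illustration, and it treats backup with a fullBackupContent rules file as acceptable, following Good Code Sample 2.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def audit_allow_backup(manifest_xml: str) -> dict:
    """Classify the <application> backup setting of a text-form manifest."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return {"status": "no-application", "rules": None, "finding": False}
    raw = app.get(f"{{{ANDROID_NS}}}allowBackup")
    rules = app.get(f"{{{ANDROID_NS}}}fullBackupContent")
    if raw is None:
        # Attribute absent: per the finding text, the Android default is true.
        status, enabled = "default-true", True
    elif raw.strip().lower() == "true":
        status, enabled = "explicit-true", True
    elif raw.strip().lower() == "false":
        status, enabled = "explicit-false", False
    else:
        # A resource reference cannot be resolved from the manifest alone,
        # so it is reported as enabled and left for manual review.
        status, enabled = "unresolved", True
    # Backup enabled with no rules file leaves all private storage eligible.
    return {"status": status, "rules": rules, "finding": enabled and rules is None}

# Constructed sample manifests (hypothetical package name, valid XML versions
# of the issue's code samples plus the default case).
_HEAD = f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
SAMPLES = {
    "bad": _HEAD + '<application android:allowBackup="true"/></manifest>',
    "default": _HEAD + '<application android:label="x"/></manifest>',
    "good1": _HEAD + '<application android:allowBackup="false"/></manifest>',
    "good2": _HEAD + '<application android:allowBackup="True" '
             'android:fullBackupContent="@xml/my_backup_rules"/></manifest>',
}

def audit_samples() -> dict:
    """Run the audit over every constructed sample, keyed by sample name."""
    return {name: audit_allow_backup(xml) for name, xml in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(name, result)
```
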