jensstein / oandbackup

backup manager for android

any app can read the backups #244

Open TjrGithub opened 5 years ago

TjrGithub commented 5 years ago

Currently, oandbackup backs up to globally-readable storage. Any app can read the backups and leak internal data of other apps.

In an ideal world, only oandbackup and a syncing app (e.g. syncopoli) can read the backups. Perhaps oandbackup itself could be in charge of syncing.

Desktop Ubuntu's Duplicity can make backups automatically, incrementally, encrypted, off-site. Perhaps it can serve as inspiration (it is GPL, not MIT license).

fynngodau commented 5 years ago

I'll have to disagree. Ideally, backups are encrypted with GPG and therefore can't be leaked by any other app that does not have the key. If the backups were in the oandbackup data directory, they would disappear should oandbackup happen to be uninstalled.

TjrGithub commented 5 years ago

Oandbackup does have a menu entry for encryption, but it's grayed out and there is no documentation on how to get it going. Fixing that would also resolve this bug.

TjrGithub commented 5 years ago

Versions:

pbanj commented 5 years ago

You need OpenKeychain; you can get it on Android. It's pretty much the bog-standard app used for encryption stuff for FOSS apps.