The application is declaring the allowBackup flag as true in the Android Manifest or is using the Android default value flag of true.
The Android backup feature can be used to expose device storage that would normally only be viewable by the app, known as private app storage.
This can allow an attacker to back up the application folder and recover private data.
Attacks against device storage typically require privilege escalation exploits.
Steps to Reproduce
Evaluate whether the allowBackup flag within the Android Manifest is set to false; if the attribute is absent, the Android default of true applies.
Business Impact
Allowing apps to be backed up can expose the application to reverse engineering attacks which can create security, privacy, and reputational risks.
In addition, enabling apps to be backed up can enable an unauthorized entity or attacker to gain access to sensitive information.
Remediation Resources
Recommended Fix
Unless app backups are absolutely necessary for the app to perform its functionality, always explicitly set the allowBackup flag to false in the Android Manifest.
For applications that do require specific files to be recoverable, it is possible to define backup rules and conditions in the manifest using these guidelines:
https://developer.android.com/guide/topics/data/autobackup#define-device-conditions
Code Samples
Bad Code Sample (.xml)
Good Code Sample 1 (.xml)
Good Code Sample 2 (.xml)
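As an added example (not the page's own code samples), a small Python check that evaluates the allowBackup posture of an AndroidManifest.xml the way the Steps to Reproduce describe: the four embedded manifests (bad, default-omitted, fixed, and scoped with backup rule files) are constructed here, and the package name is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests (package name is a placeholder).
MANIFEST_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <application android:label="Demo"{attrs}/>
</manifest>"""

BAD_MANIFEST = MANIFEST_TEMPLATE.format(attrs=' android:allowBackup="true"')
DEFAULT_MANIFEST = MANIFEST_TEMPLATE.format(attrs="")  # attribute omitted
GOOD_MANIFEST = MANIFEST_TEMPLATE.format(attrs=' android:allowBackup="false"')
SCOPED_MANIFEST = MANIFEST_TEMPLATE.format(
    attrs=' android:allowBackup="true"'
          ' android:fullBackupContent="@xml/backup_rules"'
          ' android:dataExtractionRules="@xml/data_extraction_rules"')


def backup_posture(manifest_xml: str) -> dict:
    """Return how <application> configures backups.

    allowBackup defaults to true when the attribute is absent, so a missing
    attribute is treated exactly like an explicit "true".
    """
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = app.get(f"{{{ANDROID_NS}}}allowBackup")
    allow_backup = True if raw is None else raw.strip().lower() == "true"
    # Rule files scope what a backup may contain: fullBackupContent for
    # Android 11 and earlier, dataExtractionRules for Android 12 and later.
    rules = [a for a in ("fullBackupContent", "dataExtractionRules")
             if app.get(f"{{{ANDROID_NS}}}{a}")]
    if not allow_backup:
        verdict = "ok"              # private storage is not backed up
    elif rules:
        verdict = "review-rules"    # backup allowed, but scoped by rule files
    else:
        verdict = "finding"         # whole private storage is exposed to backup
    return {"allow_backup": allow_backup, "explicit": raw is not None,
            "rules": rules, "verdict": verdict}


if __name__ == "__main__":
    for name, m in [("bad", BAD_MANIFEST), ("default", DEFAULT_MANIFEST),
                    ("good", GOOD_MANIFEST), ("scoped", SCOPED_MANIFEST)]:
        print(f"{name:8s} {backup_posture(m)}")
```

A "review-rules" verdict still needs a manual read of the referenced rule files to confirm that sensitive files are excluded.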
Additional Guidance
Risk and Regulatory Information
Severity: medium CVSS: 4.6
Application