lcimeni / disney


NowSecure static analysis: Application Potentially Exposes Sensitive Data on Device Through App Backup #12

Open lcimeni opened 3 years ago

lcimeni commented 3 years ago

Summary

The application is declaring the allowBackup flag as true in the Android Manifest or is using the Android default value flag of true. The Android backup feature can be used to expose device storage that would normally only be viewable by the app, known as private app storage. This can allow an attacker to back up the application folder and recover private data. Attacks against device storage typically require privilege escalation exploits.

Recommendation

Unless app backups are absolutely necessary for the app to perform its functionality, always explicitly set the allowBackup flag to false in the Android Manifest. For applications that do require specific files to be recoverable, it is possible to define backup rules and conditions in the manifest using these guidelines: https://developer.android.com/guide/topics/data/autobackup#define-device-conditions

Risk and Regulatory Information

Severity: medium CVSS: 4.6

Application

See more detail in the NowSecure Report
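The check below is an added example for this issue, not NowSecure's or the project's code. It reads a decoded AndroidManifest.xml (as produced by `apktool d` or taken from the app's source tree) and reports whether the app is in the state the finding describes: `allowBackup` missing (Android defaults it to true), explicitly true with no scoping, scoped by `fullBackupContent`/`dataExtractionRules`, or explicitly false as recommended. The manifest strings are constructed samples; the package name and rule file names in them are placeholders, not values from this app.

```python
"""Assess the allowBackup exposure flagged in this issue on a decoded AndroidManifest.xml.

Added example, not the project's code. Sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def backup_status(manifest_xml):
    """Return how the manifest configures app data backup."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = _android_attr(app, "allowBackup")
    # Android treats a missing android:allowBackup as true, which is the
    # "default value flag of true" case in the finding.
    allow = True if raw is None else raw.strip().lower() == "true"
    return {
        "allow_backup": allow,
        "explicit": raw is not None,
        # Auto Backup include/exclude rules (API 23+).
        "full_backup_content": _android_attr(app, "fullBackupContent"),
        # Backup/transfer rules used on Android 12 (API 31) and later.
        "data_extraction_rules": _android_attr(app, "dataExtractionRules"),
    }


def assess(manifest_xml):
    """Return (verdict, reason): 'pass', 'review' or 'fail' for this finding."""
    s = backup_status(manifest_xml)
    if not s["allow_backup"]:
        return ("pass", "allowBackup is explicitly false")
    if s["full_backup_content"] or s["data_extraction_rules"]:
        return ("review", "backups enabled but scoped by rules; audit the rule files")
    if not s["explicit"]:
        return ("fail", "allowBackup not declared, Android default (true) applies")
    return ("fail", "allowBackup=true with no backup rules")


# Constructed samples (package name and rule resources are placeholders).
_HEAD = '<manifest xmlns:android="%s" package="com.example.placeholder">' % ANDROID_NS

MANIFEST_DEFAULT = _HEAD + "<application android:label=\"app\"/></manifest>"
MANIFEST_EXPLICIT_TRUE = _HEAD + '<application android:allowBackup="true"/></manifest>'
MANIFEST_SCOPED = _HEAD + (
    '<application android:allowBackup="true" '
    'android:fullBackupContent="@xml/backup_rules" '
    'android:dataExtractionRules="@xml/data_extraction_rules"/></manifest>'
)
# The recommended fix from the issue: set the flag to false explicitly.
MANIFEST_HARDENED = _HEAD + '<application android:allowBackup="false"/></manifest>'


if __name__ == "__main__":
    for name, xml in [
        ("default (flag absent)", MANIFEST_DEFAULT),
        ("allowBackup=true", MANIFEST_EXPLICIT_TRUE),
        ("allowBackup=true + rules", MANIFEST_SCOPED),
        ("allowBackup=false", MANIFEST_HARDENED),
    ]:
        verdict, reason = assess(xml)
        print("%-26s %-6s %s" % (name, verdict, reason))
```

Run it against the decoded manifest of the build under review to confirm the fix landed; a `review` verdict only means backups are scoped, so the referenced rule files still need to be read to confirm no private-storage paths are included.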