codeql/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp at 53cb30dcd00a7f7a1d32f2694781ecc598b8a9af · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<!DOCTYPE qhelp PUBLIC
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
<qhelp>
<overview>
<p>In the Android manifest file, you can use the <code>android:allowBackup</code> attribute of the <code>application</code> element to define whether the
application will have automatic backups or not.</p>

<p>If your application uses any sensitive data, you should disable automatic backups to prevent attackers from extracting it.</p>
</overview>

<recommendation>
<p>For Android applications which process sensitive data, set <code>android:allowBackup</code> to <code>false</code> in the manifest
file.</p>

<p>Note: Since Android 6.0 (Marshmallow), automatic backups for applications are switched on by default.
</p>
</recommendation>

<example>

<p>In the following two (bad) examples, the <code>android:allowBackup</code> setting is enabled:</p>

<sample src="AllowBackupTrue.xml" />

<sample src="AllowBackupEmpty.xml"/>

<p>In the following (good) example, <code>android:allowBackup</code> is set to <code>false</code>:</p>

<sample src="AllowBackupFalse.xml"/>

</example>
<references>
<li>
   Android Documentation:
   <a href="https://developer.android.com/guide/topics/data/autobackup#EnablingAutoBackup">Back up user data with Auto Backup</a>
</li>
<li>
   OWASP Mobile Security Testing Guide:
   <a href="https://github.com/OWASP/owasp-mstg/blob/b7a93a2e5e0557cc9a12e55fc3f6675f6986bb86/Document/0x05d-Testing-Data-Storage.md#backups">
    Android Backups
   </a>
</li>
</references>
</qhelp>