diff --git a/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp b/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp new file mode 100644 index 00000000000..8945f40172f --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp @@ -0,0 +1,51 @@ + + + +

The Android manifest file defines configuration settings for Android +applications. In this file, the android:allowBackup attribute of +the application element can be used to define whether or not the +application can have automatic backups.

+ +

Enabling backups may allow an attacker to extract sensitive data. Therefore, +it is advised to set android:allowBackup to false if +your application uses any sensitive data.

+
+ + +

For Android applications which process sensitive data, set the +android:allowBackup setting to false in the manifest +file.

+ +

Note: Since Android 6.0 (Marshmallow), applications default to participating +in automatic backups. Therefore, it is necessary to explicitly disable backups. +

+
+ + + +

In the two examples below, the android:allowBackup setting is enabled:

+ + + + + +

A corrected version explicity sets android:allowBackup to false:

+ + + +
+ +
  • + Android Documentation: + Back up user data with Auto Backup +
  • +
  • + OWASP Mobile Security Testing Guide: + + Android Backups + +
  • +
    +
    \ No newline at end of file
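Review bot: the example section has a typo, "explicity sets android:allowBackup to false" should read "explicitly sets android:allowBackup to false". While touching that paragraph, the overview wording "whether or not the application can have automatic backups" would be clearer as "whether the application's data is included in backups", since that is what the attribute controls and what the recommendation section then relies on.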