From 6509426fb383ba28bfc4f12f4b27f835bd392ed3 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Thu, 18 Aug 2022 22:03:51 -0400 Subject: [PATCH] `android:allowBackup` query documentation --- .../CWE-312/AllowBackupAttributeEnabled.qhelp | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp diff --git a/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp b/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp new file mode 100644 index 00000000000..8945f40172f --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp @@ -0,0 +1,51 @@ + + + +

The Android manifest file defines configuration settings for Android +applications. In this file, the android:allowBackup attribute of +the application element can be used to define whether or not the +application can have automatic backups.

+ +

Enabling backups may allow an attacker to extract sensitive data. Therefore, +it is advised to set android:allowBackup to false if +your application uses any sensitive data.

+
+ + +

For Android applications which process sensitive data, set the +android:allowBackup setting to false in the manifest +file.

+ +

Note: Since Android 6.0 (Marshmallow), applications default to participating +in automatic backups. Therefore, it is necessary to explicitly disable backups. +

+
+ + + +

In the two examples below, the android:allowBackup setting is enabled:

+ + + + + +

A corrected version explicity sets android:allowBackup to false:

+ + + +
+ +
  • + Android Documentation: + Back up user data with Auto Backup +
  • +
  • + OWASP Mobile Security Testing Guide: + + Android Backups + +
  • +
    +
    \ No newline at end of file
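Review bot: typo in the example paragraph of this hunk, "A corrected version explicity sets android:allowBackup to false" should read "explicitly sets". In the same file, "applications which process sensitive data" in the recommendation section reads better as "applications that process sensitive data", and the sentence "In the two examples below, the android:allowBackup setting is enabled" would help readers more if it said how the two examples differ (for instance, whether one of them leaves the attribute out and relies on the default that the Note about Android 6.0 describes), so the reader can connect the examples to the Note. The reference list is also missing a terminating newline ("No newline at end of file"); adding one keeps the qhelp consistent with the other files in the directory.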