hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 02:35:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Apply suggestions from documentation review

Browse Source 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
This commit is contained in:
Edward Minnix III
2022-09-08 15:55:00 -04:00
committed by GitHub
parent 59909751ae
commit 83c8e22225
2 changed files with 8 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp
View File

@@ -3,35 +3,29 @@
"qhelp.dtd">
<qhelp>
<overview>
<p>The Android manifest file defines configuration settings for Android
applications. In this file, the <code>android:allowBackup</code> attribute of
the <code>application</code> element can be used to define whether or not the
application can have automatic backups.</p>
<p>In the Android manifest file, you can use the <code>android:allowBackup</code> attribute of the <code>application</code> element to define whether the
application will have automatic backups or not.</p>
<p>Enabling backups may allow an attacker to extract sensitive data. Therefore,
it is advised to set <code>android:allowBackup</code> to <code>false</code> if
your application uses any sensitive data.</p>
<p>If your application uses any sensitive data, you should disable automatic backups to prevent attackers from extracting it.</p>
</overview>
<recommendation>
<p>For Android applications which process sensitive data, set the
<code>android:allowBackup</code> setting to <code>false</code> in the manifest
<p>For Android applications which process sensitive data, set <code>android:allowBackup</code> to <code>false</code> in the manifest
file.</p>
<p>Note: Since Android 6.0 (Marshmallow), applications default to participating
in automatic backups. Therefore, it is necessary to explicitly disable backups.
<p>Note: Since Android 6.0 (Marshmallow), automatic backups for applications are switched on by default.
</p>
</recommendation>
<example>
<p>In the two examples below, the <code>android:allowBackup</code> setting is enabled:</p>
<p>In the following two (bad) examples, the <code>android:allowBackup</code> setting is enabled:</p>
<sample src="AllowBackupTrue.xml" />
<sample src="AllowBackupEmpty.xml"/>
<p>A corrected version explicity sets <code>android:allowBackup</code> to <code>false</code>:</p>
<p>In the following (good) example, <code>android:allowBackup</code> is set to <code>false</code>:</p>
<sample src="AllowBackupFalse.xml"/>

2
java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
View File

@@ -1,6 +1,6 @@
/**
* @name Android allowBackup attribute enabled
* @description Android manifests which do not disable the `android:allowBackup` attribute allow backups, which can store sensitive information.
* @description Enabling the `android:allowBackup` attribute may allow an attacker to extract sensitive data.
* @kind problem
* @problem.severity recommendation
* @security-severity 7.5