Merge pull request #10106 from egregius313/egregius313/android-backup-allowed

Java: Query to detect Android backup allowed
2026-06-18 11:21:07 +02:00 · 2022-09-12 11:14:03 -04:00
parent a8a7909d33 817f12cae6
commit eadb8a3988
31 changed files with 279 additions and 2 deletions
--- a/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp
+++ b/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp
@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>In the Android manifest file, you can use the <code>android:allowBackup</code> attribute of the <code>application</code> element to define whether the
+application will have automatic backups or not.</p>
+
+<p>If your application uses any sensitive data, you should disable automatic backups to prevent attackers from extracting it.</p>
+</overview>
+
+<recommendation>
+<p>For Android applications which process sensitive data, set <code>android:allowBackup</code> to <code>false</code> in the manifest
+file.</p>
+
+<p>Note: Since Android 6.0 (Marshmallow), automatic backups for applications are switched on by default. 
+</p>
+</recommendation>
+
+<example>
+
+<p>In the following two (bad) examples, the <code>android:allowBackup</code> setting is enabled:</p>
+
+<sample src="AllowBackupTrue.xml" />
+
+<sample src="AllowBackupEmpty.xml"/>
+
+<p>In the following (good) example, <code>android:allowBackup</code> is set to <code>false</code>:</p>
+
+<sample src="AllowBackupFalse.xml"/>
+
+</example>
+<references>
+<li>
+   Android Documentation:
+   <a href="https://developer.android.com/guide/topics/data/autobackup#EnablingAutoBackup">Back up user data with Auto Backup</a>
+</li>
+<li>
+   OWASP Mobile Security Testing Guide:
+   <a href="https://github.com/OWASP/owasp-mstg/blob/b7a93a2e5e0557cc9a12e55fc3f6675f6986bb86/Document/0x05d-Testing-Data-Storage.md#backups">
+    Android Backups
+   </a>
+</li>
+</references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
+++ b/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Application backup allowed
+ * @description Allowing application backups may allow an attacker to extract sensitive data.
+ * @kind problem
+ * @problem.severity recommendation
+ * @security-severity 7.5
+ * @id java/android/backup-enabled
+ * @tags security
+ *       external/cwe/cwe-312
+ * @precision very-high
+ */
+
+import java
+import semmle.code.xml.AndroidManifest
+
+from AndroidApplicationXmlElement androidAppElem
+where androidAppElem.allowsBackup()
+select androidAppElem, "Backups are allowed in this Android application."
--- a/java/ql/src/Security/CWE/CWE-312/AllowBackupEmpty.xml
+++ b/java/ql/src/Security/CWE/CWE-312/AllowBackupEmpty.xml
@@ -0,0 +1,7 @@
+<manifest ... >
+    <!-- BAD: no 'android:allowBackup' set, defaults to 'true' -->
+    <application>
+        <activity ... >
+        </activity>
+    </application>
+</manifest>
--- a/java/ql/src/Security/CWE/CWE-312/AllowBackupFalse.xml
+++ b/java/ql/src/Security/CWE/CWE-312/AllowBackupFalse.xml
@@ -0,0 +1,8 @@
+<manifest ... >
+    <!-- GOOD: 'android:allowBackup' set to 'false' -->
+    <application
+        android:allowBackup="false">
+        <activity ... >
+        </activity>
+    </application>
+</manifest>
--- a/java/ql/src/Security/CWE/CWE-312/AllowBackupTrue.xml
+++ b/java/ql/src/Security/CWE/CWE-312/AllowBackupTrue.xml
@@ -0,0 +1,8 @@
+<manifest ... >
+    <!-- BAD: 'android:allowBackup' set to 'true' -->
+    <application
+        android:allowBackup="true">
+        <activity ... >
+        </activity>
+    </application>
+</manifest>