Backup leaks

OWASP category: MASVS-STORAGE: Storage

Overview

Applications commonly store data for use, whether locally on the device, within external storage, or remotely in cloud storage. To preserve an application's state, application backups are performed so that the application can be restored if it experiences a critical failure or user error resulting in the loss of data. When stored data relates to sensitive information, such as a user's personal data or authentication keys and passwords, additional security measures can be applied to prevent the leaking of this sensitive data if the backup is accessed by someone other than the intended user.

It's important to note that one of the most common methods of retrieving backup data is the ADB backup command, which requires Developer options to be enabled on the device. Because enabling Developer options requires the user's PIN, any potential attacker would first need to compromise the user's PIN in order to retrieve any backup data.

Impact

An attacker with access to an application's backup file can retrieve any unencrypted data that the application has backed up. As a result, any sensitive data exposed can be used by the attacker in future attacks or be readily exploited.

Risk: Allowing application backups

Any attacker with physical access to an unlocked device or access to a compromised Google Account can perform a backup of an application and its data. It is important to note that as of Android 12, application data is not included within the backup data as long as the android:debuggable attribute in the Android Manifest is set to false. Where application data is included in the backup, any of it that is unencrypted may be exposed and abused by the attacker.

It's important to note that while the following configuration changes can help prevent sensitive data from being leaked in backup files, not all phone manufacturers adhere to an application's backup policies. As a result, data that is not intended to be backed up may be backed up anyway through a unique OEM backup solution. To account for such cases, consider implementing additional measures to protect user data, such as encryption and removing or not storing unnecessary data that may be considered sensitive.

Mitigations

Disable application backup

If an application's backup data is not considered necessary for the normal operation of the application, consider adding rules to prevent backups from being performed. To restrict backups of an application, set the android:allowBackup attribute within the AndroidManifest.xml file to false. Note that for Android versions 12 and higher, setting allowBackup to false restricts Cloud and ADB backups, but device-to-device migrations are still permitted.

<application android:name="com.example.foo" android:allowBackup="false">
   ...
</application>

Control what is backed up

If backups are required for the normal use of the application, backup rules can be set to specify what data is backed up. The rules are defined in a backup_rules.xml file. There are some differences in how these rules are configured depending on the version of Android that's used:

For Android versions 12 and higher, add an android:dataExtractionRules attribute to the <application> element within the AndroidManifest.xml, as shown in the following example:

<application android:name="com.example.foo"
  android:dataExtractionRules="@xml/backup_rules">
  …
</application>

For Android versions 11 and lower, add an android:fullBackupContent attribute to the <application> element instead:

<application android:name="com.example.foo"
  android:fullBackupContent="@xml/backup_rules">
  …
</application>
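As an added example (not from the original page), the following rule files keep everything in the app's shared preferences and databases out of backups except the files that hold secrets. The file names under res/xml, the auth_tokens.xml shared-preferences file and the secrets.db database are constructed for this example and are assumptions; the rule syntax is Android's own.

```xml
<!-- res/xml/data_extraction_rules.xml (assumed name)
     Android 12 and higher: referenced from the manifest by
     android:dataExtractionRules. Cloud backup and device-to-device
     transfer are configured separately, so the secret files must be
     excluded from both sections. -->
<data-extraction-rules>
    <!-- disableIfNoEncryptionCapabilities: skip the cloud backup
         entirely if the device cannot encrypt it end-to-end. -->
    <cloud-backup disableIfNoEncryptionCapabilities="true">
        <include domain="sharedpref" path="."/>
        <include domain="database" path="."/>
        <!-- constructed file names holding session tokens and keys -->
        <exclude domain="sharedpref" path="auth_tokens.xml"/>
        <exclude domain="database" path="secrets.db"/>
    </cloud-backup>
    <device-transfer>
        <include domain="sharedpref" path="."/>
        <include domain="database" path="."/>
        <exclude domain="sharedpref" path="auth_tokens.xml"/>
        <exclude domain="database" path="secrets.db"/>
    </device-transfer>
</data-extraction-rules>

<!-- res/xml/backup_rules.xml (assumed name)
     Android 11 and lower: referenced from the manifest by
     android:fullBackupContent. One section covers all backup kinds. -->
<full-backup-content>
    <include domain="sharedpref" path="."/>
    <include domain="database" path="."/>
    <exclude domain="sharedpref" path="auth_tokens.xml"/>
    <exclude domain="database" path="secrets.db"/>
</full-backup-content>
```

Ship both files and reference both attributes in the manifest so that the exclusions apply on every Android version the app supports; an exclude that only appears in one of the two cloud-backup and device-transfer sections still leaks through the other.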

Risk: Storing sensitive data unencrypted

Depending on the purpose of an application, some data that is backed up on the device may be considered sensitive, such as personal and financial data. An attacker who manages to compromise a user's device may be able to retrieve data from the device. As a result, any cleartext data exposed to the attacker may be exploited.

Mitigation

Encrypt all sensitive data

For improved data security, encrypt any stored data that may be considered sensitive by following Android's cryptography guidelines, and use the Android Keystore system to protect encryption keys.

If application data migration to new devices needs to be supported, consider implementing a data transfer mode for the application, where encrypted data is briefly stored unencrypted within the application's internal files, allowing the application's data to be transferred to a new device.

When implementing a data transfer mode, consider the following best practices:

  • Ensure that the data transfer mode can only be enabled by an authenticated application user.
  • Store the unencrypted data locally within the application's internal files, not within external storage.
  • Only permit unencrypted files to exist for a short period of time, after which the files are deleted.
  • Once files are transferred, have the application encrypt the unencrypted files on startup.

While this mode would also allow unencrypted data to be backed up, the limited window of opportunity that's available to back up unencrypted data reduces the chance that an unauthenticated attacker gains access to cleartext data.

Resources