Android has a built-in backup mechanism that can save and restore application data. When application backup is enabled, local data from your application can be exported to Google Cloud or to an external device via adb backup. Enabling Android backup exposes your application to disclosure of sensitive data. It can also lead to corruption of local data when restore is performed from an untrusted source.
By default, application backup is enabled and it includes:
- Shared preferences files
- Files saved in one of the paths returned by
Ask Yourself Whether
- Application backup is enabled and sensitive data is stored in local files, local databases or shared preferences.
- Your application never validates data from files that are included in backups.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- Disable application backup unless it’s required for your application to work properly.
- Narrow the scope of backed-up files by using either
- backup rules (see
- a custom
- or the dedicated "no_backup" folder (see
- Don’t back up local data containing sensitive information unless it is properly encrypted.
- Make sure that the keys used to encrypt backup data are not included in the backup.
- Validate data from backed-up files. They should be considered untrusted as they could have been restored from an untrusted source.
Noncompliant Code Example
<application android:allowBackup="true"> <!-- Sensitive -->
</application>
Disable application backup.
If targeting Android 6.0 or above (API level 23), define files to include/exclude from the application backup.
<application
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup.xml">
</application>
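A manifest check for the three states described above (backup on, backup on with rules, backup off), written as an added example and not part of the original rule text. The function names and the sample manifests are constructed for illustration; the check covers the case where android:allowBackup is absent, which counts as enabled because backup is on by default.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_backup(manifest_xml):
    """Classify backup posture: 'disabled', 'scoped' or 'sensitive'."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    allow = _android_attr(app, "allowBackup")
    # Only a literal "false" disables backup. A missing attribute means the
    # default (enabled); a resource reference such as @bool/... cannot be
    # resolved here, so it is conservatively treated as enabled.
    if allow is not None and allow.strip().lower() == "false":
        return "disabled"
    rules = _android_attr(app, "fullBackupContent")
    # Backup rules are referenced as an XML resource, e.g. @xml/backup.xml.
    if rules is not None and rules.strip().startswith("@xml/"):
        return "scoped"
    return "sensitive"

def _manifest(app_attrs):
    """Build a constructed sample manifest with the given <application> attributes."""
    return ('<manifest xmlns:android="%s" package="com.example.app">'
            '<application %s></application></manifest>' % (ANDROID_NS, app_attrs))

# Constructed sample inputs (not taken from a real application).
SAMPLES = {
    "explicit": _manifest('android:allowBackup="true"'),
    "default": _manifest(''),
    "scoped": _manifest('android:allowBackup="true" '
                        'android:fullBackupContent="@xml/backup.xml"'),
    "disabled": _manifest('android:allowBackup="false"'),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, "->", audit_backup(xml_text))
```

A "scoped" result only confirms that a rules file is referenced; the rules themselves still need review to confirm that sensitive files are excluded.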