Insecure service configuration - ADB Backup - android

Insecure service configuration - ADB Backup - android

Need

Disable ADB backup to prevent unauthorized data extraction

Context

  • Usage of Android development for mobile applications
  • Ensuring security of sensitive user data in Android applications

Description

Non compliant code

        <manifest ...>
    <application
        android:name=".MyApplication"
        android:allowBackup="true"
        android:label="@string/app_name"
        android:theme="@style/AppTheme">
    </application>
</manifest>

        
        

In this AndroidManifest.xml configuration, the android:allowBackup attribute is either set to true or is missing, which defaults to true. This means that Android's ADB backup feature is enabled, allowing users (or attackers) with ADB access to extract app data, including sensitive user information.

This vulnerability can be exploited if a device is compromised or if an attacker gains temporary access to a user's unlocked device, allowing them to execute adb backup commands to retrieve application data.

To mitigate this risk, the android:allowBackup attribute should be explicitly set to false in the AndroidManifest.xml file.

Steps

  • Open the AndroidManifest.xml file of your application.
  • Locate the `` tag and check the value of `android:allowBackup`.
  • If it is set to `true` or missing, explicitly set `android:allowBackup="false"`.
  • Save the changes and rebuild the application to enforce the security setting.

Compliant code

        <manifest ...>
    <application
        android:name=".MyApplication"
        android:allowBackup="false"
        android:label="@string/app_name"
        android:theme="@style/AppTheme">
    </application>
</manifest>

        
        

This corrected AndroidManifest.xml configuration explicitly sets the android:allowBackup attribute to false, preventing the application from being backed up using ADB.

By disabling ADB backup, attackers cannot extract sensitive application data, reducing the risk of data theft in case of unauthorized access to the device.

It is recommended to apply this configuration to all applications that handle sensitive user data.

References