"Go" Android application development allowbackup a little reflection on the leaking of sensitive information

Source: Internet
Author: User

Reprint: http://blog.csdn.net/yanbober/article/details/46417531


1 Background

This article may be making a fuss over a small thing, but on reflection it is worth writing down; it felt a bit like being tripped up by something trivial. As you probably know, since Android API level 8 an application's data can be backed up and restored. The switch for this feature is the android:allowBackup attribute in the application's AndroidManifest.xml, which defaults to true, so by default users can back up our application's data. Like many developers, I glanced at this feature once and then never gave it another thought. Then the following story began.

Not long ago I received a bug report from WooYun (乌云), the well-known domestic white-hat platform; I will not introduce the organization here, but you will understand the seriousness of the problem. Fixing the bug itself was quick. What made me think afterwards (just as SQL injection once did) is why I had never considered it, so I am writing this record.

The risk behind allowBackup works like this: on a device with USB debugging enabled, `adb backup` can copy the application's data to a computer (the device has to be unlocked and the backup prompt confirmed on screen, which is exactly the situation of a lost or unattended phone without a lock screen). Once the backup file is in someone else's hands, anything goes: they can restore it to their own device with `adb restore` and then use the app entirely as you, or parse the backup file with a bit of code and pull out core information such as the account and password for the app's login. Google designed the feature for the convenience of backing up data, but we application developers seem to forget the case where the phone is lost or picked up by someone else. For contact, business-card, payment and similar apps the consequences of such a problem are serious, so it deserves attention.

2 Example reproduction

To verify that this small issue can lead to a significant leak of sensitive information, we pick a few representative apps to test, so that you can feel the crisis first-hand.

Special note: the applications below are used only for verification, and this problem generally does not carry much risk, so please keep a learning attitude and do not smear the application developers. I have also submitted the vulnerabilities for the applications below through the WooYun platform, and I believe they will be fixed in an upcoming release.

Jianshu (简书) Android 1.9.7 release test

Conclusion: accounts can be stolen.

Verification: first log in to an account on device A (screenshot not reproduced here).

Then run the following command on the computer to back up the app's data from device A:

    XXX@ThinkPad:~/workspace/myself/temp$ adb backup -f back.ab -noapk com.jianshu.haruki
    Now unlock your device and confirm the backup operation.

Next, install the app on device B but do not log in to any account, and run:

    XXX@ThinkPad:~/workspace/myself/temp$ adb restore back.ab
    Now unlock your device and confirm the restore operation.

Device B never entered an account or password, yet after restoring device A's backup it is logged in with device A's account.
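Restoring onto a second device is only one way to use the file. An unencrypted .ab produced by `adb backup` is a short text header (magic, format version, compression flag, encryption type) followed by a zlib-compressed tar stream in which each app's data sits under apps/<package>/ with sp/ for SharedPreferences, db/ for databases and f/ for files. So back.ab can also be unpacked directly on the computer and searched for credentials, which is the "parse the backup file" route mentioned in section 1. The script below is an added example for this article, not the original author's code and not code from any of the tested apps. When run without arguments it builds its own synthetic backup; the package name com.example.app, the file names and the preference values in it are invented, and the list of credential-looking key names is a heuristic of this example.

```python
"""Unpack an unencrypted Android full backup (.ab) and list where credentials tend to live.

Added example for this article, not the original author's code.
    python ab_inspect.py back.ab   # inspect a real file from `adb backup`
    python ab_inspect.py           # run on a synthetic backup from make_sample_backup()
"""
import io
import re
import sys
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"

# Subtrees under apps/<package>/ in the backup tar (Android's FullBackup tokens):
# sp = shared_prefs, db = databases, f = files.
SENSITIVE_TREES = {"sp": "SharedPreferences", "db": "SQLite database", "f": "app files"}

# Heuristic (this example's assumption): preference names that usually hold credentials.
SUSPICIOUS_KEY = re.compile(r"pass|pwd|token|secret|session|cookie|auth", re.IGNORECASE)


def parse_ab_header(data: bytes):
    """Parse the four text lines that start an .ab file.

    Layout: magic, format version, compression flag ("0"/"1"),
    encryption ("none" or "AES-256"), then the payload.
    Returns (version, compressed, encryption, payload_offset).
    """
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file (bad magic)")
    lines = data.split(b"\n", 4)
    if len(lines) < 5:
        raise ValueError("truncated backup header")
    version = int(lines[1])
    compressed = lines[2] == b"1"
    encryption = lines[3].decode("ascii")
    offset = len(MAGIC) + sum(len(line) + 1 for line in lines[1:4])
    return version, compressed, encryption, offset


def ab_to_tar(data: bytes) -> bytes:
    """Return the raw tar stream inside an unencrypted .ab file."""
    _, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        # A backup password was set; decryption needs the password-derived key, not shown here.
        raise ValueError(f"backup is encrypted ({encryption}); the backup password is required")
    payload = data[offset:]
    return zlib.decompress(payload) if compressed else payload


def find_sensitive_entries(tar_bytes: bytes):
    """Return (package, tree, path, suspicious_keys) for files under apps/<pkg>/{sp,db,f}.

    For SharedPreferences XML, suspicious_keys lists preference names matching
    SUSPICIOUS_KEY; for other trees it is an empty list.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 3)  # apps / <package> / <tree> / <path in tree>
            if len(parts) < 4 or parts[0] != "apps" or parts[2] not in SENSITIVE_TREES:
                continue
            package, tree = parts[1], parts[2]
            content = tf.extractfile(member).read()
            keys = []
            if tree == "sp":
                names = [n.decode("utf-8", "replace") for n in re.findall(rb'name="([^"]+)"', content)]
                keys = [n for n in names if SUSPICIOUS_KEY.search(n)]
            findings.append((package, SENSITIVE_TREES[tree], member.name, keys))
    return findings


def make_sample_backup() -> bytes:
    """Construct a synthetic, compressed, unencrypted .ab for offline use.

    Package name, file names and preference values are invented for this example;
    the layout mimics what `adb backup -noapk <package>` produces.
    """
    prefs_xml = (
        b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
        b"<map>\n"
        b'    <string name="username">alice</string>\n'
        b'    <string name="session_token">tok_0123456789abcdef</string>\n'
        b'    <boolean name="remember_me" value="true" />\n'
        b"</map>\n"
    )
    entries = [
        ("apps/com.example.app/_manifest", b"1\ncom.example.app\n"),
        ("apps/com.example.app/sp/com.example.app_preferences.xml", prefs_xml),
        ("apps/com.example.app/db/accounts.db", b"SQLite format 3\x00" + b"\x00" * 16),
    ]
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:") as tf:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    header = MAGIC + b"1\n" + b"1\n" + b"none\n"  # version 1, compressed, unencrypted
    return header + zlib.compress(tar_buf.getvalue())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = make_sample_backup()
    for package, tree, path, keys in find_sensitive_entries(ab_to_tar(blob)):
        flag = f"  <- credential-looking keys: {', '.join(keys)}" if keys else ""
        print(f"{package:24} {tree:18} {path}{flag}")
```

Two things worth noting from this. First, the only thing standing between an attacker and the plaintext preferences is whether a backup password was set on the device, which most users never do; a token stored in SharedPreferences is as exposed as a password. Second, the same tar can be edited and repacked before `adb restore`, so any client-side "is this still my device" check that relies on values stored in the app's own data is also inside the backup.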

"Sina Weibo" Android 5.1.0 Release Test

Testing Weibo the same way, restoring device A's data onto device B has no effect: device B still shows the login screen.

In other words, Sina Weibo has been thoughtful and already closed this potential leak: the restored backup data is ineffective and the user still has to log in again. Credit to them.

"Mint" Android 5.4.5.1 Release Test

With the same steps as above, device B, which never logged in to the account, enters the other user's account interface merely by restoring that user's backup.

That is, device A's account can be operated directly from device B.

3 Reflections and summary

"Craftsman Joshui Http://blog.csdn.net/yanbober Reprint Please indicate the source, respect the work result"

After reading the two parts above you may also sense the potential seriousness of the problem. Google's original intention was good, but once someone with ulterior motives targets this opening the consequences are serious. For example, a more sophisticated attacker could write a piece of code that runs the backup, uploads the file to their own server and parses the backup data there; at a minimum personal information leaks, and at worst, well, you understand.

Since you will surely care about the fix, here it is; it is relatively simple:

Scenario 1:

Set android:allowBackup="false" directly on the <application> element of the manifest file, as follows (note that this also disables the platform's cloud backup of the app's data, which is the trade-off for the convenience Google intended; apps targeting Android 12 (API level 31) or newer are additionally excluded from `adb backup` unless android:debuggable is true, but the explicit attribute remains the right setting for older targets and older devices):

    <?xml version="1.0" encoding="utf-8"?>
    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.test.disallowbackup"
        android:versionCode="1"
        android:versionName="1.0" >

        <uses-sdk android:minSdkVersion="10" />

        <application
            android:allowBackup="false"
            android:label="@string/app_name" >
            <activity
                android:name="LoginActivity"
                android:label="@string/app_name" >
                <intent-filter>
                    <action android:name="android.intent.action.MAIN" />
                    <category android:name="android.intent.category.LAUNCHER" />
                </intent-filter>
            </activity>
        </application>
    </manifest>

Scenario 2:

Leave android:allowBackup unset so that backups are still allowed, but have the app's launch screen decide whether the user must log in again: for example, compare a unique device identifier with the one recorded before the backup, and if they differ jump straight to the login page while clearing the current application data and cache. Keep in mind that whatever identifier the app stores ends up inside the backup file too, so someone who edits the backup before restoring it can make the comparison pass; this check raises the bar rather than closing the hole, and the session credentials themselves should not be trusted on a new device without the server being involved.

Well, that is my humble opinion and not meant to be authoritative, just a small summary written because our project received the WooYun report. We went with Scenario 1, similar to Sina Weibo.

"Go" Android application development allowbackup a little reflection on the leaking of sensitive information
