CodeQL documentation

Application backup allowed

ID: java/android/backup-enabled Kind: problem Security severity: 7.5 Severity: recommendation Precision: very-high Tags: - security - external/cwe/cwe-312 Query suites: - java-security-extended.qls - java-security-and-quality.qls 

Click to see the query in the CodeQL repository

In the Android manifest file, you can use the android:allowBackup attribute of the application element to define whether the application will have automatic backups or not.

If your application uses any sensitive data, you should disable automatic backups to prevent attackers from extracting it.

Recommendation

For Android applications which process sensitive data, set android:allowBackup to false in the manifest file.

Note: Since Android 6.0 (Marshmallow), automatic backups for applications are switched on by default.

Example

In the following two (bad) examples, the android:allowBackup setting is enabled:

<manifest ... >  <!-- BAD: 'android:allowBackup' set to 'true' -->  <application  android:allowBackup="true">  <activity ... >  </activity>  </application> </manifest> 
<manifest ... >  <!-- BAD: no 'android:allowBackup' set, defaults to 'true' -->  <application>  <activity ... >  </activity>  </application> </manifest> 

In the following (good) example, android:allowBackup is set to false:

<manifest ... >  <!-- GOOD: 'android:allowBackup' set to 'false' -->  <application  android:allowBackup="false">  <activity ... >  </activity>  </application> </manifest> 

References