Insecure service configuration - ADB Backup - Android
Need
Disable ADB backup to prevent unauthorized data extraction
Context
- Usage of Android development for mobile applications
- Ensuring security of sensitive user data in Android applications
Description
Insecure Code Example
<manifest ...>
    <application
        android:name=".MyApplication"
        android:allowBackup="true"  <!-- true, or omitted, lets `adb backup` read this app's private data -->
        android:label="@string/app_name"
        android:theme="@style/AppTheme">
    </application>
</manifest>
In this AndroidManifest.xml configuration, the `android:allowBackup` attribute is either set to `true` or is missing, and a missing attribute is treated as `true` by default. This means that Android's ADB backup feature is enabled for the app, allowing anyone with ADB access to the device to extract the app's private data, including sensitive user information. The weakness can be exploited if a device is compromised or if an attacker gains temporary access to a user's unlocked device with USB debugging enabled, since `adb backup` can then retrieve the application's data. To mitigate this risk, the `android:allowBackup` attribute should be explicitly set to `false` in the AndroidManifest.xml file.
Steps
- Open the AndroidManifest.xml file of your application.
- Locate the `<application>` tag and check the value of `android:allowBackup`.
- If it is set to `true` or missing, explicitly set `android:allowBackup="false"`.
- Save the changes and rebuild the application to enforce the security setting.
Secure Code Example
<manifest ...>
    <application
        android:name=".MyApplication"
        android:allowBackup="false"  <!-- explicitly opts the app out of ADB backup -->
        android:label="@string/app_name"
        android:theme="@style/AppTheme">
    </application>
</manifest>
This corrected AndroidManifest.xml configuration explicitly sets the `android:allowBackup` attribute to `false`, preventing the application from being backed up using ADB. With ADB backup disabled, an attacker can no longer use `adb backup` to extract the application's data, reducing the risk of data theft in case of unauthorized access to the device. It is recommended to apply this configuration to all applications that handle sensitive user data.
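The following script is an added example (not part of this page or of any Android tooling) that automates the check described in the Steps above: it parses an AndroidManifest.xml, resolves the `android:` namespace, and reports whether `android:allowBackup` is `true`, missing (which Android treats as `true`), `false`, or a resource reference such as `@bool/...` that must be resolved by hand. The three manifests embedded below are constructed for the demonstration; the `package` attribute and the `xmlns:android` declaration are assumed, since the page's snippets elide them.

```python
"""Check an AndroidManifest.xml for an insecure android:allowBackup setting.

Added example: a manifest lint for the allowBackup attribute, suitable for a
CI pre-build step. It does not ship with Android or with any project.
"""
import sys
import xml.etree.ElementTree as ET

# The android: prefix in a manifest is bound to this URI; ElementTree exposes
# namespaced attributes as "{uri}localname".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS

VULNERABLE = "VULNERABLE"  # adb backup can read the app's private data
SAFE = "SAFE"              # allowBackup explicitly false
REVIEW = "REVIEW"          # value is a resource reference; resolve it manually


def check_allow_backup(manifest_xml: str) -> dict:
    """Classify the allowBackup setting of a manifest given as an XML string.

    Returns a dict with keys: status (VULNERABLE/SAFE/REVIEW), value (raw
    attribute value or None) and reason (human-readable explanation).
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")  # <application> carries no namespace
    if app is None:
        return {"status": VULNERABLE, "value": None,
                "reason": "no <application> element found"}

    value = app.get(ALLOW_BACKUP)
    if value is None:
        # A missing attribute defaults to true, which is the insecure case.
        return {"status": VULNERABLE, "value": None,
                "reason": "android:allowBackup missing; defaults to true"}

    normalized = value.strip().lower()
    if normalized.startswith("@"):
        # e.g. @bool/allow_backup: the real value lives in a resource file.
        return {"status": REVIEW, "value": value,
                "reason": "android:allowBackup is a resource reference"}
    if normalized == "true":
        return {"status": VULNERABLE, "value": value,
                "reason": "android:allowBackup explicitly true"}
    if normalized == "false":
        return {"status": SAFE, "value": value,
                "reason": "android:allowBackup explicitly false"}
    return {"status": REVIEW, "value": value,
            "reason": "android:allowBackup has an unrecognized value"}


def check_manifest_file(path: str) -> dict:
    """Convenience wrapper: read a manifest from disk and check it."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_allow_backup(fh.read())


# Constructed sample manifests (assumed package name and namespace declaration).
_HEADER = ('<manifest xmlns:android="%s" package="com.example.demo">' % ANDROID_NS)

INSECURE_MANIFEST = _HEADER + """
    <application android:name=".MyApplication"
                 android:allowBackup="true"
                 android:label="@string/app_name" />
</manifest>"""

MISSING_MANIFEST = _HEADER + """
    <application android:name=".MyApplication"
                 android:label="@string/app_name" />
</manifest>"""

SECURE_MANIFEST = _HEADER + """
    <application android:name=".MyApplication"
                 android:allowBackup="false"
                 android:label="@string/app_name" />
</manifest>"""


def run_samples() -> dict:
    """Check the three constructed manifests; returns name -> status."""
    return {name: check_allow_backup(xml)["status"]
            for name, xml in (("insecure", INSECURE_MANIFEST),
                              ("missing", MISSING_MANIFEST),
                              ("secure", SECURE_MANIFEST))}


if __name__ == "__main__":
    # Usage: python check_allow_backup.py [path/to/AndroidManifest.xml]
    if len(sys.argv) > 1:
        result = check_manifest_file(sys.argv[1])
        print("%s: %s" % (result["status"], result["reason"]))
        sys.exit(0 if result["status"] == SAFE else 1)
    for name, status in run_samples().items():
        print("%-8s -> %s" % (name, status))
```

The script exits non-zero for anything other than an explicit `false`, so it can gate a build. Two caveats apply when using it: the manifest merger can combine attributes from library manifests, so the merged manifest in the build output is the one that reflects the final value, and a `REVIEW` result means the value is defined in a resource file that the script does not resolve.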
References
Last updated
2025/04/03