What is allowBackup?

Android allowBackup

android:allowBackup controls whether the application participates in the backup and restore infrastructure. If this attribute is set to false, the application's data is never backed up or restored, even by a full-system backup (which normally stores all application data through adb). The default value of this attribute is true.

Vulnerability impact

allowBackup is described only briefly in the Android developer documentation. So what happens when allowBackup is enabled?

  1. Android API level 8 and above provides a backup and restore function for application data. The function is switched on and off by the allowBackup attribute in the AndroidManifest.xml file, and its value defaults to true. When allowBackup is true, users can back up and restore application data with adb backup and adb restore, which brings security risks.

  2. The risk comes from the fact that adb backup lets anyone who can enable USB debugging copy an app's data from an Android phone to an external device. Once the app data has been backed up, all of it can be read by that user. adb restore lets the user specify a source of restored data (that is, previously backed-up application data) and writes it back into the application's data directory. Therefore, after an application's data has been backed up, the user can install the same application on another Android phone or emulator, restore the backed-up data onto that device, and open the application there to recover the state of the original installation.

  3. For an address-book (contacts) application, once the application supports backup and restore, an attacker can use adb backup and adb restore to move the data into a freshly installed copy of the same application and view the chat history and other information; for payment and financial applications, an attacker can use this to make malicious payments and steal funds. Therefore, for security reasons, developers should set the allowBackup attribute to false to turn off the application's backup and restore function and prevent information leakage and financial loss.

The solution

Set the android:allowBackup attribute of the <application> element in AndroidManifest.xml to "false".
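The following is an added example, not code from the original article, that turns the risk described above and the manifest fix into a check a reviewer can run over a manifest. It parses AndroidManifest.xml with Python's standard library, reports the effective allowBackup setting (a missing attribute means the default, true), and produces a hardened copy with android:allowBackup="false". The three manifests embedded below are constructed sample input; the function names are this example's own. Note that on Android 12 (API level 31) and later, adb backup no longer exports the data of apps targeting API 31+ unless android:debuggable is true, so the attribute still matters for older target levels and for other backup transports.

```python
"""Audit and harden android:allowBackup in an AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# ElementTree addresses namespaced attributes as "{namespace}localname"
ALLOW_BACKUP_ATTR = "{%s}allowBackup" % ANDROID_NS

# Constructed sample manifests (not from the original page).
# Weak: attribute absent, so the Android default (true) applies.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <application android:label="Demo"/>
</manifest>"""

# Weak: attribute explicitly set to true.
EXPLICIT_TRUE_MANIFEST = WEAK_MANIFEST.replace(
    'android:label="Demo"', 'android:label="Demo" android:allowBackup="true"')

# Hardened: attribute explicitly set to false.
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    'android:label="Demo"', 'android:label="Demo" android:allowBackup="false"')


def _application_element(root: ET.Element) -> ET.Element:
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return app


def allow_backup_setting(manifest_xml: str) -> Optional[bool]:
    """Return the declared android:allowBackup value, or None if it is not declared."""
    app = _application_element(ET.fromstring(manifest_xml))
    value = app.get(ALLOW_BACKUP_ATTR)
    if value is None:
        return None
    return value.strip().lower() == "true"


def backup_enabled(manifest_xml: str) -> bool:
    """Effective setting: an undeclared attribute falls back to the default, true."""
    declared = allow_backup_setting(manifest_xml)
    return True if declared is None else declared


def audit(manifest_xml: str) -> str:
    """One-line finding in the style of a manifest security review."""
    declared = allow_backup_setting(manifest_xml)
    if declared is None:
        return ("FAIL: android:allowBackup is not declared; the default is true, "
                "so app data can be exported with adb backup")
    if declared:
        return "FAIL: android:allowBackup=\"true\"; app data can be exported with adb backup"
    return "PASS: android:allowBackup=\"false\""


def harden_manifest(manifest_xml: str) -> str:
    """Return a copy of the manifest with android:allowBackup forced to false."""
    ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
    root = ET.fromstring(manifest_xml)
    _application_element(root).set(ALLOW_BACKUP_ATTR, "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, manifest in [("weak", WEAK_MANIFEST),
                           ("explicit-true", EXPLICIT_TRUE_MANIFEST),
                           ("hardened", HARDENED_MANIFEST)]:
        print(f"{name:14s} {audit(manifest)}")
    print("after hardening the weak manifest:", audit(harden_manifest(WEAK_MANIFEST)))
```

Run it against a real manifest by reading the file into a string and passing it to audit(); for a compiled APK, decode the binary manifest first (for example with apktool) before parsing.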