rspec/rules/S6358/xml/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529)
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00


Android has a built-in backup mechanism that can save and restore application
data. When application backup is enabled, local data from your application can
be exported to Google Cloud or to an external device via ``++adb backup++``.

Enabling Android backup exposes your application to disclosure of sensitive
data. It can also lead to corruption of local data when restoration is performed
from an untrusted source.

By default, application backup is enabled and it includes:

* Shared preferences files
* Files saved in one of the paths returned by
** https://developer.android.com/reference/android/content/Context#getDatabasePath(java.lang.String)[getDatabasePath(String)]
** https://developer.android.com/reference/android/content/Context#getFilesDir()[getFilesDir()]
** https://developer.android.com/reference/android/content/Context#getDir(java.lang.String,%20int)[getDir(String, int)]
** https://developer.android.com/reference/android/content/Context#getExternalFilesDir(java.lang.String)[getExternalFilesDir(String)]

== Ask Yourself Whether

* Application backup is enabled and sensitive data is stored in local files, local databases, or shared preferences.
* Your application never validates data from files that are included in backups.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

* Disable application backup unless it is required for your application to work properly.
* Narrow the scope of backed-up files by using one of:
** backup rules (see the ``++android:fullBackupContent++`` attribute).
** a custom ``++BackupAgent++``.
** the dedicated `no_backup` folder (see ``++android.content.Context#getNoBackupFilesDir()++``).
* Do not back up local data containing sensitive information unless it is properly encrypted.
* Make sure that the keys used to encrypt backup data are not included in the backup.
* Validate data from backed-up files. It should be considered untrusted, as it could have been restored from an untrusted source.

== Sensitive Code Example

[source,xml]
----
<application
    android:allowBackup="true"> <!-- Sensitive -->
</application>
----

== Compliant Solution

Disable application backup.

[source,xml]
----
<application
    android:allowBackup="false">
</application>
----

If targeting Android 6.0 or above (API level 23), define files to include/exclude from the application backup.

[source,xml]
----
<application
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup.xml">
</application>
----
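As an added example (not part of this rule's text), here is a `res/xml/backup.xml` that the `android:fullBackupContent` attribute above could point to. It keeps the default-included domains but removes the files that would hold credentials or key material; the file and directory names are assumed for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example of a backup-rules file (res/xml/backup.xml); names are assumed. -->
<full-backup-content>
    <!-- Keep backing up the non-sensitive state: every shared preferences file,
         every file under getFilesDir() and every database ("." = whole domain). -->
    <include domain="sharedpref" path="."/>
    <include domain="file" path="."/>
    <include domain="database" path="."/>

    <!-- Exclusions take precedence over the includes above:
         the preferences file holding session tokens never leaves the device... -->
    <exclude domain="sharedpref" path="auth_tokens.xml"/>
    <!-- ...nor does the database that stores per-user secrets... -->
    <exclude domain="database" path="secrets.db"/>
    <!-- ...nor the directory holding local encryption keys, so a backup of the
         encrypted data cannot be decrypted from the backup alone. -->
    <exclude domain="file" path="keys/"/>
</full-backup-content>
```

Files written under `getNoBackupFilesDir()` are never backed up, whatever these rules say. On Android 12 (API level 31) and later the equivalent rules are supplied through the `android:dataExtractionRules` attribute instead.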
== See

* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
* https://developer.android.com/guide/topics/data/autobackup[Back up user data with Auto Backup]
* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/922[CWE-922 - Insecure Storage of Sensitive Information]

ifdef::env-github,rspecator-view[]

== Implementation Specification
(visible only on this page)

=== Message

Make sure backup of application data is safe here.

=== Highlighting

The opening `<application>` tag

endif::env-github,rspecator-view[]