Recipe Name:
Manifest best practices: Disable Backups
Description:
Enabling backups could lead to undesired manipulation
Level:
error
Language:
- xml
Tags:
- security
- framework specific
- mobile
- Android
Documentation
The Android best practices and coding guidelines recommend setting android:allowBackup to false in the Android Manifest.
Disabling the android:allowBackup attribute ensures that no backups are created. Using this functionality is insecure: when the Android system is allowed to create backups, copies are made of the application and its data. These backups can be studied by attackers, or tampered with before they are used for recovery. The default value of android:allowBackup is true.
Before
<application android:allowBackup="true" />
After
<application android:allowBackup="false" />
Resources
Recipe
id: scw:android:disable-backups
version: 10
metadata:
  name: 'Manifest best practices: Disable Backups'
  shortDescription: Enabling backups could lead to undesired manipulation
  level: error
  language: xml
  scwCategory: code_tampering:backups_enabled
  cweCategory: 530
  enabled: true
  descriptionFile: descriptions/AndroidManifestbestpracticesDisableBackups.html
  tags: security;framework specific;mobile;Android
search:
  attribute:
    allOf:
    - in:
        element:
          tagName:
            is: application
    - in:
        file:
          name: AndroidManifest.xml
    name: android:allowBackup
    value:
      matches: true|^$
availableFixes:
- name: Set allowBackup to false
  actions:
  - set:
      to: '"false"'
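
The same check as a stand-alone script, for use outside the IDE (for example in a CI step). This is an added example, not part of the recipe or the original page. It goes one step beyond the recipe's search by also reporting a manifest where the attribute is absent, since the default value is true. The sample manifests, the package name, the function names and the partial-match reading of the recipe's value pattern are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS
# Value pattern copied from the recipe's search; partial-match semantics are an assumption.
RECIPE_VALUE = re.compile(r"true|^$")
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output

def _manifest(app_attrs):
    # Builds a constructed sample manifest (the package name is made up).
    return ('<manifest xmlns:android="%s" package="com.example.app">'
            '<application %s/></manifest>' % (ANDROID_NS, app_attrs))

SAMPLES = {
    "explicit_true": _manifest('android:allowBackup="true"'),
    "empty_value": _manifest('android:allowBackup=""'),
    "attribute_missing": _manifest('android:label="Demo"'),
    "explicit_false": _manifest('android:allowBackup="false"'),
}

def check_manifest(xml_text):
    """Classify the <application> element's backup setting."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return "no-application"
    value = app.get(ALLOW_BACKUP)
    if value is None:
        # Assumed not to match the recipe's attribute search, but the default is true.
        return "missing"
    if RECIPE_VALUE.search(value):
        return "enabled"   # the case the recipe's search flags
    return "ok"

def disable_backups(xml_text):
    """Apply the recipe's fix: set android:allowBackup to "false"."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is not None:
        app.set(ALLOW_BACKUP, "false")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        before = check_manifest(xml_text)
        after = check_manifest(disable_backups(xml_text))
        print("%-18s %-8s -> %s" % (name, before, after))
```

Treat both "enabled" and "missing" as findings; only an explicit false yields "ok".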