Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FVP-02-008 WP5: Android app allows backups of application data #803

Closed
bakulf opened this issue Apr 7, 2021 · 0 comments · Fixed by #817
Closed

FVP-02-008 WP5: Android app allows backups of application data #803

bakulf opened this issue Apr 7, 2021 · 0 comments · Fixed by #817
Assignees
Labels
p3 Low Criticality Issues
Milestone

Comments

@bakulf
Copy link
Collaborator

bakulf commented Apr 7, 2021

The allowBackup property in the AndroidManifest.xml file specifies if the data pertinent
to the apps can be backed up.2

Without setting the android:allowBackup flag to false, the
backup feature is enabled by default. In case an attacker is able to send adb commands
to user-phones, they could get access to all of the stored data from the protected data
folders, inclusive of the VPN configuration data.
Affected File:
android/AndroidManifest.xml
As this feature does not require a rooted phone, disallowing backups completely should
be considered. Due to the fact that an absence of the flag will set it to true by default, it is
recommended to explicitly set the allowBackup flag to false within the application tag.

┆Issue is synchronized with this Jira Task

@bakulf bakulf added p3 Low Criticality Issues audit-issue labels Apr 7, 2021
strseb added a commit that referenced this issue Apr 8, 2021
@bakulf bakulf modified the milestone: v2.2 Apr 9, 2021
@strseb strseb added this to Merged in v2.3 Apr 19, 2021
@birdsarah birdsarah added this to the Release v2.3 milestone Apr 29, 2021
@birdsarah birdsarah removed this from Merged in v2.3 Apr 29, 2021
@birdsarah birdsarah added this to Triage parking lot in Mozilla VPN Product Board via automation Apr 29, 2021
@strseb strseb moved this from Triage parking lot to Done/Merged in Mozilla VPN Product Board Apr 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
p3 Low Criticality Issues
Projects
Development

Successfully merging a pull request may close this issue.

3 participants