MasterofProject

Reflection on the Android application development of allowBackup sensitive information leakage

Label AllowBackuAndroidApplication vulnerability
6011 people read comment(14) Collection Report
Classification:

1 background

Craftsmen if waterHttp://prog3.com/sbdm/blog/yanboberReprint please indicate the source, respect for labor]

In fact, the articles may be some make a mountain out of a molehill, but think back is very necessary, point the gutter capsize the feeling of. I believe we all know Android API level 8 provides for application to backup and data recovery function, the switch this function can through application in the androidmanifest.xml file properties allowBackup values is configured, the default is true, so the user can for our application for data backup. Believe that a lot of people and I have always been as the ear of the wind over the Android this feature, and then has not been to take care of the. However, the story is the beginning:

Not long ago suddenly received a Bug feedback from the domestic famousWhite hat organization cloud platform, about the organization will not be introduced, I believe we must know the seriousness of, about bug fixes this is something very quickly, but is restored after the bug had to let me into thinking (as before processing SQL injection), so write this paper records.

In fact allowBackup risk theories of the mainly allow by ADB backup to open the USB debugging equipment for data backup, once the backup file that is not to say, such as evil people can by ADB restore your data back to their own devices, although after completely on their own devices in your name to play around with the app, or through code analysis the backup file you landing app of some account passwords and other key information. In a word, core of the original design of Google is certainly in order to facilitate the consideration of data backup, but everyone to develop their own applications seem to ignore the phone is lost or others' picked up, such as contacts or business cards, payment and other app if once appear such consequences are very serious. Therefore, it is necessary to pay attention to what.

2 instance reduction

In order to verify that the small problem may bring about a major sensitive information leakage problem, we select a few representative App to be tested, so that you can visually make you feel the leak of a little crisis.

Special statement:The example in this paper involves the application of only for validation, and the problems generally will not cause too much risk, so please keep learning mentality and not wantonly slandered application developers; of course, I also have the cloud platform vulnerabilities to below relates to the application of the vulnerability to present, I believe that applying these new iterative version will soon be out of the way.

"Jane" 1.9.7 Android version of the test

Conclusion:There will be the problem of account stolen.

VerificationThe login account password on the device A is as follows:

Write the picture here.

And then execute the following command on the device to back up the data to the computer:

XXX@ThinkPad~/workspace/myself/temp$Backup -f back.ab -noapk com.jianshu.haruki ADB
NowYour device unlockAndThe backup operation. confirm

At this time for a device B installation of this application, but do not log any account password, the following orders:

XXX@ThinkPad~/workspace/myself/temp$Restore back.ab ADB
NowYour device unlockAndThe restore operation. confirm

Can see, the device B no account password login, only by restoring the backup data A device on the successful landing of the A device information.

"Sina micro blog" 5.1.0 Android version of the test

In accordance with the above similar process test was found in the device B above the device A recovery equipment B data is invalid, the device is still shown as follows:

Write the picture here.

That is to say Sina microblogging very comprehensive consideration, has been restored such potential risk of leakage, backup data recovery is invalid, still need to re login before you can give a praise.

"MINT" 5.4.5.1 Android version of the test

This application based on the above similar operation you will find that you can completely on the device B do not have access to the account, only to restore the backup account information to other people can enter the user account interface, as follows:

Write the picture here.

Above for the screenshot of the device on the B, can be directly on the device A operating equipment B account.

3 reflection and summary

Craftsmen if waterHttp://prog3.com/sbdm/blog/yanboberReprint please indicate the source, respect for labor]

After reading the above two parts of narrative you may will be aware of this potential severity, early in the heart of the Google is good, but once the ulterior motives of the people took aim at the breakthrough point of the problem is serious. Another example is a little high, people with ulterior motives specifically written a piece of code to perform the backup data uploaded to the cloud server and parses the data backup, small leakage of personal information, ha ha, you know.

Since it is certain that you will care about the solution, the specific solution is relatively easy, as follows:

Program 1:

Directly set the android:allowBackup= 'false' in your Android manifest file, as follows:

<? Version= XML "1" encoding= "UTF-8"?
<Manifest Xmlns:android="Http://schemas.android.com/apk/res/android"
          Package="Com.test.disallowbackup"
          Android:versionCode="1"
          Android:versionName="1">
    <Uses-sdk Android:minSdkVersion="10">

    <Application
            Android:allowBackup="False"
            Android:label="@string/app_name">
        <Activity Android:name="LoginActivity"
                  Android:label="@string/app_name">
            <Intent-filter>
                <Action Android:name="Android.intent.action.MAIN">
                <Category Android:name="Android.intent.category.LAUNCHER">
            < /Intent-filter>
        < /Activity>
    < /Application>
< /Manifest>

Program 2:

Not in your Android manifest file set android:allowBackup= "false", allows to perform a backup, but in use your start page for logic to determine whether to re landing, such as check equipment that uniquely identifies the device number and backup is consistent, inconsistent directly jump landing pages and emptied the application data and cache.

Well, personal humble opinion, the lack of convincing, just because a little project by the dark cloud feedback and write summary only, at present, we use the similar Sina Weibo practice.

Craftsmen if waterHttp://prog3.com/sbdm/blog/yanboberReprint please indicate the source, respect for labor]

Write the picture here.

top
Eleven
step on
One
Guess you're looking for
View comments
* the above user comments only represent their personal views, does not represent the views or position of the CSDN website
    personal data
    • Visit290404 times
    • Integral:Four thousand four hundred and forty-six
    • Grade
    • Rank:3659th name
    • Original93
    • Reproduced:10
    • Translation:0
    • Comments:694
    Contact information

    QQ exchange group: 519666583

    Yanbober@sina.com Email:

    GitHub

    Blog column