PTKD Mobile App Security
Knowledge base / PTKD-STO-BACKUP
Severity: medium | M9 | MASVS-STORAGE-2 | static analysis | PTKD-STO-BACKUP

Application data is backed up

android:allowBackup="true" lets app data be extracted via adb backup on many devices.

How it's exploited

With allowBackup enabled, adb backup (or a desktop "phone manager") exports the app's private data without root: databases, shared prefs, tokens. Cloud backups can also carry secrets off-device.

Why it matters

Anyone with brief USB access to an unlocked device that has USB debugging enabled walks away with the app's private storage.

How to fix it

  1. Set android:allowBackup="false", or define android:fullBackupContent / android:dataExtractionRules that exclude secrets.
  2. Keep tokens in Keystore-backed storage, which never enters backups.

Scoped backup rules (Android 12+)

<!-- res/xml/data_extraction_rules.xml, referenced from the manifest via
     android:dataExtractionRules="@xml/data_extraction_rules" -->
<data-extraction-rules>
  <!-- Exclude the shared-preferences file holding auth tokens from both backup paths -->
  <cloud-backup><exclude domain="sharedpref" path="auth.xml"/></cloud-backup>
  <device-transfer><exclude domain="sharedpref" path="auth.xml"/></device-transfer>
</data-extraction-rules>
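A static check for this finding, written here as an added example (not part of the knowledge base or any scanner it describes): it reads the manifest's android:allowBackup attribute (absent means true), looks for a declared rules file, and parses the rules' exclude entries to classify the app as vulnerable, scoped, or pass. The sample manifests and rules file are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _android_attr(elem, name: str) -> Optional[str]:
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def check_backup_exposure(manifest_xml: str, rules_xml: Optional[str] = None) -> dict:
    """Classify backup posture: 'vulnerable' (allowBackup effectively true, no rules),
    'scoped' (rules declared and at least one path excluded), or 'pass'
    (allowBackup="false")."""
    app = ET.fromstring(manifest_xml).find("application")
    allow = _android_attr(app, "allowBackup")
    allow_backup = allow is None or allow.strip().lower() == "true"  # absent => true
    has_rules = bool(_android_attr(app, "dataExtractionRules")
                     or _android_attr(app, "fullBackupContent"))
    excluded = set()
    if rules_xml:
        for ex in ET.fromstring(rules_xml).iter("exclude"):
            excluded.add((ex.get("domain"), ex.get("path")))
    if not allow_backup:
        verdict = "pass"
    elif has_rules and excluded:
        verdict = "scoped"
    else:
        verdict = "vulnerable"
    return {"allow_backup": allow_backup, "has_rules": has_rules,
            "excluded": excluded, "verdict": verdict}

# Constructed sample inputs (not taken from a real app).
VULN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true"/>
</manifest>"""

SCOPED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true"
               android:dataExtractionRules="@xml/data_extraction_rules"/>
</manifest>"""

SCOPED_RULES = """<data-extraction-rules>
  <cloud-backup><exclude domain="sharedpref" path="auth.xml"/></cloud-backup>
  <device-transfer><exclude domain="sharedpref" path="auth.xml"/></device-transfer>
</data-extraction-rules>"""
```

A "scoped" verdict still warrants manual review: an exclude rule only protects the paths it names, so any other file holding secrets remains in the backup.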
