Credentials In Device Backups
Description
If backups include app storage by default, sensitive data such as tokens, passwords, or private files may be copied to backup archives. Attackers who access those backups can extract secrets without direct device compromise.
Examples
Android Backup Extraction
If android:allowBackup="true" (the default when an app does not declare the attribute, so common in practice):
adb backup -f app.ab -noapk com.example.app
# Convert with Android Backup Extractor (ABE)
java -jar abe.jar unpack app.ab app.tar
# In the backup tar, shared_prefs/ is stored under sp/ and databases/ under db/
# (quote the regex, otherwise the shell treats | as a second pipe)
tar -tf app.tar | rg '/sp/|/db/'
tar -xOf app.tar apps/com.example.app/sp/auth.xml
Tokens or PII in shared preferences/databases confirm exposure.
iOS iTunes Backup
Create an unencrypted backup and inspect app container files using common forensic tools.
Remediation
- Disable or scope backups
  - Set android:allowBackup="false" or exclude sensitive paths via android:fullBackupContent.
- Encrypt and minimize
  - Store tokens in Keystore/Keychain and encrypt local caches; avoid long-term storage of secrets.
- Educate users/admins
  - Encourage encrypted backups only; detect restores and rotate tokens on first launch post-restore.
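As an added example (not from the original page or any particular project), the manifest attribute in its weak and hardened forms, plus backup-rule files that keep an auth preferences file and a session database out of backups. The file names auth.xml and session.db and the resource names backup_rules and data_extraction_rules are assumptions. android:fullBackupContent is honoured on Android 11 and below; from Android 12 (API 31) the platform reads android:dataExtractionRules instead, so declaring both covers both ranges.

```xml
<!-- AndroidManifest.xml -->

<!-- Weak: implicit or explicit allowBackup="true" with no rules copies the whole
     private data directory (shared_prefs, databases, files) into adb and cloud backups -->
<application android:allowBackup="true" />

<!-- Hardened, option A: no backups of app data at all -->
<application android:allowBackup="false" />

<!-- Hardened, option B: keep backups for user convenience, but exclude the secrets -->
<application
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup_rules"
    android:dataExtractionRules="@xml/data_extraction_rules" />

<!-- res/xml/backup_rules.xml (Android 11 and below). Domains: sharedpref, database, file, root -->
<full-backup-content>
    <!-- assumed file names: the prefs file holding tokens and the session database -->
    <exclude domain="sharedpref" path="auth.xml" />
    <exclude domain="database" path="session.db" />
</full-backup-content>

<!-- res/xml/data_extraction_rules.xml (Android 12+). Cloud backup and device-to-device
     transfer are configured separately; disableIfNoEncryptionCapabilities refuses cloud
     backup entirely when the transport cannot encrypt, matching the "encrypted backups only" advice -->
<data-extraction-rules>
    <cloud-backup disableIfNoEncryptionCapabilities="true">
        <exclude domain="sharedpref" path="auth.xml" />
        <exclude domain="database" path="session.db" />
    </cloud-backup>
    <device-transfer>
        <exclude domain="sharedpref" path="auth.xml" />
        <exclude domain="database" path="session.db" />
    </device-transfer>
</data-extraction-rules>
```

Verify the result with the extraction steps above: after the change, the tar listing should no longer contain apps/com.example.app/sp/auth.xml or apps/com.example.app/db/session.db. Exclusion rules only help for files you remembered to list; option A or moving secrets to Keystore-protected storage is the safer default.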
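The "detect restores and rotate tokens on first launch" advice can be implemented without a custom BackupAgent. The following Kotlin class is an added example, not code from the original page or any project: it keeps a random installation id in two places, one that is backed up (SharedPreferences) and one the platform never backs up (Context.getNoBackupFilesDir()). After a restore onto another device the backed-up copy arrives but the no-backup copy does not, so the two disagree. The class name RestoreGuard, the preference name "install" and the callback parameter are assumptions.

```kotlin
import android.content.Context
import java.io.File
import java.util.UUID

// Added example: detects that the app is running on data restored from a backup
// so that any restored session tokens can be discarded before they are reused.
class RestoreGuard(private val context: Context) {
    // Backed-up copy of the install id. This prefs file must NOT be excluded by
    // backup rules, otherwise there is nothing to compare after a restore.
    private val prefs = context.getSharedPreferences("install", Context.MODE_PRIVATE)

    // On-device copy. Files under getNoBackupFilesDir() are excluded from backup
    // by the platform, so a restore never brings this file along.
    private val marker = File(context.noBackupFilesDir, "install_id")

    private fun backedUpId(): String? = prefs.getString(KEY, null)
    private fun localId(): String? = marker.takeIf { it.exists() }?.readText()

    /** True when a backed-up id exists but the on-device marker is missing or different. */
    fun restoreDetected(): Boolean {
        val backedUp = backedUpId() ?: return false // fresh install: nothing restored
        return localId() != backedUp
    }

    /**
     * Call once at process start, before any stored token is used.
     * onRestoreDetected should clear cached tokens and force re-authentication.
     */
    fun checkOnLaunch(onRestoreDetected: () -> Unit) {
        if (restoreDetected()) {
            onRestoreDetected()
        }
        // First launch, or post-restore: mint a new id and write it to both locations
        // so the next launch on this device is recognised as normal.
        if (backedUpId() == null || localId() != backedUpId()) {
            val id = UUID.randomUUID().toString()
            prefs.edit().putString(KEY, id).apply()
            marker.writeText(id)
        }
    }

    private companion object {
        const val KEY = "install_id"
    }
}
```

Wire it in from Application.onCreate(), e.g. RestoreGuard(this).checkOnLaunch { sessionStore.clear() }. Two design notes: keys in the Android Keystore are device-bound and are not included in backups, so tokens encrypted with a Keystore key become unreadable after a restore anyway, and this check turns that silent failure into an explicit re-login; and if the app already ships a BackupAgent, the platform's BackupAgent.onRestoreFinished() callback is the more direct place to do the same token invalidation.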