Backup Enabled

Description

Android sets android:allowBackup to true by default, so an app's private data (shared preferences, SQLite databases, files in the app sandbox) is copied into adb backups and into cloud (Google Drive) backups unless the app opts out or scopes the contents with backup rules. Once in a backup the data is outside the device's sandbox and file-based encryption: an adb backup archive can be unpacked on a workstation, and a cloud backup can be restored onto a device the attacker controls. The same exposure exists on iOS for files that are not excluded from backups (NSURLIsExcludedFromBackupKey) and for Keychain items without a ThisDeviceOnly accessibility class. Session tokens, API keys and cached credentials in these stores are the usual finding.

Examples

Detect Backup Settings (Android)

apkanalyzer manifest print app-release.apk | rg -n "allowBackup|fullBackupContent|dataExtractionRules|debuggable"

No allowBackup attribute in the output means the default (true) applies. If fullBackupContent (API < 31) or dataExtractionRules (API 31+) is set, decode the APK and read the referenced rules file to see which domains are actually excluded:

apktool d -o out app-release.apk
cat out/res/xml/<name referenced in the manifest>.xml

Extract Android Backup

adb backup -f app.ab -noapk com.example.app     # confirm the prompt on the device; leave the password empty
java -jar abe.jar unpack app.ab app.tar          # Android Backup Extractor; pass the password as a fourth argument if one was set
tar -tf app.tar | rg "^apps/[^/]+/(sp|db)/"      # inside the tar, shared_prefs is stored as sp/ and databases as db/

On Android 12+ (API 31+) adb backup no longer includes app data for apps that target API 31 or higher unless they are built with android:debuggable="true", so a release build yields no apps/<package>/sp or db entries there. Cloud backups are not affected by that restriction, so the manifest settings still decide whether the data leaves the device.
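The archive layout that abe.jar unpacks, as an added Python example (not code from the original page or from the Android Backup Extractor project): it parses the four-line .ab header, inflates an unencrypted payload and lists the tar entries under the sp/ (shared_prefs) and db/ (databases) domains. The sample archive is constructed in memory; com.example.app and its file names are placeholders. Password-protected archives (header encryption field AES-256) are refused and left to abe.jar.

```python
"""Parse an unencrypted Android backup (.ab) and list app-private entries.

Format as written by adb backup: a four-line ASCII header
    ANDROID BACKUP\n   magic
    <version>\n        1..5 depending on Android release
    <0|1>\n            1 = payload is a zlib stream
    <none|AES-256>\n   payload encryption
followed by the payload, a tar archive in which app data lives under
apps/<package>/<domain>/..., where domain "sp" is shared_prefs, "db" is
databases and "f" is the app's files directory.
"""
import io
import sys
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"
# Tar domains that almost always hold secrets: shared_prefs and databases.
SENSITIVE_DOMAINS = {"sp", "db"}


def parse_header(data: bytes):
    """Split the header from the payload; returns (version, compressed, encryption, payload)."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    rest = data[len(MAGIC):]
    fields = []
    for _ in range(3):
        line, sep, rest = rest.partition(b"\n")
        if not sep:
            raise ValueError("truncated .ab header")
        fields.append(line.decode("ascii"))
    return int(fields[0]), fields[1] == "1", fields[2], rest


def extract_tar(data: bytes) -> bytes:
    """Return the raw tar bytes of an unencrypted .ab file."""
    _, compressed, encryption, payload = parse_header(data)
    if encryption != "none":
        # A backup password was set: the payload is AES-256 and needs the
        # key derivation that abe.jar implements, which this example skips.
        raise ValueError(f"encrypted backup ({encryption}); unpack with abe.jar first")
    return zlib.decompress(payload) if compressed else payload


def sensitive_entries(data: bytes):
    """List regular files under apps/<package>/sp/ or apps/<package>/db/."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(extract_tar(data))) as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")  # apps/<package>/<domain>/<relative path>
            if (len(parts) >= 4 and parts[0] == "apps"
                    and parts[2] in SENSITIVE_DOMAINS and member.isfile()):
                found.append(member.name)
    return found


def build_sample_backup(package: str = "com.example.app") -> bytes:
    """Construct a small unencrypted .ab for demonstration (made up here, not a real dump)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, content: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

        add(f"apps/{package}/_manifest", b"1\n" + package.encode() + b"\n")
        add(f"apps/{package}/sp/session.xml",
            b'<map><string name="auth_token">constructed-token-value</string></map>')
        add(f"apps/{package}/db/app.db", b"SQLite format 3\x00")
        add(f"apps/{package}/f/cache.txt", b"not sensitive")
    # version 1, compressed, unencrypted, as adb backup writes it without a password
    return MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_backup()
    for name in sensitive_entries(blob):
        print(name)
```

Run it with a real app.ab as the first argument, or with no arguments to see the two entries from the constructed sample. The header check is the same reason the common shell trick works: the 24-byte header of a version-1 unencrypted archive is skipped and a gzip header is prepended before the zlib stream, which gunzip accepts.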

Remediation

  1. Disable or scope backups
    • Set android:allowBackup="false" if the app has no need to be restored. Otherwise keep backups on but exclude the sharedpref and database domains in the rules XML referenced by android:fullBackupContent (API < 31) and android:dataExtractionRules (API 31+, which has separate cloud-backup and device-transfer sections; an omitted section falls back to the default of backing up everything).
  2. Encrypt sensitive data
    • Keep tokens and keys in the Android Keystore or the iOS Keychain (with a ThisDeviceOnly accessibility class, which keeps the item out of backups). Keystore keys cannot be exported, so data encrypted with one is unreadable if its ciphertext lands in a backup. Avoid writing secrets to SharedPreferences or SQLite at all.
  3. Detect and rotate
    • Treat a restore onto another device as a new install: when a Keystore-wrapped key no longer decrypts the stored data, or BackupAgent.onRestoreFinished() fires, invalidate the server-side session, rotate tokens and keys, and re-establish trust before using any restored state.
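A checker for the manifest side of the remediation, as an added Python example (not tooling from the original page): it evaluates android:allowBackup, android:fullBackupContent and android:dataExtractionRules the way the three steps above describe and reports which sensitive domains still reach a backup on pre-API-31 and API-31+ devices. The manifests and rules files are constructed inline, with a weak default, a partial fix and a hardened version side by side; resource lookup is simulated with a dict (assumption: you have the decoded res/xml files, e.g. from apktool), and an exclude with path="." is treated as excluding the whole domain, which is how the rules are modelled here.

```python
"""Audit Android backup settings for the Backup Enabled finding."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
SENSITIVE = ("sharedpref", "database")  # rules-file domain names for shared_prefs/ and databases/


def _rules(resources: dict, ref):
    """Resolve an "@xml/name" reference to a parsed element, or None if the attribute is unset."""
    if not ref:
        return None
    key = ref.lstrip("@")
    if key not in resources:
        raise ValueError(f"manifest references {ref} but it was not supplied")
    return ET.fromstring(resources[key])


def _exposed(root) -> set:
    """Sensitive domains still copied out under one rule set (<full-backup-content>,
    <cloud-backup> or <device-transfer>). No rule set means the include-everything default."""
    if root is None:
        return set(SENSITIVE)
    includes = {e.get("domain") for e in root.findall("include")}
    # path="." removes the whole domain; a narrower path leaves the rest of it exposed
    full_excludes = {e.get("domain") for e in root.findall("exclude") if e.get("path") == "."}
    candidates = includes if includes else set(SENSITIVE)  # explicit includes restrict the set
    return {d for d in SENSITIVE if d in candidates and d not in full_excludes}


def backup_exposure(manifest_xml: str, resources: dict) -> dict:
    """Report exposed domains for devices below API 31 ("legacy") and API 31+ ("api31")."""
    app = ET.fromstring(manifest_xml).find("application")
    if app.get(A + "allowBackup", "true") == "false":  # the attribute defaults to true
        return {"allow_backup": False, "legacy": set(), "api31": set()}
    legacy = _exposed(_rules(resources, app.get(A + "fullBackupContent")))
    der = _rules(resources, app.get(A + "dataExtractionRules"))
    if der is None:
        api31 = legacy  # Android 12+ falls back to fullBackupContent when dataExtractionRules is unset
    else:
        api31 = set()
        for section in ("cloud-backup", "device-transfer"):
            api31 |= _exposed(der.find(section))  # a missing section means its default applies
    return {"allow_backup": True, "legacy": legacy, "api31": api31}


# Constructed inputs for the three cases; com.example.app is a placeholder.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

WEAK_MANIFEST = f"""<manifest {NS} package="com.example.app">
  <application android:label="Example"/>
</manifest>"""

DISABLED_MANIFEST = f"""<manifest {NS} package="com.example.app">
  <application android:label="Example" android:allowBackup="false"/>
</manifest>"""

HARDENED_MANIFEST = f"""<manifest {NS} package="com.example.app">
  <application android:label="Example"
      android:fullBackupContent="@xml/backup_rules"
      android:dataExtractionRules="@xml/data_extraction_rules"/>
</manifest>"""

EXCLUDE_BOTH = '<exclude domain="sharedpref" path="."/><exclude domain="database" path="."/>'

HARDENED_RESOURCES = {
    "xml/backup_rules": f"<full-backup-content>{EXCLUDE_BOTH}</full-backup-content>",
    "xml/data_extraction_rules": (
        "<data-extraction-rules>"
        f"<cloud-backup>{EXCLUDE_BOTH}</cloud-backup>"
        f"<device-transfer>{EXCLUDE_BOTH}</device-transfer>"
        "</data-extraction-rules>"
    ),
}

# Common partial fix: one file excluded, and no device-transfer section at all.
PARTIAL_RESOURCES = {
    "xml/backup_rules": '<full-backup-content><exclude domain="sharedpref" path="session.xml"/></full-backup-content>',
    "xml/data_extraction_rules": f"<data-extraction-rules><cloud-backup>{EXCLUDE_BOTH}</cloud-backup></data-extraction-rules>",
}

if __name__ == "__main__":
    print("weak:     ", backup_exposure(WEAK_MANIFEST, {}))
    print("partial:  ", backup_exposure(HARDENED_MANIFEST, PARTIAL_RESOURCES))
    print("hardened: ", backup_exposure(HARDENED_MANIFEST, HARDENED_RESOURCES))
    print("disabled: ", backup_exposure(DISABLED_MANIFEST, {}))
```

The partial case is the one to watch for in review: excluding a single preferences file leaves the database domain and every other preferences file in the backup, and omitting the device-transfer section of dataExtractionRules means the data still moves during device-to-device transfer even though cloud backup is clean.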