Config files: Backup allowed
Classification
Overview
The application's manifest file does not explicitly prohibit backups (android:allowBackup="false"), and the application does not override the BackupAgent class. User data, including passwords and authentication tokens, can be compromised.
Android applications store data in external or internal storage. All applications have access to external storage, so confidential information (e.g., passwords) is usually kept in internal storage. Android OS provides a mechanism that protects internal storage from unauthorized access by other applications. However, this mechanism can be bypassed via a backup.
Whether an application may have its data backed up is controlled by the allowBackup parameter in the manifest file, which is true by default. If the application author wants to implement their own backup logic (e.g., to additionally protect the data), they override the BackupAgent class. In this case, allowBackup is not set to false and BackupAgent is not overridden.
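The following is an added example (not code from the original page): a small check that parses an AndroidManifest.xml and reports the condition described above, i.e. allowBackup absent or "true" with no custom backupAgent declared. The manifests are constructed samples with a hypothetical package name; the corrected form sets android:allowBackup="false".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical package name, not a real app).
# It reproduces the finding: allowBackup is absent (so it defaults to true)
# and no backupAgent is declared, so an ADB backup includes the app's data.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
    <application android:label="Demo">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# The corrected form: backups explicitly disabled on <application>.
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(
    '<application android:label="Demo">',
    '<application android:label="Demo" android:allowBackup="false">',
)


def check_backup_config(manifest_xml: str) -> dict:
    """Inspect <application> for the backup attributes and report a finding.

    'finding' is True when backups are allowed (attribute absent or "true")
    and no custom BackupAgent is declared via android:backupAgent.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    allow = app.get(f"{{{ANDROID_NS}}}allowBackup")
    agent = app.get(f"{{{ANDROID_NS}}}backupAgent")
    # Android treats a missing allowBackup attribute as "true".
    backup_allowed = allow is None or allow.strip().lower() == "true"
    return {
        "allowBackup": allow,
        "backupAgent": agent,
        "backup_allowed": backup_allowed,
        "finding": backup_allowed and agent is None,
    }


if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(name, check_backup_config(xml))
```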
An attacker can use the ADB (Android Debug Bridge) utility to bypass the application's authentication mechanisms by starting a device backup in debug mode. In debug mode, the internal storage data is available for reading and writing. Many popular applications store sensitive data (passwords) in internal storage without encryption, relying on the protection mechanisms provided by the operating system. An attacker can unpack the backup file and extract the confidential data.
The attack can be carried out directly (requires short-term physical access to the device) or remotely (via malware on the computer to which the device is connected). Root rights are not required.
According to Palo Alto Networks research, about 85% of Android devices (as of July 2014) and about 95% of popular applications, including those installed on new devices by default (browser, email client), are susceptible to this vulnerability.
