The Manifest file of the application does not explicitly prohibit backup (android:allowBackup="false"). The application also redefines the BackupAgent class. User data, including passwords and authentication tokens, can be compromised.

Android applications store data in the external or internal memory. All applications have access to external memory, so confidential information (e.g., passwords) is usually stored in the internal memory. Android OS provides a mechanism for protecting the internal memory from unauthorized access. However, this mechanism can be bypassed by the backup.

The ability of the application to make backups of its data is set in the allowBackup parameter in the Manifest file. This parameter is set to true by default. If the application author wants to implement his/her own backup logic (e.g., to additionally protect data), he/she overrides the BackupAgent class. In this case, BackupAgent is overridden, but its implementation may contain vulnerabilities.

An attacker can use the ADB (Android Debug Bridge) utility to bypass authentication mechanisms and launch device backup in debug mode. In debug mode, the internal memory data is available for reading and writing. A significant part of popular applications store sensitive data (passwords) in the internal memory without encryption, relying on the protection mechanisms provided by the operating system. An attacker can unpack the backup file and extract confidential data.

The attack can be carried out directly (requires a short-term physical access to the device) or remotely (via malware on the computer to which the device is connected). Root rights are not required.

According to the Palo Alto Networks research, about 85% of Android devices (as of July 2014) and about 95% of popular applications, including those installed on new devices by default (browser, email client), are susceptible to this vulnerability.

Config files : Open redirect

DerScanner Severity Score

Do you want to fix Config files : Open redirect in your application?

See also