Auto Backup Allowed by Default

Overview of the Vulnerability

Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. When automatic backup is allowed by default, sensitive user data can be copied into device backups without the user's or the developer's knowledge.

An attacker with physical access to the device could abuse an application that allows auto backup by default to extract this sensitive data from a backup of the application. This lets the attacker bypass any in-app authentication and access sensitive data, which they could abuse to perform further attacks on the application, the business, or its users.

Business Impact

This vulnerability can lead to reputational damage as customers may view the application as insecure.

Steps to Reproduce

  1. Install the application on an Android mobile device

  2. On the mobile device, enable USB debugging

  3. Use the Android ADB tool to back up the data of the mobile device

  4. Inspect the backup and confirm that sensitive data from the application was included automatically

Proof of Concept (PoC)

The screenshot below shows the mobile security misconfiguration:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature.

For this finding, include a screenshot of either the application's data included within an Android backup file, or a screenshot of the application's manifest file showing the line android:allowBackup="true".

Attempt to abuse the information stored within the Android application backup in some impactful way. If this is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

It is recommended that the mobile application’s security is managed through a repeatable configuration process which covers application hardening, updates, and patches. There should also be a verification process through the development and delivery cycles which tests the effectiveness of the configurations and settings.
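One verification check that fits the process above is a manifest review run on every build. The Python script below is an added example, not part of the original template: it inspects a decoded AndroidManifest.xml and reports whether backups are effectively enabled, treating an absent android:allowBackup attribute as enabled because that is the platform default. The sample manifests and the package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def check_allow_backup(manifest_xml: str) -> dict:
    """Evaluate the backup posture declared in an AndroidManifest.xml.
    allowBackup defaults to true when absent, so an unset attribute is
    reported as effectively enabled."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    def attr(name: str):
        return app.get("{%s}%s" % (ANDROID_NS, name))

    raw = attr("allowBackup")
    effective = True if raw is None else raw.strip().lower() == "true"
    # Scoping rules limit what a backup may contain (fullBackupContent on
    # older targets, dataExtractionRules on Android 12 and later).
    scoped = attr("fullBackupContent") is not None or attr("dataExtractionRules") is not None
    if not effective:
        verdict = "pass"
    elif scoped:
        verdict = "review"   # backup on, but rules may exclude sensitive files
    else:
        verdict = "fail"     # all of the app's private storage is eligible
    return {"allowBackup": raw, "effective": effective, "scoped": scoped, "verdict": verdict}


# Constructed sample manifests (hypothetical package name, not a real app).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application android:label="Demo" android:allowBackup="true"/>
</manifest>"""

DEFAULT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application android:label="Demo"/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application android:label="Demo" android:allowBackup="false"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in [("weak", WEAK_MANIFEST), ("default", DEFAULT_MANIFEST), ("hardened", HARDENED_MANIFEST)]:
        print(name, check_allow_backup(xml))
```

Run it against the manifest decoded from the built APK (for example with apktool) rather than the source tree, so that attributes merged in from library manifests are taken into account.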

For further information, please refer to: https://owasp.org/www-project-mobile-top-10/
