allowBackup documentation updates

egregius313 · atorralba · web-flow · commit 08a17b355eea · 2022-09-09T09:30:49.000-04:00
Make error messages and descriptions clearer about application backups not being disabled, rather than focusing on `android:allowBackup` specifically.

Co-authored-by: Tony Torralba &lt;atorralba@users.noreply.github.com&gt;
diff --git a/java/ql/lib/change-notes/2022-08-18-android-manifest-backup-predicate.md b/java/ql/lib/change-notes/2022-08-18-android-manifest-backup-predicate.md
@@ -1,4 +1,4 @@
 ---
 category: feature
 ---
-* Added a new predicate, `allowsBackup`, in the `AndroidApplicationXmlElement` class. This predicate detects if the application element has its `android:allowBackup` attribute enabled.
+* Added a new predicate, `allowsBackup`, in the `AndroidApplicationXmlElement` class. This predicate detects if the application element does not disable the `android:allowBackup` attribute.
diff --git a/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql b/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
@@ -1,6 +1,6 @@
 /**
- * @name Android allowBackup attribute enabled
- * @description Enabling the `android:allowBackup` attribute may allow an attacker to extract sensitive data.
+ * @name Application backup allowed
+ * @description Allowing application backups may allow an attacker to extract sensitive data.
  * @kind problem
  * @problem.severity recommendation
  * @security-severity 7.5
@@ -15,4 +15,4 @@ import semmle.code.xml.AndroidManifest
 
 from AndroidApplicationXmlElement androidAppElem
 where androidAppElem.allowsBackup()
-select androidAppElem, "The 'android:allowBackup' attribute is enabled."
+select androidAppElem, "Backups are allowed in this Android application."
