Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit eadb8a3

Browse files
egregius313egregius313
authored
Merge pull request #10106 from egregius313/egregius313/android-backup-allowed
Java: Query to detect Android backup allowed
2 parents a8a7909 + 817f12c commit eadb8a3

31 files changed

Lines changed: 279 additions & 2 deletions

java/ql/lib/change-notes/2022-08-18-android-manifest-backup-predicate.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
---
2+
category: feature
3+
---
4+
* Added a new predicate, `allowsBackup`, in the `AndroidApplicationXmlElement` class. This predicate detects if the application element does not disable the `android:allowBackup` attribute.

java/ql/lib/semmle/code/xml/AndroidManifest.qll

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,56 @@ class AndroidApplicationXmlElement extends XmlElement {
7272
* Holds if this application element has explicitly set a value for its `android:permission` attribute.
7373
*/
7474
predicate requiresPermissions() { this.getAnAttribute().(AndroidPermissionXmlAttribute).isFull() }
75+
76+
/**
77+
* Holds if this application element does not disable the `android:allowBackup` attribute.
78+
*
79+
* https://developer.android.com/guide/topics/data/autobackup
80+
*/
81+
predicate allowsBackup() {
82+
not this.getFile().(AndroidManifestXmlFile).isInBuildDirectory() and
83+
(
84+
// explicitly sets android:allowBackup="true"
85+
this.allowsBackupExplicitly()
86+
or
87+
// Manifest providing the main intent for an application, and does not explicitly
88+
// disallow the allowBackup attribute
89+
this.providesMainIntent() and
90+
// Check that android:allowBackup="false" is not present
91+
not exists(AndroidXmlAttribute attr |
92+
this.getAnAttribute() = attr and
93+
attr.getName() = "allowBackup" and
94+
attr.getValue() = "false"
95+
)
96+
)
97+
}
98+
99+
/**
100+
* Holds if this application element sets the `android:allowBackup` attribute to `true`.
101+
*
102+
* https://developer.android.com/guide/topics/data/autobackup
103+
*/
104+
private predicate allowsBackupExplicitly() {
105+
exists(AndroidXmlAttribute attr |
106+
this.getAnAttribute() = attr and
107+
attr.getName() = "allowBackup" and
108+
attr.getValue() = "true"
109+
)
110+
}
111+
112+
/**
113+
* Holds if the application element contains a child element which provides the
114+
* `android.intent.action.MAIN` intent.
115+
*/
116+
private predicate providesMainIntent() {
117+
exists(AndroidActivityXmlElement activity |
118+
activity = this.getAChild() and
119+
exists(AndroidIntentFilterXmlElement intentFilter |
120+
intentFilter = activity.getAChild() and
121+
intentFilter.getAnActionElement().getActionName() = "android.intent.action.MAIN"
122+
)
123+
)
124+
}
75125
}
76126

77127
/**

java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p>In the Android manifest file, you can use the <code>android:allowBackup</code> attribute of the <code>application</code> element to define whether the
7+
application will have automatic backups or not.</p>
8+
9+
<p>If your application uses any sensitive data, you should disable automatic backups to prevent attackers from extracting it.</p>
10+
</overview>
11+
12+
<recommendation>
13+
<p>For Android applications which process sensitive data, set <code>android:allowBackup</code> to <code>false</code> in the manifest
14+
file.</p>
15+
16+
<p>Note: Since Android 6.0 (Marshmallow), automatic backups for applications are switched on by default.
17+
</p>
18+
</recommendation>
19+
20+
<example>
21+
22+
<p>In the following two (bad) examples, the <code>android:allowBackup</code> setting is enabled:</p>
23+
24+
<sample src="AllowBackupTrue.xml" />
25+
26+
<sample src="AllowBackupEmpty.xml"/>
27+
28+
<p>In the following (good) example, <code>android:allowBackup</code> is set to <code>false</code>:</p>
29+
30+
<sample src="AllowBackupFalse.xml"/>
31+
32+
</example>
33+
<references>
34+
<li>
35+
Android Documentation:
36+
<a href="https://developer.android.com/guide/topics/data/autobackup#EnablingAutoBackup">Back up user data with Auto Backup</a>
37+
</li>
38+
<li>
39+
OWASP Mobile Security Testing Guide:
40+
<a href="https://github.com/OWASP/owasp-mstg/blob/b7a93a2e5e0557cc9a12e55fc3f6675f6986bb86/Document/0x05d-Testing-Data-Storage.md#backups">
41+
Android Backups
42+
</a>
43+
</li>
44+
</references>
45+
</qhelp>

java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
/**
2+
* @name Application backup allowed
3+
* @description Allowing application backups may allow an attacker to extract sensitive data.
4+
* @kind problem
5+
* @problem.severity recommendation
6+
* @security-severity 7.5
7+
* @id java/android/backup-enabled
8+
* @tags security
9+
* external/cwe/cwe-312
10+
* @precision very-high
11+
*/
12+
13+
import java
14+
import semmle.code.xml.AndroidManifest
15+
16+
from AndroidApplicationXmlElement androidAppElem
17+
where androidAppElem.allowsBackup()
18+
select androidAppElem, "Backups are allowed in this Android application."

java/ql/src/Security/CWE/CWE-312/AllowBackupEmpty.xml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
<manifest ... >
2+
<!-- BAD: no 'android:allowBackup' set, defaults to 'true' -->
3+
<application>
4+
<activity ... >
5+
</activity>
6+
</application>
7+
</manifest>

java/ql/src/Security/CWE/CWE-312/AllowBackupFalse.xml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
<manifest ... >
2+
<!-- GOOD: 'android:allowBackup' set to 'false' -->
3+
<application
4+
android:allowBackup="false">
5+
<activity ... >
6+
</activity>
7+
</application>
8+
</manifest>

java/ql/src/Security/CWE/CWE-312/AllowBackupTrue.xml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
<manifest ... >
2+
<!-- BAD: 'android:allowBackup' set to 'true' -->
3+
<application
4+
android:allowBackup="true">
5+
<activity ... >
6+
</activity>
7+
</application>
8+
</manifest>

java/ql/src/change-notes/2022-08-18-android-allowbackup-query.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
---
2+
category: newQuery
3+
---
4+
* Added a new query, `java/android/backup-enabled`, to detect if Android applications allow backups.

java/ql/test/query-tests/security/CWE-312/AndroidManifest.xml renamed to java/ql/test/query-tests/security/CWE-312/android/CleartextStorage/AndroidManifest.xml

File renamed without changes.

java/ql/test/query-tests/security/CWE-312/CleartextStorageAndroidDatabaseTest.expected renamed to java/ql/test/query-tests/security/CWE-312/android/CleartextStorage/CleartextStorageAndroidDatabaseTest.expected

File renamed without changes.

0 commit comments

Comments
 (0)