Page MenuHomePhabricator
Differential D4663

Disable shared preferences data from being automatically backed up in google cloud
ClosedPublic
Actions

Authored by marcin on Jul 28 2022, 12:00 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, May 19, 10:59 AM
Unknown Object (File)
Wed, May 15, 5:02 AM
Unknown Object (File)
Sun, May 5, 10:13 PM
Unknown Object (File)
Fri, May 3, 3:45 PM
Unknown Object (File)
Thu, May 2, 8:25 PM
Unknown Object (File)
Apr 18 2024, 2:07 PM
Unknown Object (File)
Apr 18 2024, 2:07 PM
Unknown Object (File)
Apr 18 2024, 2:07 PM
View All 100 Files
Subscribers
abosh
adrian
ashoat

Details

Reviewers
tomek
atul
ashoat
Commits
rCOMM5de3374a439e: Disable shared preferences data from being automatically backed up in google…
Summary

From Android API 23 and so on data that application writes to shared preferences are backed up in google cloud if not deleted prior to application being uninstalled. We do not want this behaviour since we are about to deliver backup service for that purpose.

Test Plan

Temporarily add a line that logs encryption key in SQLiteQueryExecutor::initialize(). Ensure in Android log cat that encryption key changes with every application re-install.
Independently execute the following steps:

  1. Change allowBackup to true. Install the app.
  2. In Android studio check Device File Explorer for the file: data/data/app.comm.android/shared_prefs/SecureStore.xml. Save the content under "comm.encryptionKey" identifier. Kill the app
  3. Execute the following instructions: https://developer.android.com/guide/topics/data/testingbackup apart from "Test restore" section.
  4. Uninstall the app. Install it again.
  5. Repeat step 2. Ensure contents are exactly the same.
  6. Uninstall the app. Revert allowBackup to false. Install the app.
  7. Repeat step 2. Ensure contents differ.
  8. Try to complete step 3. Ensure that command adb shell bmgr backupnow app.comm.android now fails.

Steps and outputs above prove that allowBackup=true enables us to restore secrets after applications is uninstalled which is undesirable. It also proves that allowBackup=false disables this possibility. Therefore setting allowBackup=false is a necessary step that is a subject of this differential.

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

marcin created this revision.Jul 28 2022, 12:00 AM
Herald added subscribers: abosh, adrian, ashoat. · View Herald TranscriptJul 28 2022, 12:01 AM
Harbormaster completed remote builds in B10929: Diff 15038.Jul 28 2022, 12:13 AM
marcin requested review of this revision.Jul 28 2022, 12:13 AM
marcin updated this revision to Diff 15039.Jul 28 2022, 12:39 AM

Necessary local rebase

marcin added a child revision: D4664: Ensure new encryption key is generated every time iOS/Android application creates database for the first time.Jul 28 2022, 12:47 AM
Harbormaster completed remote builds in B10930: Diff 15039.Jul 28 2022, 12:52 AM
ashoat accepted this revision.Jul 28 2022, 6:37 AM
This revision is now accepted and ready to land.Jul 28 2022, 6:37 AM
tomek accepted this revision.Aug 4 2022, 3:16 AM
tomek added a comment.Aug 4 2022, 3:20 AM

We do not want this behaviour since we are about to deliver backup service for that purpose.

Is there a disadvantage of doing both? Using Google cloud backup might be the preferred way for some users. Or do we think that using that cloud doesn't provide enough security e.g. using E2E encryption won't work?

ashoat requested changes to this revision.Aug 4 2022, 9:59 PM

The context is in ENG-1451, but I'd also like some more clarification.

Some quick questions:

  1. Is it the case that deleting the app won't delete the backup in Google Cloud?
  2. Is it possible to recover the expo-secure-store secrets from the Google Cloud?
  3. Do the expo-secure-store secrets have any value if the app SQLite database has been deleted?
  4. Does the app SQLite database all get backed up in Google Cloud?

(Sorry for accepting and then requesting changes! Just want to get answers to the above questions first)

This revision now requires changes to proceed.Aug 4 2022, 9:59 PM
marcin requested review of this revision.Aug 10 2022, 6:26 AM
  1. Is it the case that deleting the app won't delete the backup in Google Cloud?

In this article: https://mobikul.com/application-restored-data-shared-preference-even-reinstall/ it is specified that:

Since Android API 23 ( or Android “6.0” or Android “Marshmellow”) the BackupManager stores all the data of an application including the Shared preference on the cloud. Thus when your application is reinstalled, the shared preference data is restored.

Therefore it is clear that backup in Google Cloud is not deleted upon app uninstallation. It it was, it wouldn't be possible to restore backed-up data when application is re-installed.

  1. Is it possible to recover the expo-secure-store secrets from the Google Cloud?

If android:allowBackup="true" expo-secure-store secrets will be restored from google cloud when application is reinstalled, so the answer to this question is yes. If android:allowBackup="false" it is not possible since those secrets will not stored on google cloud in the first place.

  1. Do the expo-secure-store secrets have any value if the app SQLite database has been deleted?

To be honest I do not understand this question. Data stored in secure store is not programatically connected to sqlite database. Deleting database from the device file system does not automatically alter expo-secure-store. It is our application responsibility to delete everything ot once. Further differentials in this stack implement database deletion along with clearing expo-secure-store. But perhaps you asked this question to know whether a potential hacker can get something meaningful from secure store even if the database is deleted. Currently no. Expo-secure-store contains only encryption key used to encrypt the database. If there is no database then this encryption key is rather useless. Further differentials in this stack make sure that new encryption key is recreated every time database was deleted. Therefore no encryption key will be re-used to encrypt newly created database. In other words - if a hacker somehow manages to steal encryption key, but the database was deleted they will not be able to use it if database was re-created.

  1. Does the app SQLite database all get backed up in Google Cloud?

If android:allowBackup="true" then yes. It is explicitly stated in this article: https://blog.novoda.com/android-backup-and-restore-returning-users-part-2/. There is a sentence:

First of all, while Auto Backup is smart enough to avoid backing up cache folders, you likely have something you don’t want to back up in your app’s data folder. Examples would be databases, downloaded assets, install or device-specific IDs, sensitive information about the user, and FCM tokens. For the latter there is a very helpful Lint warning to remind you to add exclusions, so at least that’s covered, but the rest is on you.

After this sentence article describes ways to exclude custom files from being backed-up. Therefore we can conclude that simply setting android:allowBackup="true" will backup the database as well.

ashoat accepted this revision.Aug 10 2022, 7:03 AM
  1. Is it possible to recover the expo-secure-store secrets from the Google Cloud?

If android:allowBackup="true" expo-secure-store secrets will be restored from google cloud when application is reinstalled, so the answer to this question is yes. If android:allowBackup="false" it is not possible since those secrets will not stored on google cloud in the first place.

Have you tested this? It would be great if you could amend the test plan to include backing up, deleting, and then restoring the app via Google Cloud, both before and after this diff. Please do this (and execute the updated test plan) before landing!

But perhaps you asked this question to know whether a potential hacker can get something meaningful from secure store even if the database is deleted. Currently no. Expo-secure-store contains only encryption key used to encrypt the database. If there is no database then this encryption key is rather useless. Further differentials in this stack make sure that new encryption key is recreated every time database was deleted. Therefore no encryption key will be re-used to encrypt newly created database. In other words - if a hacker somehow manages to steal encryption key, but the database was deleted they will not be able to use it if database was re-created.

Yes, that's what I was asking. Thanks for explaining!

This revision is now accepted and ready to land.Aug 10 2022, 7:03 AM
marcin edited the test plan for this revision. (Show Details)Aug 17 2022, 6:12 AM
marcin added a comment.Aug 17 2022, 6:14 AM

Prior to updating the test plan I executed all steps that it involves and received the same outputs.

marcin updated this revision to Diff 16303.Sep 5 2022, 4:54 AM

Rebase on master

Harbormaster completed remote builds in B11871: Diff 16303.Sep 5 2022, 5:04 AM
Closed by commit rCOMM5de3374a439e: Disable shared preferences data from being automatically backed up in google… (authored by marcin). · Explain WhySep 5 2022, 7:03 AM
This revision was automatically updated to reflect the committed changes.
marcin added a commit: rCOMM5de3374a439e: Disable shared preferences data from being automatically backed up in google….

Revision Contents
Changeset List

PathSize
native/
android/
app/
src/
main/
2 lines

Diff 16318

View Options

native/android/app/src/main/AndroidManifest.xml

Loading...