Disable shared preferences data from being automatically backed up in google cloud
ClosedPublic

Authored by marcin on Jul 28 2022, 12:00 AM.

Details

Summary

From Android API 23 onward, data that the application writes to shared preferences is backed up in Google Cloud if not deleted prior to the application being uninstalled. We do not want this behaviour since we are about to deliver a backup service for that purpose.

Test Plan

Temporarily add a line that logs the encryption key in SQLiteQueryExecutor::initialize(). Ensure in Android Logcat that the encryption key changes with every application re-install.
Independently execute the following steps:

  1. Change allowBackup to true. Install the app.
  2. In Android Studio check Device File Explorer for the file: data/data/app.comm.android/shared_prefs/SecureStore.xml. Save the content under the "comm.encryptionKey" identifier. Kill the app.
  3. Execute the following instructions: https://developer.android.com/guide/topics/data/testingbackup apart from "Test restore" section.
  4. Uninstall the app. Install it again.
  5. Repeat step 2. Ensure contents are exactly the same.
  6. Uninstall the app. Revert allowBackup to false. Install the app.
  7. Repeat step 2. Ensure contents differ.
  8. Try to complete step 3. Ensure that the command adb shell bmgr backupnow app.comm.android now fails.

The steps and outputs above prove that allowBackup=true enables us to restore secrets after the application is uninstalled, which is undesirable. They also prove that allowBackup=false disables this possibility. Therefore setting allowBackup=false is a necessary step that is the subject of this differential.
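A regression check for the setting this differential changes, as an added example (not code from the Comm repository): it parses an AndroidManifest.xml and passes only when android:allowBackup is explicitly false, because a missing attribute falls back to the platform default of true. The function name, the sample manifests and the label value are constructed for illustration; only the package name comes from the test plan.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# ElementTree exposes android:allowBackup under its expanded namespace name.
ALLOW_BACKUP = f"{{{ANDROID_NS}}}allowBackup"

# Constructed sample manifests (hypothetical; not the project's real manifest).
_TEMPLATE = (
    '<manifest xmlns:android="' + ANDROID_NS + '" package="app.comm.android">'
    "<application {attr}/></manifest>"
)
MANIFEST_BACKUP_ON = _TEMPLATE.format(attr='android:allowBackup="true"')
MANIFEST_DEFAULT = _TEMPLATE.format(attr='android:label="Comm"')
MANIFEST_BACKUP_OFF = _TEMPLATE.format(attr='android:allowBackup="false"')


def audit_allow_backup(manifest_xml: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only when backup is explicitly disabled."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False, "no <application> element found"
    value = app.get(ALLOW_BACKUP)
    if value is None:
        # Absent attribute: Android defaults to true, so Auto Backup applies.
        return False, "android:allowBackup missing (platform default is true)"
    if value.strip().lower() == "false":
        return True, "android:allowBackup is false"
    if value.startswith("@"):
        # A resource reference cannot be resolved from the manifest alone.
        return False, f"android:allowBackup is a resource reference ({value})"
    return False, f"android:allowBackup is {value!r}"


if __name__ == "__main__":
    samples = {
        "backup on": MANIFEST_BACKUP_ON,
        "attribute missing": MANIFEST_DEFAULT,
        "backup off": MANIFEST_BACKUP_OFF,
    }
    for name, xml_text in samples.items():
        ok, reason = audit_allow_backup(xml_text)
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({reason})")
```

Run against the source manifest in CI, this catches a later change that drops the attribute or flips it back to true before the test plan's manual adb steps would.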

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

This revision is now accepted and ready to land. Jul 28 2022, 6:37 AM

We do not want this behaviour since we are about to deliver a backup service for that purpose.

Is there a disadvantage of doing both? Using Google Cloud backup might be the preferred way for some users. Or do we think that using that cloud doesn't provide enough security, e.g. using E2E encryption won't work?

ashoat requested changes to this revision. Aug 4 2022, 9:59 PM

The context is in ENG-1451, but I'd also like some more clarification.

Some quick questions:

  1. Is it the case that deleting the app won't delete the backup in Google Cloud?
  2. Is it possible to recover the expo-secure-store secrets from the Google Cloud?
  3. Do the expo-secure-store secrets have any value if the app SQLite database has been deleted?
  4. Does the app SQLite database all get backed up in Google Cloud?

(Sorry for accepting and then requesting changes! Just want to get answers to the above questions first)

This revision now requires changes to proceed. Aug 4 2022, 9:59 PM

  1. Is it the case that deleting the app won't delete the backup in Google Cloud?

In this article: https://mobikul.com/application-restored-data-shared-preference-even-reinstall/ it is specified that:

Since Android API 23 ( or Android “6.0” or Android “Marshmellow”) the BackupManager stores all the data of an application including the Shared preference on the cloud. Thus when your application is reinstalled, the shared preference data is restored.

Therefore it is clear that the backup in Google Cloud is not deleted upon app uninstallation. If it was, it wouldn't be possible to restore backed-up data when the application is re-installed.

  2. Is it possible to recover the expo-secure-store secrets from the Google Cloud?

If android:allowBackup="true", expo-secure-store secrets will be restored from Google Cloud when the application is reinstalled, so the answer to this question is yes. If android:allowBackup="false", it is not possible since those secrets will not be stored on Google Cloud in the first place.

  3. Do the expo-secure-store secrets have any value if the app SQLite database has been deleted?

To be honest I do not understand this question. Data stored in the secure store is not programmatically connected to the SQLite database. Deleting the database from the device file system does not automatically alter expo-secure-store. It is our application's responsibility to delete everything at once. Further differentials in this stack implement database deletion along with clearing expo-secure-store. But perhaps you asked this question to know whether a potential hacker can get something meaningful from the secure store even if the database is deleted. Currently no. Expo-secure-store contains only the encryption key used to encrypt the database. If there is no database then this encryption key is rather useless. Further differentials in this stack make sure that a new encryption key is recreated every time the database was deleted. Therefore no encryption key will be re-used to encrypt a newly created database. In other words, if a hacker somehow manages to steal the encryption key, but the database was deleted, they will not be able to use it if the database was re-created.

  4. Does the app SQLite database all get backed up in Google Cloud?

If android:allowBackup="true" then yes. It is explicitly stated in this article: https://blog.novoda.com/android-backup-and-restore-returning-users-part-2/. There is a sentence:

First of all, while Auto Backup is smart enough to avoid backing up cache folders, you likely have something you don’t want to back up in your app’s data folder. Examples would be databases, downloaded assets, install or device-specific IDs, sensitive information about the user, and FCM tokens. For the latter there is a very helpful Lint warning to remind you to add exclusions, so at least that’s covered, but the rest is on you.

After this sentence the article describes ways to exclude custom files from being backed up. Therefore we can conclude that simply setting android:allowBackup="true" will back up the database as well.

  2. Is it possible to recover the expo-secure-store secrets from the Google Cloud?

If android:allowBackup="true", expo-secure-store secrets will be restored from Google Cloud when the application is reinstalled, so the answer to this question is yes. If android:allowBackup="false", it is not possible since those secrets will not be stored on Google Cloud in the first place.

Have you tested this? It would be great if you could amend the test plan to include backing up, deleting, and then restoring the app via Google Cloud, both before and after this diff. Please do this (and execute the updated test plan) before landing!

But perhaps you asked this question to know whether a potential hacker can get something meaningful from the secure store even if the database is deleted. Currently no. Expo-secure-store contains only the encryption key used to encrypt the database. If there is no database then this encryption key is rather useless. Further differentials in this stack make sure that a new encryption key is recreated every time the database was deleted. Therefore no encryption key will be re-used to encrypt a newly created database. In other words, if a hacker somehow manages to steal the encryption key, but the database was deleted, they will not be able to use it if the database was re-created.

Yes, that's what I was asking. Thanks for explaining!

This revision is now accepted and ready to land. Aug 10 2022, 7:03 AM

Prior to updating the test plan I executed all steps that it involves and received the same outputs.