MASTG-BEST-0004: Exclude Sensitive Data from Backups

For the sensitive files found, instruct the system to exclude them from the backup:

  • If you are using Auto Backup, mark them with the exclude tag in backup_rules.xml (for Android 11 or lower, referenced via android:fullBackupContent) or in data_extraction_rules.xml (for Android 12 and higher, referenced via android:dataExtractionRules), depending on the target API. Make sure to use both the cloud-backup and device-transfer elements.
  • If you are using the key-value approach, set up your BackupAgent accordingly.

Refer to "Security recommendations for backups - Mitigations" for more information.
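
As an added example (not part of the MASTG text or its tooling), the following check parses a data_extraction_rules.xml and reports which sensitive files each of the two modes would still back up. The rules content and file names are constructed for illustration, and a missing section is assumed to exclude nothing for that mode.

```python
import xml.etree.ElementTree as ET

# Constructed sample of res/xml/data_extraction_rules.xml; file names are hypothetical.
RULES = """<data-extraction-rules>
  <cloud-backup>
    <exclude domain="sharedpref" path="auth_tokens.xml"/>
    <exclude domain="database" path="vault.db"/>
    <exclude domain="file" path="keys/"/>
  </cloud-backup>
  <device-transfer>
    <exclude domain="sharedpref" path="auth_tokens.xml"/>
  </device-transfer>
</data-extraction-rules>"""

# Sensitive files identified for this hypothetical app, as (domain, path).
SENSITIVE = [("sharedpref", "auth_tokens.xml"),
             ("database", "vault.db"),
             ("file", "keys/signing.pem")]

def _covers(rule, domain, path):
    """True if an <include>/<exclude> rule names the file or one of its parent directories."""
    if rule.get("domain") != domain:
        return False
    rule_path = (rule.get("path") or ".").strip("/")
    return rule_path in (".", path) or path.startswith(rule_path + "/")

def still_backed_up(rules_xml, sensitive=SENSITIVE):
    """Map each mode to the sensitive files its rules do not keep out of the backup."""
    root = ET.fromstring(rules_xml)
    report = {}
    for mode in ("cloud-backup", "device-transfer"):
        section = root.find(mode)
        # Assumption: a missing section excludes nothing for that mode.
        includes = section.findall("include") if section is not None else []
        excludes = section.findall("exclude") if section is not None else []
        leaked = []
        for domain, path in sensitive:
            # With any <include> present, only included paths are backed up.
            included = not includes or any(_covers(r, domain, path) for r in includes)
            excluded = any(_covers(r, domain, path) for r in excludes)
            if included and not excluded:
                leaked.append((domain, path))
        report[mode] = leaked
    return report

if __name__ == "__main__":
    for mode, leaked in still_backed_up(RULES).items():
        print(mode, "OK" if not leaked else f"still backs up: {leaked}")
```

In the sample, the cloud-backup section is complete, while device-transfer still carries the database and the key file, which is the gap the recommendation to use both elements addresses.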

Tests

  • MASTG-TEST-0216: Sensitive Data Not Excluded From Backup
  • MASTG-TEST-0262: References to Backup Configurations Not Excluding Sensitive Data