
MASTG-DEMO-0035: Data Exclusion using backup_rules.xml with adb backup

Download MASTG-DEMO-0035 APK Open MASTG-DEMO-0035 Folder Build MASTG-DEMO-0035 APK

Sample

This demo uses the sample from Data Exclusion using backup_rules.xml with Backup Manager.

```kotlin
package org.owasp.mastestapp

import android.content.Context
import android.util.Log
import java.io.File
import java.io.FileOutputStream
import java.io.IOException

class MastgTest (private val context: Context){

    fun mastgTest(): String {

        // Both files are written to the app's private internal storage (filesDir),
        // which backup_rules.xml addresses as domain="file".
        val internalStorageDir = context.filesDir

        // Not matched by any exclude rule in backup_rules.xml.
        val fileName = File(internalStorageDir, "secret.txt")
        // Explicitly excluded in backup_rules.xml.
        val fileNameOfBackupExcludedFile = File(internalStorageDir, "backup_excluded_secret.txt")
        // The same sensitive content goes into both files.
        val fileContent = "secr3tPa\$\$W0rd\n"

        try {
            FileOutputStream(fileName).use { output ->
                output.write(fileContent.toByteArray())
                Log.d("WriteInternalStorage", "File written to internal storage successfully.")
            }
            FileOutputStream(fileNameOfBackupExcludedFile).use { output ->
                output.write(fileContent.toByteArray())
                Log.d("WriteInternalStorage", "File written to internal storage successfully.")
            }
        } catch (e: IOException) {
            Log.e("WriteInternalStorage", "Error writing file to internal storage", e)
            return "ERROR!!\n\nError writing file to internal storage"
        }

        return "SUCCESS!!\n\nFiles saved to $internalStorageDir"
    }
}
```
AndroidManifest.xml

```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    <!-- allowBackup is left at its default of true; the backup is shaped only by the
         rule files. fullBackupContent is consulted on Android 11 and lower,
         dataExtractionRules on Android 12 and higher. -->
    <application
        android:allowBackup="true"
        android:dataExtractionRules="@xml/data_extraction_rules"
        android:fullBackupContent="@xml/backup_rules"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/Theme.MASTestApp"
        tools:targetApi="31">
        <activity
            android:name=".MainActivity"
            android:exported="true"
            android:theme="@style/Theme.MASTestApp">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>
```
backup_rules.xml

```xml
<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <!-- domain="file" is the app's filesDir; path="." covers everything in it. -->
    <include domain="file" path="." requireFlags="clientSideEncryption" />
    <!-- A single file is carved out of that include. -->
    <exclude domain="file" path="backup_excluded_secret.txt" />
</full-backup-content>
```

Steps

  1. Install the target app on your device.
  2. Open the app and exercise it to trigger file creations.
  3. Execute run.sh and confirm the backup in the prompt that appears on the device; adb backup blocks until you do.

Note that adb backup is deprecated. Starting with Android 12, it excludes the data of apps that target API level 31 or higher unless the app is debuggable, so this demo needs a debuggable build of the app.
run.sh

```bash
#!/bin/bash

package_name="org.owasp.mastestapp"

# Pull an adb backup of the app and unpack it into ./apps/<package>/.
../../../../utils/mastg-android-backup-adb.sh "$package_name"

# Only the app's filesDir (apps/<package>/f) matters here: list it one name per line.
# (-1 instead of -l1: GNU ls ignores -1 after -l and would print a long listing.)
ls -1 "apps/$package_name/f" > output.txt

# Cleanup: drop the raw archives and everything in the backup except the f/ directory.
rm backup.ab backup.tar
find "apps/$package_name/" -mindepth 1 -maxdepth 1 ! -name 'f*' -exec rm -rf {} +
```
mastg-android-backup-adb.sh

```bash
#!/bin/bash

# Usage: mastg-android-backup-adb.sh <package_name>
if [ -z "$1" ]; then
    echo "No package name provided. Usage: $0 <package_name>"
    exit 1

else
    package_name="$1"
fi

# Writes backup.ab to the current directory. -apk also stores the APK,
# -nosystem leaves system apps out. The device asks the user to confirm.
adb backup -apk -nosystem "$package_name"

# An unencrypted backup.ab starts with a 24-byte text header (the magic
# "ANDROID BACKUP", a single-digit version, the compression flag and the
# encryption line "none"), followed by a zlib stream containing a tar archive.
# Skip the header and inflate the rest; this does not handle encrypted backups.
tail -c +25 backup.ab | python3 -c "import zlib,sys;sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))" > backup.tar
tar xvf backup.tar

echo "Done, extracted as apps/ to current directory"
```

For simplicity, run.sh lists only the files under the app's filesDir as laid out in the backup (apps/org.owasp.mastestapp/f).
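The helper script skips a fixed 24 bytes, which only holds for an unencrypted backup with a single-digit version and a set compression flag. The following Python script is an added example, not part of the MASTG demo or its utilities: it parses the .ab header fields instead of assuming their length, handles both the compressed and the uncompressed variant, refuses password-protected backups (whose header carries extra lines this parser does not read), and lists the files under a chosen directory of the backup, which is the same check run.sh performs with ls. The `build_sample_backup` helper and the file names it writes are constructed test data mirroring the demo's layout, not a real device backup.

```python
import io
import tarfile
import zlib


def parse_android_backup(data: bytes):
    """Split an .ab file written by `adb backup` into header fields and payload.

    The header is four newline-terminated ASCII lines: the magic "ANDROID BACKUP",
    the format version, the compression flag ("0" or "1") and the encryption
    algorithm ("none" or "AES-256"). Returns (version, compressed, payload), with
    the payload already inflated when the compression flag is set.
    """
    if not data.startswith(b"ANDROID BACKUP\n"):
        raise ValueError("not an Android backup file (bad magic)")
    fields, pos = [], 0
    for _ in range(4):
        end = data.index(b"\n", pos)
        fields.append(data[pos:end].decode("ascii"))
        pos = end + 1
    _magic, version, compressed, encryption = fields
    if encryption != "none":
        # Password-protected backups add salts, PBKDF2 round counts, an IV and a
        # wrapped master key to the header; that is out of scope here.
        raise ValueError(f"encrypted backup ({encryption}) is not supported here")
    payload = data[pos:]
    if compressed == "1":
        payload = zlib.decompress(payload)
    return int(version), compressed == "1", payload


def list_backup_files(data: bytes) -> list:
    """Paths of all regular files in the backup's tar stream, in archive order."""
    _, _, tar_bytes = parse_android_backup(data)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def files_under(data: bytes, directory: str) -> list:
    """Sorted names of the files below `directory` (e.g. the app's filesDir at
    apps/<package>/f), relative to that directory."""
    prefix = directory.rstrip("/") + "/"
    return sorted(n[len(prefix):] for n in list_backup_files(data) if n.startswith(prefix))


def build_sample_backup(files: dict, compress: bool = True) -> bytes:
    """Construct an in-memory .ab for testing; this is NOT a real device backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    body = buf.getvalue()
    if compress:
        body = zlib.compress(body)
    # Header as adb backup writes it; version "5" is an assumed typical value and
    # the parser does not depend on it.
    return b"ANDROID BACKUP\n5\n%d\nnone\n" % (1 if compress else 0) + body


if __name__ == "__main__":
    # Constructed sample mirroring the layout adb backup produces for the demo app.
    sample = build_sample_backup({
        "apps/org.owasp.mastestapp/_manifest": b"placeholder\n",
        "apps/org.owasp.mastestapp/f/profileInstalled": b"",
        "apps/org.owasp.mastestapp/f/secret.txt": b"secr3tPa$$W0rd\n",
    })
    for name in files_under(sample, "apps/org.owasp.mastestapp/f"):
        print(name)
```

Run against a real backup.ab by replacing the constructed sample with `open("backup.ab", "rb").read()`; a file name from the app's filesDir showing up in the listing is the same finding run.sh records in output.txt.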

Observation

The output contains:

  • output.txt: the list of files from the backup.
  • apps/org.owasp.mastestapp/f/: the directory containing a copy of the backup files.

output.txt

```
profileInstalled
secret.txt
```

Evaluation

The test fails because secret.txt is part of the backup and it contains sensitive data.

apps/org.owasp.mastestapp/f/secret.txt

```
secr3tPa$$W0rd
```

Note that the backup_excluded_secret.txt file is not part of the backup, as expected, since it is matched by the exclude rule in backup_rules.xml.