
MASTG-DEMO-0035: Data Exclusion using backup_rules.xml with adb backup

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Sample

This demo uses the sample from Data Exclusion using backup_rules.xml with Backup Manager.

MastgTest.kt
package org.owasp.mastestapp

import android.content.Context
import android.util.Log
import java.io.File
import java.io.FileOutputStream
import java.io.IOException

class MastgTest (private val context: Context){

    fun mastgTest(): String {

        // App-private internal storage (the "file" domain in backup_rules.xml)
        val internalStorageDir = context.filesDir

        // One file left to the default backup rules, one explicitly excluded in backup_rules.xml
        val fileName = File(internalStorageDir, "secret.txt")
        val fileNameOfBackupExcludedFile = File(internalStorageDir, "backup_excluded_secret.txt")
        val fileContent = "secr3tPa\$\$W0rd\n"

        try {
            FileOutputStream(fileName).use { output ->
                output.write(fileContent.toByteArray())
                Log.d("WriteInternalStorage", "File written to internal storage successfully.")
            }
            FileOutputStream(fileNameOfBackupExcludedFile).use { output ->
                output.write(fileContent.toByteArray())
                Log.d("WriteInternalStorage", "File written to internal storage successfully.")
            }
        } catch (e: IOException) {
            Log.e("WriteInternalStorage", "Error writing file to internal storage", e)
            return "ERROR!!\n\nError writing file to internal storage"
        }

        return "SUCCESS!!\n\nFiles saved to $internalStorageDir"
    }
}
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    <application
        android:allowBackup="true"
        android:dataExtractionRules="@xml/data_extraction_rules"
        android:fullBackupContent="@xml/backup_rules"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/Theme.MASTestApp"
        tools:targetApi="31">
        <activity
            android:name=".MainActivity"
            android:exported="true"
            android:theme="@style/Theme.MASTestApp">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>
backup_rules.xml
<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <include domain="file" path="." requireFlags="clientSideEncryption" />
    <exclude domain="file" path="backup_excluded_secret.txt" />
</full-backup-content>

Steps

  1. Install the target app on your device.
  2. Open the app and exercise it to trigger file creations.
  3. Execute run.sh.
run.sh
#!/bin/bash

package_name="org.owasp.mastestapp"

# Take an adb backup of the app and extract it as apps/ into the current directory
../../../../utils/mastg-android-backup-adb.sh "$package_name"

# List only the app's filesDir contents (apps/<package>/f) from the extracted backup
ls -l1 "apps/$package_name/f" > output.txt

# Cleanup
rm backup.ab backup.tar
find "apps/$package_name/" -mindepth 1 -maxdepth 1 ! -name 'f*' -exec rm -rf {} +
mastg-android-backup-adb.sh
#!/bin/bash

# The package name is required as the first argument
if [ -z "$1" ]; then
    echo "No package name provided. Usage: $0 <package_name>"
    exit 1

else
    package_name="$1"
fi

# Back up only this app (no system data); the device must confirm the backup
adb backup -apk -nosystem "$package_name"
# Skip the 24-byte text header of backup.ab ("ANDROID BACKUP", version, compression flag, "none")
# and zlib-decompress the remainder into a plain tar archive
tail -c +25 backup.ab | python3 -c "import zlib,sys;sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))" > backup.tar
tar xvf backup.tar

echo "Done, extracted as apps/ to current directory"

For simplicity, run.sh restricts the listing to the app's filesDir directory within the backup structure (apps/org.owasp.mastestapp/f).

Observation

The output contains:

  • output.txt: the list of files from the backup.
  • apps/org.owasp.mastestapp/f/: the directory containing a copy of the backup files.
output.txt
profileInstalled
secret.txt

Evaluation

The test fails because secret.txt is part of the backup and it contains sensitive data.

apps/org.owasp.mastestapp/f/secret.txt
secr3tPa$$W0rd

Note that the backup_excluded_secret.txt file is not part of the backup, which is expected since it is listed in an exclude rule in backup_rules.xml.
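The helper script above skips the backup header blindly with `tail -c +25`, and the evaluation compares the extracted file list against backup_rules.xml by hand. The following Python script is an added example (not part of the MASTG demo or its utils) that does both steps programmatically: it parses the text header of an `adb backup` archive instead of assuming it is 24 bytes, decompresses and reads the tar payload, lists the entries under the app's filesDir (apps/<package>/f/), and flags any file that the `<exclude>` rules say should not have been backed up. The .ab archive it operates on is constructed in memory to mirror this demo's observation (secret.txt and profileInstalled present, backup_excluded_secret.txt absent); the function names and the `build_sample_backup` helper are this example's own, and it refuses encrypted archives rather than implementing their password-based key derivation.

```python
import io
import tarfile
import xml.etree.ElementTree as ET
import zlib

# The backup_rules.xml from this demo, embedded so the example runs offline.
BACKUP_RULES_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <include domain="file" path="." requireFlags="clientSideEncryption" />
    <exclude domain="file" path="backup_excluded_secret.txt" />
</full-backup-content>
"""


def parse_ab_header(data: bytes):
    """Parse the text header of an `adb backup` archive.

    The header is four newline-terminated ASCII lines: the magic string
    "ANDROID BACKUP", a format version, a "1"/"0" compression flag and the
    encryption algorithm ("none" or "AES-256"). Returns the parsed fields and
    the byte offset at which the tar payload starts, instead of assuming the
    24-byte header that `tail -c +25` relies on.
    """
    if not data.startswith(b"ANDROID BACKUP\n"):
        raise ValueError("not an Android backup archive (bad magic)")
    offset = 0
    lines = []
    for _ in range(4):
        newline = data.index(b"\n", offset)
        lines.append(data[offset:newline].decode("ascii"))
        offset = newline + 1
    fields = {
        "version": int(lines[1]),
        "compressed": lines[2] == "1",
        "encryption": lines[3],
    }
    if fields["encryption"] != "none":
        # An encrypted archive carries further header lines (salts, PBKDF2
        # round count, IV, wrapped master key); decrypting it is out of scope here.
        raise ValueError("encrypted backup: password-based decryption not implemented")
    return fields, offset


def list_backup_files(data: bytes) -> dict:
    """Return {tar entry name: content} for every regular file in the archive."""
    fields, offset = parse_ab_header(data)
    payload = data[offset:]
    if fields["compressed"]:
        payload = zlib.decompress(payload)
    files = {}
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def excluded_file_paths(rules_xml: bytes) -> set:
    """Paths named by <exclude domain="file"> elements of a full-backup-content file."""
    root = ET.fromstring(rules_xml)
    return {e.get("path") for e in root.findall("exclude") if e.get("domain") == "file"}


def check_files_dir(data: bytes, package: str, rules_xml: bytes) -> dict:
    """List the app's filesDir entries (apps/<package>/f/) found in the backup
    and flag any that backup_rules.xml says should have been excluded."""
    prefix = f"apps/{package}/f/"
    in_files_dir = {name[len(prefix):]: content
                    for name, content in list_backup_files(data).items()
                    if name.startswith(prefix)}
    excluded = excluded_file_paths(rules_xml)
    return {
        "files": sorted(in_files_dir),
        "contents": in_files_dir,
        "excluded_but_present": sorted(n for n in in_files_dir if n in excluded),
    }


def build_sample_backup(package: str, files: dict) -> bytes:
    """Construct an unencrypted, compressed .ab archive in memory.
    Test data only; a real archive comes from `adb backup`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(f"apps/{package}/f/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = b"ANDROID BACKUP\n5\n1\nnone\n"  # 24 bytes, hence `tail -c +25`
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    pkg = "org.owasp.mastestapp"
    # Constructed to mirror this demo's observation: the exclude rule was honored.
    sample = build_sample_backup(pkg, {"profileInstalled": b"", "secret.txt": b"secr3tPa$$W0rd\n"})
    result = check_files_dir(sample, pkg, BACKUP_RULES_XML)
    print("files in backup:", result["files"])
    print("excluded but present:", result["excluded_but_present"])
```

To run it against a real archive, read backup.ab from disk and pass its bytes to `check_files_dir` with the app's package name and its backup_rules.xml; an empty `excluded_but_present` list confirms the exclude rules took effect, while the `files` list is what still needs a manual review for sensitive content, as this demo does with secret.txt.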