adb backup removal
Today I’ve submitted a patch to the AOSP to continue something which was probably, externally, one of the least popular things I did while I was at Google: start eradicating adb backup support from Android devices.
The reason is I think it’s dangerous. Not for everyone, certainly not for a majority of folk, but for a small number of people there is a use case which I see as having potentially very serious consequences: whistle-blowers, dissidents, and potentially even journalists reporting from less than friendly countries.
How can that be?
Either way it will give the local authorities (or others employing similar tactics) the ability to unlock your phone.
While this may not seem too scary, once you have an unlocked phone it takes a few minutes to get a lot of interesting data from it using adb backup via a few steps.
It’s something that, say, a law enforcement officer or border control guard could do while “inspecting” your
device after requiring you to hand over the unlock code for it. They might turn their back on you for
5 minutes to look at it, and even connect it to a charging cable, so you’re not worried about them draining
your battery. In that time they can get enough data to learn a lot about your life.
What’s in the backup?
Some apps allow backups, and in those cases an adb backup contains all the data the app offers up for backing up. That’ll not only show that the app is installed on your device, but, depending on how the app stores its backup data, it could also give anyone with access to the backup clear-text access to the app’s data.
Many apps opt out of the backup system, so you may think there’s no trace of them, but that’s not necessarily true…
One of the most interesting things is the launcher favorites database. If you extract your backup to a directory (using a command you can find on Stack Overflow), you’ll find it in apps/com.google.android.apps.nexuslauncher/db. Running a bog-standard copy of sqlite3 against it will let you query the favorites table to see what the user has been using frequently.
In my case, querying the launcher database from a backup of Android 11 with the latest security patches gives the following:
    alsutton@svr204:~/temp/3/apps/com.google.android.apps.nexuslauncher/db$ sqlite3 launcher.db
    SQLite version 3.32.2 2020-06-04 12:58:43
    Enter ".help" for usage hints.
    sqlite> select title from favorites;
    Phone
    Messages
    Play Store
    Chrome
    Camera
    Slack
    Signal
    sqlite>
This was after installing Signal and running it three times. So, with something that could be a one-line script, someone can determine I’m likely to be a user of end-to-end encryption.
The backup also contained the pictures I’ve taken with the phone. In my case it’s a boring picture of a painting on my wall, not the type of thing that’ll trigger a major incident, but then again I tend to only take boring ‘photos.
Now imagine being a “person of interest” leaving a country and within 10 minutes the border official can determine that you have Signal installed and see what photos you have. 10 minutes in some airports is not enough time to get from border control to either a boarding gate or an exit, and if you’re on a watch list you’re likely to get priority treatment for the data coming off your device.
Update: Third-party apps targeting Android 12, when it’s released, will not have their data included in an adb backup unless they’re declared as debuggable (thanks to Toby Thierer for pointing this out). Unfortunately the launcher favorites database mentioned is still included in an adb backup backup.
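An added example, not part of the original post or of AOSP: a manifest check an app developer can run to see whether a third-party app's data would land in an adb backup, following the opt-out and the Android 12 rule described above. The android:allowBackup and android:debuggable attributes are not named in the post, and the function names and sample manifests are constructed for illustration; system components such as the launcher are out of scope.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ANDROID_12_API = 31  # API level of Android 12

def adb_backup_exposure(manifest_xml, target_sdk=None):
    """Return (included, reason) for a third-party app's decoded manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False, "no <application> element"

    def flag(name, default):
        value = app.get(ANDROID_NS + name)
        return default if value is None else value.strip().lower() == "true"

    # Platform defaults when the attribute is omitted.
    allow_backup = flag("allowBackup", True)
    debuggable = flag("debuggable", False)
    # Gradle projects set the target SDK outside the manifest, so the
    # caller may pass it; a <uses-sdk> element in the manifest wins.
    uses_sdk = root.find("uses-sdk")
    declared = uses_sdk.get(ANDROID_NS + "targetSdkVersion") if uses_sdk is not None else None
    if declared is not None:
        target_sdk = int(declared)
    if target_sdk is None:
        raise ValueError("target SDK unknown; pass target_sdk")

    if target_sdk >= ANDROID_12_API:
        # Rule from the update: only debuggable apps are included.
        # Assumption: allowBackup is ignored here, so a debuggable build
        # is reported as included (the conservative reading for an audit).
        if debuggable:
            return True, "targets API 31+ and is debuggable"
        return False, "targets API 31+ and is not debuggable"
    if allow_backup:
        return True, "targets API < 31 and allowBackup is not false"
    return False, "targets API < 31 and allowBackup is false"

def sample_manifest(app_attrs, target_sdk):
    # Constructed manifest used only for the demo below.
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            f'<uses-sdk android:targetSdkVersion="{target_sdk}"/>'
            f'<application {app_attrs}/></manifest>')

if __name__ == "__main__":
    for attrs, sdk in [("", 30), ('android:allowBackup="false"', 30),
                       ("", 31), ('android:debuggable="true"', 31)]:
        print(sdk, attrs or "(defaults)", "->", adb_backup_exposure(sample_manifest(attrs, sdk)))
```

A release build that reports as included on API 31+ is shipping with the debuggable flag set, which is worth fixing in its own right.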
But adb backups’ password!
Yes, you should always use a password for your adb backup backup, but if you remember the start of this post I mentioned the key disclosure laws some countries have. The official has the unlocked device completely under their control and so can make a backup without a password.
For many folk this isn’t a problem. I doubt anyone would be interested in a backup of my ‘phone if they got hold of it, but for a few folk this could be a real problem, and when you’re talking about an OS which is in use on over 2bn devices, a problem for 0.00001% of users is a real problem for 200 people.
Hopefully you can see now why I feel that, for all the benefits folk get from adb backup, there are some folk who might pay a heavy price for its existence, and why I feel it should be removed.