adb backup removal

Tue, Aug 3, 2021 4-minute read

Today I’ve submitted a patch to the AOSP to continue something which was probably, externally, one of the least popular things I did while I was at Google; Start eradicating adb backup support from Android devices.

Why?

The reason is I think it’s dangerous. Not for everyone, certainly not for a majority of folk, but for a small number of people there is a use case which I see as having potentially very serious consequences; Whistle-blowers, dissidents, and potentially even journalists reporting from less than friendly countries.

How can that be?

Around the world there are many jurisdictions where your password can be obtained relatively easily. Some have key disclosure laws, while in others the approach shown by XKCD #538 might be used;

XKCD 538

Either way it will give the local authorities (or others employing similar tactics) the ability to unlock your phone.

While this may not seem to scary, once you have an unlocked phone it takes a few minutes to get a lot of interesting data from it using adb backup via a few steps. It’s something that, say, a law enforcement officer or border control guard could do while “inspecting” your device after requiring you to hand over the unlock code for it. They might turn their back on you for 5 minutes to look at it, and even connect it to a charging cable, so you’re not worried about them draining your battery. In that time they can get enough data to learn a lot about your life.

What’s in the backup?

Some apps allow backups, and in those cases an adb backup contains all the data the app offers up for backing up. That’ll not only show that the app is installed on your device, but, depending on how the app stores its backup data, it could also give anyone with access to the backup clear-text access to the apps' data.

Many apps opt out of the backup system, so you may think there’s no trace of them, but that’s not necessarily true….

One of the most interesting things is the launcher favorites database. If you extract your backup to a directory (using a command you can find on Stack Overflow), you’ll find it in apps/com.google.android.apps.nexuslauncher/db. Running a bog-standard copy of sqlite3 against it will let you query the favorites table to see what the user has been using frequently.

In my case, querying the launcher database from a backup of Android 11 with the latest security patches gives the following;

alsutton@svr204:~/temp/3/apps/com.google.android.apps.nexuslauncher/db$ sqlite3 launcher.db
SQLite version 3.32.2 2020-06-04 12:58:43
Enter ".help" for usage hints.
sqlite> select title from favorites;
Phone
Messages
Play Store
Chrome
Camera
Slack
Signal
sqlite> 

This was after installing Signal and running it three times. So with something that could be a one line script someone can determine I’m likely to be a user of end-to-end encryption.

The backup also contained the pictures I’ve taken with the phone. In my case it’s a boring picture of a painting on my wall, not the type of thing that’ll trigger a major incident, but then again I tend to only take boring ‘photos.

Now imagine being a “person of interest” leaving a country and within 10 minutes the border official can determine that you have Signal installed and see what photos you have. 10 minutes in some airports is not enough time to get from border control to either a boarding gate or an exit, and if you’re on a watch list you’re likely to get priority treatment for the data coming off your device.

Update: Third-party apps targeting Android 12, when it’s released, will not have their data included in an adb backup backup unless they’re declared as debuggable (Thanks to Toby Thierer for pointing this out). Unfortunately the launcher favorites database mentioned is still included in an adb backup backup.

But adb backups’ password!

Yes, you should always use a password for your adb backup backup, but if you remember the start of this post I mentioned the key disclosure laws some countries have. The official has the unlocked device completely under their control and so can make a backup without a password.

You’re scare-mongering!

For many folk this isn’t a problem. I doubt anyone would be interested in a backup of my ‘phone if they got hold of it, but for a few folk this could be a real problem, and when you’re talking about an OS which is in use on over 2bn devices, a problem for 0.00001% of users is a real problem for 200 people.

Feedback

Hopefully you can see now why I feel that, for all the benefits folk get from adb backup, there are some folk who might pay a heavy price for its’ existence, and why I feel it should be removed.

If you have feedback on things that could be improved, added, or should be removed you can find me on Mastodon, GitHub, and Twitter.