Merge pull request #10106 from egregius313/egregius313/android-backup-allowed

Java: Query to detect Android backup allowed

Author: egregius313

java/ql/lib/change-notes/2022-08-18-android-manifest-backup-predicate.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a new predicate, `allowsBackup`, in the `AndroidApplicationXmlElement` class. This predicate detects if the application element does not disable the `android:allowBackup` attribute.

java/ql/lib/semmle/code/xml/AndroidManifest.qll

@@ -72,6 +72,56 @@ class AndroidApplicationXmlElement extends XmlElement {
    * Holds if this application element has explicitly set a value for its `android:permission` attribute.
    */
   predicate requiresPermissions() { this.getAnAttribute().(AndroidPermissionXmlAttribute).isFull() }
+
+  /**
+   * Holds if this application element does not disable the `android:allowBackup` attribute.
+   *
+   * https://developer.android.com/guide/topics/data/autobackup
+   */
+  predicate allowsBackup() {
+    not this.getFile().(AndroidManifestXmlFile).isInBuildDirectory() and
+    (
+      // explicitly sets android:allowBackup="true"
+      this.allowsBackupExplicitly()
+      or
+      // Manifest providing the main intent for an application, and does not explicitly
+      // disallow the allowBackup attribute
+      this.providesMainIntent() and
+      // Check that android:allowBackup="false" is not present
+      not exists(AndroidXmlAttribute attr |
+        this.getAnAttribute() = attr and
+        attr.getName() = "allowBackup" and
+        attr.getValue() = "false"
+      )
+    )
+  }
+
+  /**
+   * Holds if this application element sets the `android:allowBackup` attribute to `true`.
+   *
+   * https://developer.android.com/guide/topics/data/autobackup
+   */
+  private predicate allowsBackupExplicitly() {
+    exists(AndroidXmlAttribute attr |
+      this.getAnAttribute() = attr and
+      attr.getName() = "allowBackup" and
+      attr.getValue() = "true"
+    )
+  }
+
+  /**
+   * Holds if the application element contains a child element which provides the
+   * `android.intent.action.MAIN` intent.
+   */
+  private predicate providesMainIntent() {
+    exists(AndroidActivityXmlElement activity |
+      activity = this.getAChild() and
+      exists(AndroidIntentFilterXmlElement intentFilter |
+        intentFilter = activity.getAChild() and
+        intentFilter.getAnActionElement().getActionName() = "android.intent.action.MAIN"
+      )
+    )
+  }
 }
 
 /**

java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.qhelp

@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>In the Android manifest file, you can use the <code>android:allowBackup</code> attribute of the <code>application</code> element to define whether the
+application will have automatic backups or not.</p>
+
+<p>If your application uses any sensitive data, you should disable automatic backups to prevent attackers from extracting it.</p>
+</overview>
+
+<recommendation>
+<p>For Android applications which process sensitive data, set <code>android:allowBackup</code> to <code>false</code> in the manifest
+file.</p>
+
+<p>Note: Since Android 6.0 (Marshmallow), automatic backups for applications are switched on by default. 
+</p>
+</recommendation>
+
+<example>
+
+<p>In the following two (bad) examples, the <code>android:allowBackup</code> setting is enabled:</p>
+
+<sample src="AllowBackupTrue.xml" />
+
+<sample src="AllowBackupEmpty.xml"/>
+
+<p>In the following (good) example, <code>android:allowBackup</code> is set to <code>false</code>:</p>
+
+<sample src="AllowBackupFalse.xml"/>
+
+</example>
+<references>
+<li>
+   Android Documentation:
+   <a href="https://developer.android.com/guide/topics/data/autobackup#EnablingAutoBackup">Back up user data with Auto Backup</a>
+</li>
+<li>
+   OWASP Mobile Security Testing Guide:
+   <a href="https://github.com/OWASP/owasp-mstg/blob/b7a93a2e5e0557cc9a12e55fc3f6675f6986bb86/Document/0x05d-Testing-Data-Storage.md#backups">
+    Android Backups
+   </a>
+</li>
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Application backup allowed
+ * @description Allowing application backups may allow an attacker to extract sensitive data.
+ * @kind problem
+ * @problem.severity recommendation
+ * @security-severity 7.5
+ * @id java/android/backup-enabled
+ * @tags security
+ *       external/cwe/cwe-312
+ * @precision very-high
+ */
+
+import java
+import semmle.code.xml.AndroidManifest
+
+from AndroidApplicationXmlElement androidAppElem
+where androidAppElem.allowsBackup()
+select androidAppElem, "Backups are allowed in this Android application."

java/ql/src/Security/CWE/CWE-312/AllowBackupEmpty.xml

@@ -0,0 +1,7 @@
+<manifest ... >
+    <!-- BAD: no 'android:allowBackup' set, defaults to 'true' -->
+    <application>
+        <activity ... >
+        </activity>
+    </application>
+</manifest>

java/ql/src/Security/CWE/CWE-312/AllowBackupFalse.xml

@@ -0,0 +1,8 @@
+<manifest ... >
+    <!-- GOOD: 'android:allowBackup' set to 'false' -->
+    <application
+        android:allowBackup="false">
+        <activity ... >
+        </activity>
+    </application>
+</manifest>

java/ql/src/Security/CWE/CWE-312/AllowBackupTrue.xml

@@ -0,0 +1,8 @@
+<manifest ... >
+    <!-- BAD: 'android:allowBackup' set to 'true' -->
+    <application
+        android:allowBackup="true">
+        <activity ... >
+        </activity>
+    </application>
+</manifest>

java/ql/src/change-notes/2022-08-18-android-allowbackup-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `java/android/backup-enabled`, to detect if Android applications allow backups.