Devs Beware – Automatic Backup Privacy Risks
One new feature of “Android M” (speculation on potential names welcomed on the back of a postcard) which gained little attention at Google I/O so far was the introduction of a new, automatic backup feature for application data.
It’s still early days (though you can download the developer preview, if you’re brave!), so we can’t be sure of the final implementation, but there are a few gotchas here that developers should be aware of.
The first is that these backups will be automatic. They will default to being on, meaning the average user will likely leave this feature on. This makes sense, but has serious implications for certain use-cases of applications.
The destination of choice for the backups is Google Drive. It makes sense, considering it’s Google’s main user-facing storage service. The downside is that Google Drive is not particularly secure – third party applications can request access to it, and your computer might well sync its content. Sure, Google say they’ll encrypt it, but quite how that’s done, and where the keys will be stored, is another matter.
All teh Things!!1!
(sic) The big worry here for users is that, by default, applications will back up all their private data (files not in external storage). As an app developer, you can set certain files to be backed up (or excluded from backup), or even disable backup completely for your app.
If your app is one that contains sensitive data, or private keys, or anything users might reasonably expect to stay private, uploading an application backup to Google Drive is probably not what you want. It might be as simple as some authentication tokens, or a local copy of messages sent over a private messaging service. Either way, as a developer, you should take care right now to ensure your app doesn’t back up data it shouldn’t.
In short, if your app stores data your users wouldn’t want synced to the cloud, it would be wise to go ahead and disable backup on those files. If your app encrypts data using strong encryption algorithms, and uses a key derived securely from a user password, you should be OK. The problem arises if sensitive data is stored unencrypted on the device and then backed up without the user’s knowledge.
If you’re a user who doesn’t want this automatic backup to take place, you can disable it within the Settings interface on the M Developer Preview. If you’re a developer, take a look at the information on the new APIs, which detail how to hold files back from backup if they contain data your users wouldn’t want transmitted to Google.
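To make the developer-side options above concrete, here is an added example (not from the original post) of the three manifest configurations an app can ship with: the default, a full opt-out, and a backup rules file that holds specific files back. The file names (`auth_tokens.xml`, `messages.db`, `keys/`) are constructed for illustration; the attributes and the `<full-backup-content>` element are the Auto Backup API introduced with the M preview.

```xml
<!-- AndroidManifest.xml, the risky default: an app targeting the M SDK with no
     backup attributes has auto backup switched ON, and every file in internal
     storage, every SharedPreferences file and every SQLite database is copied
     to the user's Google Drive. -->
<application android:label="@string/app_name">
    <!-- activities, services ... -->
</application>

<!-- Option 1: opt the whole app out. Nothing is backed up and nothing is restored.
     Right choice for messaging clients, password managers, anything holding keys. -->
<application
    android:label="@string/app_name"
    android:allowBackup="false">
</application>

<!-- Option 2: keep backup for harmless data, but point the system at a rules file
     that excludes the sensitive files. -->
<application
    android:label="@string/app_name"
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup_rules">
</application>

<!-- res/xml/backup_rules.xml (constructed paths; adjust to your own app).
     Valid domains: root, file, database, sharedpref, external. Paths are
     relative to that domain's directory. An <exclude> always beats an
     <include> for the same path; note that adding any <include> switches the
     file to allow-list mode, so only the listed paths are backed up at all. -->
<full-backup-content>
    <!-- Session / auth tokens: a restored backup on another device would
         silently log that device in. -->
    <exclude domain="sharedpref" path="auth_tokens.xml"/>
    <!-- Local copy of private messages: stored in plaintext, so keep it local. -->
    <exclude domain="database" path="messages.db"/>
    <!-- Directory of key material under files/ (domain="file"). -->
    <exclude domain="file" path="keys/"/>
</full-backup-content>
```

The quickest check after choosing a configuration is to inspect what actually lands in a backup on the preview device (the platform ships `bmgr` for triggering and listing backups), rather than trusting the rules file on paper.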