This app is full of 3rd party SDKs...
This is a React Native app, they used this tool to create their app
Set the allowBackup to FALSE, I said FALSE
Why? If you are storing valuable data on the user's device, having allowBackup set to true is a problem.
- "adb is authenticated": Simply false. There is no authentication required for adb.
- Setting the allowBackup flag to true is a very well-known vulnerability; there are plenty of CVEs (e.g. nvd.nist.gov/vuln/detail/CV)
The device does need to be unlocked for that, and similarly to accept a host's key and then to confirm a backup. It's true that it doesn't require that the user authenticates themselves beyond the device being unlocked. Enabling developer options for the 1st time does require it now.
I think the main issue with app backup security is the cloud backup aspect. Cloud backups get enabled on devices with Play when the device is first set up unless the user explicitly opts out. It can then sync app data from Google's servers to any device connected to the account.
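
An added example, not from the thread or from the app under discussion: a check of the backup settings the thread argues about, run over a decoded (plain-text) `AndroidManifest.xml`. The manifests below are constructed samples, the function name `audit_backup` is hypothetical, and the script assumes the binary manifest inside the APK has already been decoded to text (for instance with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(el, name):
    # android:* attributes live in the Android XML namespace
    return el.get(f"{{{ANDROID_NS}}}{name}")

def audit_backup(manifest_xml):
    """Return (verdict, reasons) for the <application> backup settings."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return "error", ["no <application> element"]
    allow = _attr(app, "allowBackup")
    rules = [a for a in ("fullBackupContent", "dataExtractionRules") if _attr(app, a)]
    if allow is not None and allow.strip().lower() == "false":
        return "ok", ["allowBackup is explicitly false"]
    reasons = []
    if allow is None:
        # An absent attribute is not "off": the platform default is true
        reasons.append("allowBackup not set; platform default is true")
    else:
        reasons.append(f"allowBackup={allow}")
    if rules:
        reasons.append("scope limited by " + ", ".join(rules) + "; review the referenced XML")
        return "review", reasons
    reasons.append("no backup rules declared; default backup scope applies")
    return "fail", reasons

def _sample(app_attrs):
    # Constructed sample manifest, not taken from any real app
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">'
            f'<application {app_attrs}/></manifest>')

SAMPLES = {
    "unset": _sample('android:label="demo"'),
    "explicit_false": _sample('android:allowBackup="false"'),
    "true_with_rules": _sample('android:allowBackup="true" '
                               'android:dataExtractionRules="@xml/rules"'),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        verdict, reasons = audit_backup(xml)
        print(f"{name}: {verdict} ({'; '.join(reasons)})")
```

A `review` verdict means the include/exclude rules file still has to be read to confirm that tokens, keys and databases are excluded.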


