Skip to content

[MEDIUM] MW-SEC-015: Disable Backup in AndroidManifest #1981

Open
#2000
Open
[MEDIUM] MW-SEC-015: Disable Backup in AndroidManifest#1981
#2000
Labels
cipher-auditFrom Cipher security audit Jan 2026securitySecurity-related issues
@therajanmaurya

Description

@therajanmaurya
therajanmaurya
opened on Feb 24, 2026

Severity: 🟡 MEDIUM

Audit Reference: TC-75B094E1 (Cipher Security Assessment - Jan 24, 2026)

Vulnerability Description

Backup enabled in manifest allows ADB extraction of app data (tokens, credentials) with physical access or malware with ADB permissions.

Technical Changes Required

AndroidManifest.xml

<application
    android:allowBackup="false"
    android:fullBackupContent="false"
    ...>

Acceptance Criteria

  • android:allowBackup="false" set in AndroidManifest.xml
  • ADB backup command produces empty/minimal backup
  • Cloud backup does not include sensitive app data

Target Release

v4.1.0-security

Note: This is a quick fix that complements MW-SEC-002 (Encrypted Storage)

Metadata

Metadata

Assignees

No one assigned

    Labels

    cipher-auditFrom Cipher security audit Jan 2026securitySecurity-related issues

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions