Add Auto Backup Allowed by Default (#284)

plr0man · adamrdavid · web-flow · commit 5911b2c8e3e0 · 2020-04-24T10:49:55.000-07:00
Co-authored-by: Adam David &lt;adamrdavid@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 - server_side_injection.ssti.custom
 - sensitive_data_exposure.via_localstorage_sessionstorage.sensitive_token
 - sensitive_data_exposure.via_localstorage_sessionstorage.non_sensitive_token
+- mobile_security_misconfiguration.auto_backup_allowed_by_default
 - server_security_misconfiguration.no_rate_limiting_on_form.change_password
 - server_side_injection.content_spoofing.impersonation_via_broken_link_hijacking
 
diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
@@ -868,6 +868,10 @@
         {
           "id": "clipboard_enabled",
           "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
+        },
+        {
+          "id": "auto_backup_allowed_by_default",
+          "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
         }
       ]
     },
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
@@ -1233,6 +1233,13 @@
         {
           "id": "clipboard_enabled",
           "remediation_advice": "Ensure that copy/paste functionality is disabled on sensitive content like credit card numbers, social security numbers etc. as other apps on the same device can access data stored in clipboard.\nThe example below disables clipboard for the `textField` TextView in Android:\n```java\ntextField.setCustomSelectionActionModeCallback(new ActionMode.Callback() {\n  public boolean onCreateActionMode(ActionMode actionMode, Menu menu) {\n    return false;\n  }\n\n  public boolean onPrepareActionMode(ActionMode actionMode, Menu menu) {\n    return false;\n  }\n\n  public boolean onActionItemClicked(ActionMode actionMode, MenuItem item) {\n    return false;\n  }\n\n  public void onDestroyActionMode(ActionMode actionMode) {\n  }\n});\ntextField.setLongClickable(false);\ntextField.setTextIsSelectable(false);\n```\nThe example below disables clipboard for UITextField in iOS:\n```swift\noverride public func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {\n  if action == #selector(copy(_:)) || action == #selector(paste(_:)) {\n    return false\n  }\n  return true\n}\n```"
+        },
+        {
+          "id": "auto_backup_allowed_by_default",
+          "remediation_advice": "Consider disabling auto backup of any sensitive application data. In Android you can disable auto backup by setting `android:allowBackup` in your app manifest file to false.",
+          "references": [
+            "https://developer.android.com/guide/topics/data/autobackup"
+          ]
         }
       ]
     },
diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json
@@ -1853,6 +1853,12 @@
           "name": "Clipboard Enabled",
           "type": "subcategory",
           "priority": 5
+        },
+        {
+          "id": "auto_backup_allowed_by_default",
+          "name": "Auto Backup Allowed by Default",
+          "type": "subcategory",
+          "priority": 5
         }
       ]
     },

Original file line number	Diff line number	Diff line change
`@@ -868,6 +868,10 @@`
`868`	`868`	`{`
`869`	`869`	`"id": "clipboard_enabled",`
`870`	`870`	`"cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"`
	`871`	`+ },`
	`872`	`+ {`
	`873`	`+ "id": "auto_backup_allowed_by_default",`
	`874`	`+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"`
`871`	`875`	`}`
`872`	`876`	`]`
`873`	`877`	`},`
Original file line number	Diff line number	Diff line change
`@@ -1233,6 +1233,13 @@`
`1233`	`1233`	`{`
`1234`	`1234`	`"id": "clipboard_enabled",`
`1235`	`1235`	"remediation_advice": "Ensure that copy/paste functionality is disabled on sensitive content like credit card numbers, social security numbers etc. as other apps on the same device can access data stored in clipboard.\nThe example below disables clipboard for the `textField` TextView in Android:\n```java\ntextField.setCustomSelectionActionModeCallback(new ActionMode.Callback() {\n public boolean onCreateActionMode(ActionMode actionMode, Menu menu) {\n return false;\n }\n\n public boolean onPrepareActionMode(ActionMode actionMode, Menu menu) {\n return false;\n }\n\n public boolean onActionItemClicked(ActionMode actionMode, MenuItem item) {\n return false;\n }\n\n public void onDestroyActionMode(ActionMode actionMode) {\n }\n});\ntextField.setLongClickable(false);\ntextField.setTextIsSelectable(false);\n```\nThe example below disables clipboard for UITextField in iOS:\n```swift\noverride public func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {\n if action == #selector(copy(_:)) \|\| action == #selector(paste(_:)) {\n return false\n }\n return true\n}\n```"
	`1236`	`+ },`
	`1237`	`+ {`
	`1238`	`+ "id": "auto_backup_allowed_by_default",`
	`1239`	+ "remediation_advice": "Consider disabling auto backup of any sensitive application data. In Android you can disable auto backup by setting `android:allowBackup` in your app manifest file to false.",
	`1240`	`+ "references": [`
	`1241`	`+ "https://developer.android.com/guide/topics/data/autobackup"`
	`1242`	`+ ]`
`1236`	`1243`	`}`
`1237`	`1244`	`]`
`1238`	`1245`	`},`
Original file line number	Diff line number	Diff line change
`@@ -1853,6 +1853,12 @@`
`1853`	`1853`	`"name": "Clipboard Enabled",`
`1854`	`1854`	`"type": "subcategory",`
`1855`	`1855`	`"priority": 5`
	`1856`	`+ },`
	`1857`	`+ {`
	`1858`	`+ "id": "auto_backup_allowed_by_default",`
	`1859`	`+ "name": "Auto Backup Allowed by Default",`
	`1860`	`+ "type": "subcategory",`
	`1861`	`+ "priority": 5`
`1856`	`1862`	`}`
`1857`	`1863`	`]`
`1858`	`1864`	`},`