Disabling App Data Backup in Financial Android Apps: A Complete Guide

Table of Contents

When building financial apps, security should always be a top priority. Sensitive information like banking credentials, personal details, and financial records must be protected at all costs. One often-overlooked security measure is disabling app data backups. While Android’s automatic cloud backup feature is convenient, it can expose sensitive data if not managed properly. In this guide, we’ll walk through the steps to disable app data backup in Android apps, ensuring that user data remains secure.

Why Disable App Data Backup in Financial Apps?

While app data backup can be a convenient feature for many apps, it poses risks for apps that handle sensitive financial data. Here’s why it’s crucial to disable it:

  • Protecting Sensitive Data: If a device is compromised or when users switch to a new device, any backed-up data could be exposed during restoration, which is a major security concern.
  • Ensuring Compliance: Many financial institutions have strict data security requirements, and allowing data to be backed up to external storage might violate these regulations.
  • Reducing Risk: Disabling backups prevents data from being stored on potentially less secure platforms or devices, keeping it safe from unauthorized access.

Before disabling the backup, let’s first take a moment to see which files are usually being backed up.

What Gets Backed Up

By default, Auto Backup includes files from most directories assigned to your app by the system, such as:

  • Shared Preferences Files
  • Internal Storage Files: Files saved to your app’s internal storage and accessed via getFilesDir() or getDir(String, int)
  • Database Files: Files in the directory returned by getDatabasePath(String), including those created using SQLiteOpenHelper
  • External Storage Files: Files located in the directory returned by getExternalFilesDir(String)

Auto Backup doesn’t include files stored in certain directories, such as:

  • Cache Directory: Files saved in getCacheDir(), getCodeCacheDir(), and getNoBackupFilesDir()
    These files are temporary and are intentionally excluded from backup to avoid unnecessary storage and syncing.

You can customize the backup process by specifying which files should be included or excluded from Auto Backup, giving you greater control over the data your app manages.

How Disabling App Data Backup Works in Android

By default, Android automatically backs up an app’s data to Google Drive, including SharedPreferences, files, and other persistent data. This process is controlled by the android:allowBackup attribute in the app’s AndroidManifest.xml. By setting this attribute to false, the app ensures its data is not backed up, which is essential for securing financial apps and other apps that handle sensitive information.

XML
<application
    android:name=".FinancialApp"
    android:allowBackup="false"
    android:fullBackupContent="false"
    ... >
    <!-- other configurations -->
</application>

allowBackup="false":

  • This attribute prevents Android from automatically backing up the app’s data to Google Drive or any other backup service. This includes both user-initiated and system-initiated backups. Setting allowBackup="false" effectively disables the Android backup mechanism for the app, reducing the risk of unauthorized access to app data through backups.
  • Important Note: While this setting prevents automatic backups through Android’s system, it does not guarantee complete protection. Devices with root access or custom ROMs can bypass this setting and potentially access app data or perform backups using alternative methods.

fullBackupContent="false":

  • This attribute ensures that the app’s data is excluded from full device backups, regardless of the allowBackup setting. When set to false, it prevents the app’s data from being included in any full-device backup (such as Google’s full-device backup feature) even if allowBackup is set to true.
  • Important Note: This attribute prevents the app’s data from being included in standard full backups, but it does not protect against all possible data extraction methods. Devices with root access or custom ROMs may still be able to access the app’s data through other means, such as direct file system access.

While both allowBackup="false" and fullBackupContent="false" significantly reduce the chances of unauthorized backups and data exposure, they do not provide 100% protection, especially on rooted or compromised devices. That’s why, in financial apps, we check if the device is rooted and implement additional tampering checks to enhance security.

Securing Sensitive Data Locally

Disabling backups is only part of the equation in securing sensitive data. It’s also crucial to protect locally stored information. Jetpack’s Security library provides tools like EncryptedSharedPreferences and EncryptedFile in Kotlin, which ensure that data stored on the device remains encrypted. These components integrate seamlessly with Android’s architecture and provide strong encryption, making them excellent choices for securely handling sensitive data in financial or personal apps.

Using EncryptedSharedPreferences

Kotlin
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys

fun getEncryptedSharedPreferences(context: Context): SharedPreferences {
    val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
    return EncryptedSharedPreferences.create(
        "financial_prefs",
        masterKeyAlias,
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}

Here,

  • MasterKeys: Creates or retrieves a master key that is used to encrypt the shared preferences.
  • EncryptedSharedPreferences: Securely stores shared preferences with AES encryption, which is suitable for sensitive data.
  • PrefKeyEncryptionScheme & PrefValueEncryptionScheme: These schemes ensure both keys and values in SharedPreferences are encrypted, providing additional security.

Securely Storing Files with EncryptedFile

Sometimes, an app may need to store files, such as transaction records or receipts. Using EncryptedFile can help ensure these files are securely stored.

Kotlin
import androidx.security.crypto.EncryptedFile
import androidx.security.crypto.MasterKeys
import java.io.File

fun getEncryptedFile(context: Context, fileName: String): EncryptedFile {
    val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
    val file = File(context.filesDir, fileName)

    return EncryptedFile.Builder(
        file,
        context,
        masterKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()
}

fun writeToEncryptedFile(context: Context, data: String) {
    val encryptedFile = getEncryptedFile(context, "sensitive_data.txt")
    encryptedFile.openFileOutput().use { output ->
        output.write(data.toByteArray())
    }
}
  • EncryptedFile: Provides AES256_GCM encryption to ensure that files are securely stored on disk.
  • FileEncryptionScheme: Specifies the encryption scheme to use for file security, which includes AES encryption with a secure HKDF key derivation function.

Additional Security Considerations

  • Use ProGuard: Obfuscate your app’s code to make it much harder for attackers to reverse-engineer.
  • Implement Strong User Authentication: For accessing sensitive areas of the app, use secure authentication methods like biometrics or PINs.
  • Clear Sensitive Data on Logout: Ensure that all stored sensitive data is cleared when the user logs out or exits.

Here’s a quick example of a function to clear sensitive data from EncryptedSharedPreferences:

Kotlin
fun clearSensitiveData(context: Context) {
    val encryptedPrefs = getEncryptedSharedPreferences(context)
    encryptedPrefs.edit().clear().apply()
}

This function retrieves the EncryptedSharedPreferences instance and clears all saved data, ensuring that no sensitive information remains stored in the app.

Testing Backup Disabling and Data Security

To ensure everything is working as expected, it’s crucial to test that app data isn’t backed up and that sensitive data remains secure:

  • Backup Testing: After setting up the backup restriction, install the app, add some data, and try to back it up through device settings or ADB. Check to confirm that none of the app’s data is backed up.
  • Encryption Verification: Attempt to access shared preferences or files outside the app’s context, such as by using a file manager or rooted device. This helps verify that sensitive data remains encrypted and unreadable, confirming the security setup is effective.

Testing these areas ensures that data protection features are robust and that user data remains secure, especially for apps managing sensitive information.

Conclusion 

Disabling app data backup in Android apps, especially financial ones, is essential for protecting user data and complying with strict security requirements. By making a few adjustments in the AndroidManifest and following secure data storage practices, you can help ensure that your app’s sensitive data remains safe from unauthorized backups and access. Implementing these steps and following security best practices will help you build a more secure financial app that safeguards your users’ valuable data.

Skill Up: Software & AI Updates!

Receive our latest insights and updates directly to your inbox

Related Posts

Java Mastery: Top 3 Powerful Strategies for Object-Oriented Programming Success

Java

Gain Clarity on the State Design Pattern in Kotlin: A Step-by-Step Guide

Design Patterns

Chain of Responsibility Design Pattern in Kotlin: A Detailed Guide

Design Patterns
error: Content is protected !!