What is Android allowBackup and How it Affects Your App
Android offers a rather impressive setting by the name of allowBackup. As the name suggests, it controls the automatic backup of application data. But like any other convenience in Android land, automatic backups are not without their hassles and security concerns. Let’s take a look at what Android allowBackup does, and what it means for the app developer.
There are two ways to back up and restore your app data: using the default cloud provider (Google Drive) or setting up a custom cloud backup.
Using Google Drive for backup
Google Drive is the default destination for app backups. To enable this, all you need to do is make sure that your manifest file reads like this:
As explained in the Android documentation, this will trigger automatic backups when the following conditions are met:
- The device is connected to a WiFi network.
- The device is idle and is charging.
- More than 24 hours have passed since the last backup.
- The user has turned on the backup service on their phone. This can be accessed through Settings → Backup and reset.
The advantage here is that as a developer you don’t need to think about service reliability. You just define the right settings and you’re done! There is a disadvantage, though: you are limited to 25MB of data per user per device. In practice, however, this is more than enough if you just need to save settings and preferences.
Using an external backup service
For more sophisticated needs, you can register an external service for backup. This is a bit more involved as you’ll need to create a new application and register it as a data backup service. Once registered, you need to make sure the following keys exist in the manifest file:
Once this is done, you need to extend the BackupAgentHelper class, after which you get access to the following methods for performing backups and restores:
- onBackup(ParcelFileDescriptor oldState, BackupDataOutput data, ParcelFileDescriptor newState)
- onRestore(BackupDataInput data, int appVersionCode, ParcelFileDescriptor newState)
The dangers of auto-backup
Android backups rely on the Android Debug Bridge (ADB) command to perform backup and restore. ADB, however, has been a soft target for hackers and is still not trusted by respected developers. The idea that someone can inject malicious code into your backup data is unsettling, to say the least. This generally isn’t a problem for end users as it requires debugging to be enabled on the device, but since a lot of Android users are fond of exploring and rooting their devices, it can become a serious problem.
In the end, auto-backups are at the developer’s discretion: at one end they provide the kind of convenience that is every developer’s dream, and at the other, they carry potential security flaws. What to do? One thing developers can do is encrypt the backup data and, while restoring, accept only data that passes the cryptographic check. While much more demanding than just setting allowBackup to true and heading off for a nap, this is essential if you’re serious about user data.
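One way to implement the encrypt-then-verify-on-restore idea above, shown as an added example rather than code from the original article or from Android itself. It uses AES-GCM from the standard javax.crypto API so that a modified backup fails authentication and is refused. BackupSealer, seal and open are hypothetical names, and the example assumes the app supplies a key that is kept outside the backed-up data and is still available at restore time (key management is not shown).

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper (not an Android API): seals backup bytes with AES-GCM.
public final class BackupSealer {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final byte[] AAD = "app-backup-v1".getBytes(StandardCharsets.UTF_8); // format label bound into the tag

    // Returns IV || ciphertext+tag; call before handing data to the backup transport.
    public static byte[] seal(byte[] plain, SecretKey key) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);          // fresh IV for every backup
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(AAD);
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // Returns the plaintext, or null when the blob fails authentication.
    public static byte[] open(byte[] blob, SecretKey key) throws GeneralSecurityException {
        if (blob == null || blob.length < IV_LEN + TAG_BITS / 8) return null; // truncated
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        c.updateAAD(AAD);
        try {
            return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
        } catch (AEADBadTagException e) {
            return null;                           // modified data or wrong key: do not restore
        }
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();          // demo key only; assumed to live outside the backup
        byte[] prefs = "{\"theme\":\"dark\"}".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] blob = seal(prefs, key);
        System.out.println("intact restores: " + (open(blob, key) != null));
        blob[blob.length - 1] ^= 0x01;             // simulate an edited backup file
        System.out.println("tampered restores: " + (open(blob, key) != null));
    }
}
```

In a backup agent, seal would wrap the bytes written in onBackup and open would gate what onRestore accepts; a null result means the restore is skipped and the app starts with default data.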