security: disable auto backup, rewrite backup rules as allowlist, harden data extraction rules for Android 12+
parent
403a8c02e2
commit
95ea9ffed5
|
|
@ -6,7 +6,7 @@
|
||||||
|
|
||||||
<application
|
<application
|
||||||
android:name=".CloserApp"
|
android:name=".CloserApp"
|
||||||
android:allowBackup="true"
|
android:allowBackup="false"
|
||||||
android:dataExtractionRules="@xml/data_extraction_rules"
|
android:dataExtractionRules="@xml/data_extraction_rules"
|
||||||
android:fullBackupContent="@xml/backup_rules"
|
android:fullBackupContent="@xml/backup_rules"
|
||||||
android:icon="@mipmap/ic_launcher"
|
android:icon="@mipmap/ic_launcher"
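Review bot: `android:allowBackup="false"` on the new side is not a complete off switch on Android 12+. Per the platform backup documentation, for apps targeting API 31 or higher, some manufacturers' devices still perform device-to-device transfer with it set to false. On those devices the `<device-transfer>` section of `@xml/data_extraction_rules` is what governs that path, while `fullBackupContent` is only consulted on Android 11 and lower. A comment above `<application>` would stop a later cleanup from deleting the rule files as redundant, e.g. `<!-- allowBackup=false does not stop device-to-device transfer on every Android 12+ device; keep the deny rules in @xml/data_extraction_rules -->`. The `<application>` element continues outside this hunk and the targetSdk is not visible here, so confirm which case applies.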
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,22 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<!--
|
||||||
|
BACKUP RULES - ALLOWLIST APPROACH
|
||||||
|
|
||||||
|
The relationship app uses allowlist (whitelist) backup rules for security.
|
||||||
|
Only explicitly listed items may be backed up. Any new storage (databases,
|
||||||
|
shared preferences, DataStore files, etc.) must be manually evaluated and
|
||||||
|
added to this allowlist if backup is safe and desired.
|
||||||
|
|
||||||
|
By default, no app data is backed up. Sensitive items like databases,
|
||||||
|
shared preferences, and DataStore files are excluded.
|
||||||
|
|
||||||
|
To add an item: add a <include> element with appropriate domain/path.
|
||||||
|
To exclude an item: add an <exclude> element with appropriate domain/path.
|
||||||
|
-->
|
||||||
<full-backup-content>
|
<full-backup-content>
|
||||||
<exclude domain="sharedpref" path="local_answers" />
|
<!-- No items included by default - sensitive data only -->
|
||||||
|
<!-- Explicit exclusions for clarity (all default storage types) -->
|
||||||
<exclude domain="database" path="." />
|
<exclude domain="database" path="." />
|
||||||
|
<exclude domain="sharedpref" path="." />
|
||||||
|
<exclude domain="file" path="." />
|
||||||
</full-backup-content>
|
</full-backup-content>
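Review bot: The header comment calls this an allowlist and says nothing is backed up by default, but the new file contains only `<exclude>` elements, and a full-backup-content file with no `<include>` backs up everything that is not excluded. The three excludes cover `database`, `sharedpref` and `file`, so the `root` and `external` domains stay eligible wherever these rules are honoured; adding `<exclude domain="root" path="." />` and `<exclude domain="external" path="." />` closes that gap. The same applies to `<cloud-backup>` and `<device-transfer>` in the data extraction rules file later in this commit. I would reword the header to say the file is a deny-all list of excludes and that backup is off because of `allowBackup="false"`. I would also replace "No items included by default - sensitive data only" with something unambiguous such as `<!-- Nothing is included: all app data is treated as sensitive -->`.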
|
||||||
|
|
|
||||||
|
|
@ -1,11 +1,32 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<!--
|
||||||
|
DATA EXTRACTION RULES - ALLOWLIST APPROACH
|
||||||
|
|
||||||
|
Android 12+ backup/extraction rules for cloud backup and device transfer.
|
||||||
|
Uses allowlist (whitelist) approach for security - only explicitly listed
|
||||||
|
items may be backed up. Any new storage must be manually evaluated and
|
||||||
|
added to this allowlist if backup is safe and desired.
|
||||||
|
|
||||||
|
By default, no app data is backed up. Sensitive items like databases,
|
||||||
|
shared preferences, and DataStore files are excluded.
|
||||||
|
|
||||||
|
To add an item: add a <include> element with appropriate domain/path.
|
||||||
|
To exclude an item: add an <exclude> element with appropriate domain/path.
|
||||||
|
-->
|
||||||
<data-extraction-rules>
|
<data-extraction-rules>
|
||||||
<cloud-backup>
|
<cloud-backup>
|
||||||
<exclude domain="sharedpref" path="local_answers" />
|
<!-- No items included by default - sensitive data only -->
|
||||||
|
<!-- Explicit exclusions for all default storage types -->
|
||||||
<exclude domain="database" path="." />
|
<exclude domain="database" path="." />
|
||||||
|
<exclude domain="sharedpref" path="." />
|
||||||
|
<exclude domain="file" path="." />
|
||||||
</cloud-backup>
|
</cloud-backup>
|
||||||
|
|
||||||
<device-transfer>
|
<device-transfer>
|
||||||
<exclude domain="sharedpref" path="local_answers" />
|
<!-- No items included by default - sensitive data only -->
|
||||||
|
<!-- Explicit exclusions for all default storage types -->
|
||||||
<exclude domain="database" path="." />
|
<exclude domain="database" path="." />
|
||||||
|
<exclude domain="sharedpref" path="." />
|
||||||
|
<exclude domain="file" path="." />
|
||||||
</device-transfer>
|
</device-transfer>
|
||||||
</data-extraction-rules>
|
</data-extraction-rules>
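Review bot: The header's instruction "To add an item: add a <include> element" is incomplete next to the `path="."` excludes in `<cloud-backup>` and `<device-transfer>`. As far as I know, an `<exclude>` takes precedence over an `<include>` it covers, so the domain-wide exclude would have to be narrowed before an added include has any effect; the header should say so, e.g. `To add an item: narrow the matching <exclude> first, then add an <include>`. The backup rules file earlier in this commit carries the same instruction. Because `<cloud-backup>` is the section where a future include would leave the device, consider writing the opening tag as `<cloud-backup disableIfNoEncryptionCapabilities="true">` now. Anything allowlisted later would then be uploaded only when the backup can be end-to-end encrypted.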
|
||||||
|
|
|
||||||