Skip to content

Enabling backup when the ClientSideEncryption is enabled #68

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

mintsoft
Copy link

We can safely permit WireGuard to be backed up if we enforce the clientSideEncryption requirement and maintain the users privacy on the keys.

Signed-off-by: Jason A. Donenfeld <[email protected]>
@zx2c4-bot zx2c4-bot force-pushed the master branch 3 times, most recently from 91cdc96 to 57bd0ec Compare May 5, 2025 14:20
<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
<include domain="sharedpref" path="." requireFlags="clientSideEncryption" />
<include domain="database" path="." requireFlags="clientSideEncryption" />
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this app use that?

@@ -21,7 +21,7 @@ android {
namespace = pkg
defaultConfig {
applicationId = pkg
minSdk = 21
minSdk = 23
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this necessary? Can't these just be conditioned on having the right sdk value? clientSideEncryption, for example, is only available in API 28 and higher.

<full-backup-content>
<include domain="sharedpref" path="." requireFlags="clientSideEncryption" />
<include domain="database" path="." requireFlags="clientSideEncryption" />
<include domain="file" path="." requireFlags="clientSideEncryption" />
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also want the deviceToDeviceTransfer requirement?

@@ -37,7 +37,8 @@

<application
android:name=".Application"
android:allowBackup="false"
android:allowBackup="true"
android:fullBackupContent="@xml/backup"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only works for API ≤30. For API ≥31, you need android:dataExtractionRules and a different file. See https://developer.android.com/identity/data/autobackup for details.

@zx2c4
Copy link
Member

zx2c4 commented May 7, 2025

I left some comments on here. How safe is this clientSideEncryption and deviceToDeviceTransfer business? Can these be abused? Is this something we want on by default?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants