-
Notifications
You must be signed in to change notification settings - Fork 390
Enabling backup when the ClientSideEncryption is enabled #68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: Jason A. Donenfeld <[email protected]>
Signed-off-by: Rob Emery <[email protected]>
enforced as Android 5 just ignores it Signed-off-by: Rob Emery <[email protected]>
91cdc96
to
57bd0ec
Compare
<?xml version="1.0" encoding="utf-8"?> | ||
<full-backup-content> | ||
<include domain="sharedpref" path="." requireFlags="clientSideEncryption" /> | ||
<include domain="database" path="." requireFlags="clientSideEncryption" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this app use that?
@@ -21,7 +21,7 @@ android { | |||
namespace = pkg | |||
defaultConfig { | |||
applicationId = pkg | |||
minSdk = 21 | |||
minSdk = 23 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this necessary? Can't these just be conditioned on having the right sdk value? clientSideEncryption, for example, is only available in API 28 and higher.
<full-backup-content> | ||
<include domain="sharedpref" path="." requireFlags="clientSideEncryption" /> | ||
<include domain="database" path="." requireFlags="clientSideEncryption" /> | ||
<include domain="file" path="." requireFlags="clientSideEncryption" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we also want the deviceToDeviceTransfer requirement?
@@ -37,7 +37,8 @@ | |||
|
|||
<application | |||
android:name=".Application" | |||
android:allowBackup="false" | |||
android:allowBackup="true" | |||
android:fullBackupContent="@xml/backup" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This only works for API ≤30. For API ≥31, you need android:dataExtractionRules and a different file. See https://developer.android.com/identity/data/autobackup for details.
I left some comments on here. How safe is this clientSideEncryption and deviceToDeviceTransfer business? Can these be abused? Is this something we want on by default? |
We can safely permit WireGuard to be backed up if we enforce the clientSideEncryption requirement and maintain the users privacy on the keys.