Skip to content

Enabling backup when the ClientSideEncryption is enabled #68

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Enabling backup when the ClientSideEncryption is enabled #68

wants to merge 5 commits into from

Conversation

mintsoft
Copy link

We can safely permit WireGuard to be backed up if we enforce the clientSideEncryption requirement and maintain the users privacy on the keys.

@zx2c4-bot zx2c4-bot force-pushed the master branch 3 times, most recently from 91cdc96 to 57bd0ec Compare May 5, 2025 14:20
zx2c4
zx2c4 reviewed May 7, 2025
View reviewed changes
zx2c4
zx2c4 reviewed May 7, 2025
View reviewed changes
ui/build.gradle.kts
defaultConfig {
applicationId = pkg
minSdk = 21
minSdk = 23
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this necessary? Can't these just be conditioned on having the right sdk value? clientSideEncryption, for example, is only available in API 28 and higher.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See below, this ensures that client encryption is enforced. Android 5 supports the backup keys, however it doesn't look at the clientSideEncryption setting, so it just ignores it and backs up anyway, which I think is undesirable behaviour.

zx2c4
zx2c4 reviewed May 7, 2025
View reviewed changes
ui/src/main/res/xml/backup.xml
<full-backup-content>
<include domain="sharedpref" path="." requireFlags="clientSideEncryption" />
<include domain="database" path="." requireFlags="clientSideEncryption" />
<include domain="file" path="." requireFlags="clientSideEncryption" />
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also want the deviceToDeviceTransfer requirement?

Copy link
Author

@mintsoft mintsoft Jun 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would prevent anything seedvault-y (i.e. my nightly backups) from backing up the app; defeating the purpose imo.

zx2c4
zx2c4 reviewed May 7, 2025
View reviewed changes
@zx2c4
Copy link
Member

zx2c4 commented May 7, 2025

I left some comments on here. How safe is this clientSideEncryption and deviceToDeviceTransfer business? Can these be abused? Is this something we want on by default?

mintsoft added 2 commits June 1, 2025 18:06
@mintsoft
Bumping to Android 6/SDK 23 so that client encryption is
e54628b 
enforced as Android 5 just ignores it

Signed-off-by: Rob Emery <git@mintsoft.net>
@mintsoft
Enabling backup when the ClientSideEncryption is enabled
d95ae0a 
Signed-off-by: Rob Emery <git@mintsoft.net>
@mintsoft
Copy link
Author

mintsoft commented Jun 1, 2025

I left some comments on here. How safe is this clientSideEncryption and deviceToDeviceTransfer business? Can these be abused? Is this something we want on by default?

The way this is configured, Android won't backup without clientSideEncryption being enabled, part of the reason for the bumping the SDK version is so you can force android to only provide protected backups (I've got some testing here from a different PR: https://codeberg.org/Freeyourgadget/Gadgetbridge/pulls/4123#issuecomment-2347840).

The deviceToDeviceTransfer only applies in the situation where the user has unlocked 2 android phones, directly connected them and run the device transfer wizard; I've had a look I've not seen situation where this can be abused.

@ignoramous
Copy link

Is this something we want on by default?

Au contraire, might want to disable Auto Backup entirely (android:allowBackup=false) as when a backup runs, Android kills (every night?) and restarts the app process in (what they call) restricted mode (no access to content providers or databases etc), or might want to mark the app as supporting backups in the foreground (android:backupInForeground=true) and/or extend the default BackupAgent for better control over the process.

@mintsoft
Copy link
Author

mintsoft commented Sep 6, 2025

might want to mark the app as supporting backups in the foreground and/or extend the default BackupAgent for better control over the process.

AFAIK neither of those are actually ideal behaviour. The backupInForeground permits the backup system to close the application for backing up, even if it is in the foreground and extending the backup agent allows the app to be very selective over which files are backed up, but I do not believe it permits the application to keep running throughout the process.

msfjarvis
msfjarvis requested changes Sep 19, 2025
View reviewed changes
mintsoft and others added 3 commits September 23, 2025 12:42
@mintsoft @msfjarvis
This doesn't need to be 23, the tunnel can be 21 without affecting th…
b5d0389 
…e backups

Co-authored-by: Harsh Shandilya <me@msfjarvis.dev>
Signed-off-by: Rob Emery <mintsoft@users.noreply.github.com>
@mintsoft
database not required
a24b92c
@mintsoft
For API>=31 the old XML is deprecated and we should be using dataExtr…
f5b7b68 
…actionRules
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zx2c4 zx2c4 zx2c4 left review comments

@msfjarvis msfjarvis msfjarvis requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mintsoft @zx2c4 @ignoramous @msfjarvis