[Security Improvement] Symantec PGP Viewer for Android: Weak backup security

Description

Symantec PGP Viewer does not set android:allowBackup="false" on the <application> element of its manifest, nor does it declare an android:backupAgent to control what gets backed up. Because allowBackup defaults to true, the Android backup service is permitted to copy the app's entire private data directory. Anyone with an authorized adb session to the device (USB debugging enabled and the host accepted) can therefore pull that data with adb backup, including the keys the app stores, and restore it onto a different device, where the same keys can be used to decrypt the user's messages.
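
As an added example, not part of the original post or the vendor's code, the following Python checker applies the manifest rules described above to a decoded AndroidManifest.xml and reports whether the app's data is exposed to adb backup. The three sample manifests and the com.example.pgpviewer package name are constructed for illustration; they are not the real app's manifest.

```python
"""Manifest check for the allowBackup weakness described above (added example)."""
import xml.etree.ElementTree as ET

# Namespace used by every android:* attribute in an AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Attributes that let an app limit or exclude what the backup service copies.
BACKUP_CONTROLS = ("backupAgent", "fullBackupContent", "dataExtractionRules")


def _android_attr(elem, name):
    """Read an android:<name> attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_backup_exposure(manifest_xml):
    """Decide whether an app's private data is exposed to `adb backup`.

    Rules applied (manifest semantics, not app-specific logic):
      * android:allowBackup defaults to "true" when the attribute is missing.
      * With allowBackup true and no backupAgent / fullBackupContent /
        dataExtractionRules declared, the whole private data directory
        (databases, shared_prefs, files, i.e. any stored key material)
        is backed up as-is and can be restored on another device.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    raw = _android_attr(app, "allowBackup")
    allow_backup = True if raw is None else raw.strip().lower() == "true"
    controls = [n for n in BACKUP_CONTROLS if _android_attr(app, n)]

    return {
        "package": root.get("package"),
        "allowBackup": allow_backup,
        "allowBackup_explicit": raw is not None,
        "controls": controls,
        # Fully exposed: backups on and nothing narrows the backed-up data set
        "exposed": allow_backup and not controls,
    }


def verdict(manifest_xml):
    """One-line human-readable result for a manifest."""
    r = check_backup_exposure(manifest_xml)
    if r["exposed"]:
        how = "explicitly" if r["allowBackup_explicit"] else "implicitly (attribute missing)"
        return "%s: EXPOSED - allowBackup is true %s and no backup controls are declared" % (r["package"], how)
    if not r["allowBackup"]:
        return "%s: OK - allowBackup=false, app data excluded from backup" % r["package"]
    return "%s: REVIEW - backups enabled but scoped by %s" % (r["package"], ", ".join(r["controls"]))


# Constructed sample manifests (hypothetical package; not the real app's manifest).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pgpviewer">
    <application android:label="Viewer">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pgpviewer">
    <application android:label="Viewer" android:allowBackup="false">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

SCOPED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pgpviewer">
    <application android:label="Viewer" android:allowBackup="true"
        android:fullBackupContent="@xml/backup_rules">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (WEAK_MANIFEST, HARDENED_MANIFEST, SCOPED_MANIFEST):
        print(verdict(m))
```

The checker takes a decoded manifest; the binary manifest inside a built APK must first be decoded (for example with apktool, or inspected with aapt dump xmltree). For an app that stores key material, the fix is android:allowBackup="false"; fullBackupContent or dataExtractionRules only narrow the data set and need review to confirm the key files are actually excluded. Note that on Android 12 and later, adb backup is no longer honoured for apps targeting API 31 or higher unless they are debuggable, so the manifest flag matters most on older devices and for apps with an older targetSdkVersion.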

CVSS

NA

POC

$ adb backup -f viewer.ab com.symantec.pgpviewersymantec    # on the victim's device, over an authorized adb session
$ adb restore viewer.ab                                    # on a second device: the app's private data, keys included, comes back

Vulnerability?

I do not classify this as a critical security vulnerability. However, it is definitely a good security improvement that can be used to prevent unauthorized backups of the application. But if this application is used for confidential communication, I would not consider this to be a secure practice.

Disclosure

In our past experience with Symantec, they stated that endpoint-based security vulnerabilities/improvements are not a concern for Symantec PGP Viewer. They intend only to fix security issues that compromise PGP integrity over the network, and hence won't fix such issues.

Namaste.
You can learn about me at my portfolio.
I follow my own Vulnerability Disclosure Policy.
Most of my work is listed here.