Description
Symantec PGP Viewer does not set android:allowBackup to false in its manifest: the attribute is left at its default value of true, and no android:backupAgent attribute is defined on the application element to control what gets backed up. This allows the Android backup service to take a backup of the application's data and restore it on a different device together with all of the keys required to decrypt.
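The following is an added check, not part of the original advisory, that applies the rule described above to a decoded AndroidManifest.xml: it reports the app as exposed when android:allowBackup is absent (default true) or true and no android:backupAgent is defined. The sample manifests and package name are constructed for illustration, not taken from the real app.

```python
"""Flag the backup misconfiguration described in the advisory in a decoded
AndroidManifest.xml: allowBackup left at its default (true) or set to true,
with no backupAgent attribute on <application>."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def check_backup_config(manifest_xml: str) -> dict:
    """Parse manifest text and return the backup-related settings plus a verdict."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    # Namespaced attributes are keyed as {namespace}name by ElementTree.
    allow = app.get(f"{{{ANDROID_NS}}}allowBackup")   # None means default: true
    agent = app.get(f"{{{ANDROID_NS}}}backupAgent")
    allow_backup = True if allow is None else allow.strip().lower() == "true"
    return {
        "package": root.get("package"),
        "allowBackup": allow_backup,
        "allowBackup_explicit": allow is not None,
        "backupAgent": agent,
        # Exposed per the advisory's rule (assumption): backups allowed and
        # no custom agent restricting what is backed up.
        "exposed": allow_backup and agent is None,
    }


# Constructed sample manifests (hypothetical package, not the real app).
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.viewer">
  <application android:label="Viewer"/>
</manifest>"""

FIXED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.viewer">
  <application android:label="Viewer" android:allowBackup="false"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        r = check_backup_config(xml)
        print(f"{name}: allowBackup={r['allowBackup']} "
              f"backupAgent={r['backupAgent']} exposed={r['exposed']}")
```

The fix the advisory asks for is the second manifest: an explicit android:allowBackup="false" on the application element.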
CVSS
NA
POC
$ adb backup com.symantec.pgpviewersymantec
Vulnerability?
I do not classify this as a critical security vulnerability. However, this is definitely a good security improvement that can be utilized to prevent unauthorized backups of the application. But if this application is used for confidential communication, I would not consider this to be a secure practice.
Disclosure
In our past experience with Symantec, they stated that endpoint-based security vulnerabilities/improvements are not a concern for SymantecPGPViewer. They intend only to fix security issues that compromise PGP integrity over the network, and hence won't fix such issues.