[Security Improvement] SymantecPGP Viewer for Android: Weak backup security


Symantec PGP Viewer neither sets android:allowBackup="false" nor, with allowBackup left at its default of true, declares an android:backupAgent on the &lt;application&gt; element of its manifest. As a result the Android backup service can back up the application's data and restore it onto a different device, together with all the key material required to decrypt.




$ adb backup com.symantec.pgpviewersymantec
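To make the manifest condition described above concrete, here is an added example (not code from the original post and not Symantec's manifest) that takes a decoded AndroidManifest.xml, such as the one apktool produces from an APK, and reports whether the app is exposed to data backup. The three manifests embedded in it are constructed samples: the weak form with allowBackup left at its default, the hardened form with allowBackup="false", and the form where a backupAgent is declared (the assumed class name .RestrictedBackupAgent is a placeholder).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests; the package name is a placeholder, not the real app.
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pgpviewer">
    <application android:label="PGP Viewer">
    </application>
</manifest>
"""

HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pgpviewer">
    <application android:label="PGP Viewer" android:allowBackup="false">
    </application>
</manifest>
"""

# Assumed agent class name; the verdict only records that an agent is declared,
# it cannot tell whether that agent actually excludes key material.
AGENT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pgpviewer">
    <application android:label="PGP Viewer" android:allowBackup="true"
        android:backupAgent=".RestrictedBackupAgent">
    </application>
</manifest>
"""


def assess_backup_exposure(manifest_xml: str) -> dict:
    """Classify a decoded manifest by its backup settings.

    Returns a dict with the effective allowBackup value, whether it was set
    explicitly, the declared backupAgent (or None) and a verdict:
      exposed          - allowBackup is true (explicitly or by default) and no agent
      agent-controlled - allowBackup is true but a custom backupAgent is declared
      hardened         - allowBackup is explicitly false
    """
    root = ET.fromstring(manifest_xml.strip())
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    raw_allow = app.get(f"{{{ANDROID_NS}}}allowBackup")   # None when the attribute is absent
    agent = app.get(f"{{{ANDROID_NS}}}backupAgent")
    # Android defaults allowBackup to true when the attribute is omitted.
    allow_backup = True if raw_allow is None else raw_allow.strip().lower() == "true"

    if not allow_backup:
        verdict = "hardened"
    elif agent:
        verdict = "agent-controlled"
    else:
        verdict = "exposed"

    return {
        "allowBackup": allow_backup,
        "explicit": raw_allow is not None,
        "backupAgent": agent,
        "verdict": verdict,
    }


def report(name: str, manifest_xml: str) -> str:
    """One-line human-readable summary for a manifest."""
    r = assess_backup_exposure(manifest_xml)
    source = "explicit" if r["explicit"] else "default"
    agent = r["backupAgent"] or "none"
    return f"{name}: allowBackup={r['allowBackup']} ({source}), backupAgent={agent} -> {r['verdict']}"


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_MANIFEST),
                      ("hardened", HARDENED_MANIFEST),
                      ("agent", AGENT_MANIFEST)):
        print(report(name, xml))
```

Run against a real decoded manifest by reading the file into a string and passing it to assess_backup_exposure. The "exposed" verdict is the condition the post describes; "agent-controlled" only means an agent exists, so whether keys are still included depends on what that agent backs up and must be reviewed by hand.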


I do not classify this as a critical security vulnerability. However, this is definitely a good security improvement that can be utilized to prevent unauthorized backups of the application. But if this application is used for confidential communication, I would not consider this to be a secure practice.


In our past experience with Symantec, they stated that endpoint-based security vulnerabilities/improvements are not a concern for Symantec PGP Viewer. They intend only to fix security issues that compromise PGP integrity over the network, and hence won't fix such issues.

You can learn about me at my portfolio.
I follow my own Vulnerability Disclosure Policy.
Most of my work is listed here.