In a recent entry in the Android bug tracking forums, a developer reported that the Android backup services (via the BackupManager apps) are transmitting critical user information — including passwords — in the clear, back to Google servers.
Specifically, BackupManager can be installed from the Google Play store by any end user, and then configured to synchronize data with their Google account. In a production or enterprise environment, it is reasonable to assume that a user has a tremendous amount of potentially sensitive information stored on their mobile device, including wifi passwords for their company’s wireless routers and potentially even the passwords for their Google account itself.
Having this kind of information transmitted in the clear exposes an organization to significant risk. While Google’s security is excellent, it is conceivable that an intermediary server could be compromised, either by a criminal or by an agency with an interest in capturing this kind of data — say, the NSA in the United States.
Both for these reasons and as a matter of good policy in general, organizations should monitor and control their users’ data, both within internal systems and on mobile devices. The perimeter for network security has shifted over the past decade: where once a good firewall and physical security for the server room were sufficient, the rise of BYOD, the increasing amount of sensitive data stored on those devices, and the expanding ecosystems that allow users to move that data to third-party vendors (or even back to the service providers in less-than-secure fashion, as appears to be the case with BackupManager) have introduced new requirements around security and data loss prevention.
Without reliable detection and control mechanisms, it is not possible for any organization to ensure that those requirements are being met. However, security-conscious organizations can remediate those exposure points; it is safe to assume that Google will address the plaintext transmission issues with BackupManager, but until that change exists, we strongly suggest disabling the app for your users today.
If you currently have access to CloudLock’s Apps Firewall, and specifically its new mobile application classification functionality, this type of control can be implemented in a matter of minutes. If you are not yet scanning for and controlling third-party applications, this potential exposure is another example of why doing so is critical to a robust defense against data loss.