Data in the Clear and Mobile Application Risk


In a recent entry in the Android bug tracking forums, a developer reported that the Android backup services (via the BackupManager apps) are transmitting critical user information — including passwords — in the clear, back to Google servers.

Specifically, BackupManager can be installed from the Google Play store by any end user, and then configured to synchronize data with their Google account. In a production or enterprise environment, it is reasonable to assume that a user has a tremendous amount of potentially sensitive information stored on their mobile device, including wifi passwords for their company’s wireless routers and potentially even the passwords for their Google account itself.

Having this kind of information transmitted in the clear exposes an organization to significant risk. While Google’s security is excellent, it is conceivable that an intermediary server could be compromised, either by a criminal or by an agency with interest in capturing this kind of data — say, the NSA in the United States.

Both for these reasons and as a matter of good policy in general, organizations should monitor and control their users’ data, both within internal systems and from mobile devices. The perimeter for network security has shifted over the past decade. Where once a good firewall and physical security on the server room were sufficient, the rise of BYOD, the increasing amount of sensitive data stored on those devices, and the expanding ecosystems that allow users to move that data to third-party vendors (or even back to the service providers in less-than-secure fashions, as appears to be the case with BackupManager) have introduced new requirements around security and data loss prevention.

Without reliable detection and control mechanisms, it is not possible for any organization to ensure that those requirements are being met. However, security-conscious organizations can remediate those exposure points; it is safe to assume that Google will address the plaintext transmission issues with BackupManager, but until that change exists, we strongly suggest disabling the app for your users today.

If you currently have access to CloudLock’s Apps Firewall, and specifically to its new functionality around mobile application classification, this type of control can be implemented in a matter of minutes. If you are not yet scanning for and controlling third-party applications, this potential exposure is another example of why doing so is critical to a robust defense against data loss.
