Application Backup Protection
| Plan | Platforms | MASVS |
|---|---|---|
| Team | iOS | MASVS-STORAGE-2 |
Overview
Application Backup Protection prevents sensitive MobileDefender SDK state from being included in iCloud, iTunes, or Finder backups. By excluding SDK-owned directories from backups, this control ensures that framework telemetry, configuration caches, and internal state cannot be extracted from backup archives.
Important: This control operates exclusively on MobileDefender's own directories. It does not affect your application's data, documents, or user files.
How It Works
When enabled, the SDK marks its private directories with Apple's NSURLIsExcludedFromBackupKey file attribute:
- <Documents>/MobileDefender/
- <Application Support>/MobileDefender/
This is a standard iOS mechanism that instructs the operating system to skip these paths during iCloud, iTunes, and Finder backup operations. The exclusion is re-applied whenever the app returns to the foreground to ensure persistence across SDK lifecycle events.
Scope and Limitations
What Is Protected
- MobileDefender's internal cache and configuration state
- SDK telemetry logs stored in framework-owned directories
What Is NOT Protected
- Your application's Documents folder
- Your application's Library folder
- Any user data or files created by your app
- iCloud container contents
- Any paths outside the SDK's private subdirectories
The SDK intentionally excludes only its own directories to avoid interfering with your application's backup strategy. You remain fully responsible for managing backup inclusion/exclusion of your own app data.
Threats Mitigated
- Backup Extraction Attacks: Adversaries with access to iCloud backups or iTunes/Finder backup files cannot retrieve MobileDefender's internal state
- Cloud Storage Exposure: SDK telemetry and configuration are not synchronized to iCloud servers
- Forensic Analysis: Backup archives do not contain framework artifacts that could reveal detection capabilities
Caveats
- This control protects SDK state only. If your application stores sensitive data, you must implement your own backup exclusion strategy using NSURLIsExcludedFromBackupKey.
- System directories (<Caches>/, <tmp>/) are already excluded from backups by iOS and are not modified by this control.
- Requires iOS filesystem access; no additional permissions needed.
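For the first caveat, one way to exclude an app-owned directory from backups and re-apply the flag on foreground, as the page describes the SDK doing for its own paths. This is an added example, not MobileDefender code; the class name `AppBackupExclusion` and the `Sensitive` subdirectory are assumptions.

```swift
import Foundation
#if canImport(UIKit)
import UIKit
#endif

/// Hypothetical helper (not part of MobileDefender): keeps one app-owned
/// directory out of iCloud, iTunes, and Finder backups.
final class AppBackupExclusion {
    private let directory: URL
    private var observer: NSObjectProtocol?

    /// `subdirectory` is an assumed name for where the app keeps sensitive files.
    init(subdirectory: String = "Sensitive") throws {
        let base = try FileManager.default.url(for: .applicationSupportDirectory,
                                               in: .userDomainMask,
                                               appropriateFor: nil,
                                               create: true)
        directory = base.appendingPathComponent(subdirectory, isDirectory: true)
        try apply()
        #if canImport(UIKit)
        // Re-apply on every return to the foreground, since the flag is lost
        // if the directory is deleted and recreated while the app runs.
        observer = NotificationCenter.default.addObserver(
            forName: UIApplication.willEnterForegroundNotification,
            object: nil, queue: .main) { [weak self] _ in
                try? self?.apply()
        }
        #endif
    }

    deinit {
        if let observer = observer { NotificationCenter.default.removeObserver(observer) }
    }

    /// Creates the directory if needed, sets the exclusion flag, then reads it back.
    func apply() throws {
        try FileManager.default.createDirectory(at: directory,
                                                withIntermediateDirectories: true)
        var url = directory
        var values = URLResourceValues()
        values.isExcludedFromBackup = true   // Swift name for NSURLIsExcludedFromBackupKey
        try url.setResourceValues(values)

        // Drop cached values so the check reflects what is stored on disk.
        url.removeAllCachedResourceValues()
        let check = try url.resourceValues(forKeys: [.isExcludedFromBackupKey])
        guard check.isExcludedFromBackup == true else {
            throw CocoaError(.fileWriteUnknown)
        }
    }
}
```

Setting the flag on a directory excludes its contents as well, so sensitive files only need to be written beneath that directory.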
Support Matrix
| Platform | Minimum Version | Status |
|---|---|---|
| iOS | 12.0+ | ✅ Supported |
| Android | — | ❌ Not Available |
How to Enable the Control
In the AppTego portal, navigate to Preventative Controls and expand the Data Sharing Protection section, where you will find the iOS Backup Protection control. Click Enable; the control is then applied in the next build, or with a live push (if enabled).
API Configuration Example
{
  "BackupProtection": {
    "protection": true
  }
}
Set protection: false to allow MobileDefender directories to be included in backups (not recommended).