6

I have an Android smartphone that I don't trust. It has an old version of Android and has been vulnerable to Stagefright and a host of a hundred other vulnerabilities for months. Although there is no clear sign of compromise, because of the number of security holes open for so long, I simply don't trust the device, and assume that it has been compromised.

That being the case, I am switching to a new Android phone (that has the latest OS, and will receive all the latest patches for 2-3 years). Obviously there are zero-days that could cause my device to become compromised, but I would like to START with what I can with some confidence say is a clean device.

I also want to make my life easier, by restoring data from backup. I am assuming I can probably relatively safely re-sync my calendar and contacts from Google servers, but I am afraid to restore my apps.

What are relatively benign things I can restore from backup (that is Sync from Google servers) and what should I avoid?


Caveat: I am fully aware there is no such thing as a completely secure phone. I am simply looking to provide myself a reasonable level of assurance that I am not going to put myself in harm's way by restoring backed up data.

n00b
  • 4
    The Android app restoration process doesn't restore the exact version you had on your old phone - it installs the latest version of the app, which might well be updated to take advantage of the features in the new version of the OS. If you don't trust the apps you had installed, you don't have to install them again, but you're probably safer installing things from Play store than random third party sites. – Matthew Feb 04 '16 at 14:16
  • @Matthew Well said. Fortunately, Google Play will not back up third-party apps, so OP doesn't have to worry about that happening in the restore process. – Mark Buffalo Feb 05 '16 at 03:21

1 Answer

4

Is it unsafe to restore backed up data from Google servers?

Not generally.

Like Matthew said in his comment, the restore process will not restore the vulnerable versions of previous applications unless the application is still vulnerable.

What Google does is simply store a list of applications you used. You will then have to re-download them, and most of them will probably be updated to remove previous vulnerabilities, making you much safer overall.

Imagine the horror of having to store dozens of different versions of a billion different applications. I can't see that being very efficient.

Your contacts and photos are likely safe as well.


Is there anything else to worry about?

The only thing you really have to worry about is the app permissions. Do you want to allow certain applications access to things you'd rather they didn't?


Updated Responses

In response to your update:

What are relatively benign things I can restore from backup (that is Sync from Google servers)

Pictures, lists of previously-installed programs, contacts. Essentially, nearly everything you had before.

and what should I avoid?

If you have any documents, avoid those. Though by now, it's possible the exploit that allowed those documents to introduce malware has been fixed in the updated applications. It's also possible it still hasn't been fixed. I would recommend avoiding them if you can.

If the documents need to be retained, you can still restore them. Don't open them, though. Save them to your computer, and dump them into a virtual machine on a different operating system such as Linux, and get the information you need from them. While it's possible to break out of a VM, it's unlikely.

Mark Buffalo
  • 1
    I guess my concern is if my device was compromised, there could be malware (system/configuration) files that get backed up and transferred over with the backup restore. I'm assuming the device has a root kit on it and there are X files that have malicious scripts on them. On a PC we advise people to never restore files from a compromised machine. Why is it ok on Android? – n00b Feb 05 '16 at 17:47
  • @n00b I updated my post. Does it help alleviate some concerns? – Mark Buffalo Feb 05 '16 at 17:52
  • 1
    yep. tick and plus one for you good sir. – n00b Feb 05 '16 at 17:55
  • "Imagine the horror of having to store dozens of different versions of a billion different applications" -- yes, Google *hates* storing stuff ;-) – Steve Jessop Mar 10 '16 at 18:25
  • @SteveJessop Yeah, I don't think that's a very good argument for what I was trying to say. I'll reword it some day. – Mark Buffalo Mar 10 '16 at 18:36
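
Added example (not part of the original answer or its comments): the permission review the answer recommends can be scripted once the apps have been reinstalled on the new phone. The sketch parses text shaped like `adb shell dumpsys package <package>` output; the sample dump, the package names and the contents of the SENSITIVE set are constructed assumptions for illustration.

```python
import re

# Permissions worth a second look after a restore. This is a subset chosen
# for the example; Android's runtime-permission list is longer.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed, simplified sample in the shape of dumpsys package output.
SAMPLE = """\
Package [com.example.flashlight] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=false
Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_sensitive(dump):
    """Map each package to the sensitive permissions it currently holds."""
    result = {}
    current = None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = []
            continue
        perm = PERM_RE.match(line)
        # Only count permissions that are both granted and on the watch list.
        if perm and current and perm.group(2) == "true" and perm.group(1) in SENSITIVE:
            result[current].append(perm.group(1))
    return result

if __name__ == "__main__":
    for package, perms in granted_sensitive(SAMPLE).items():
        print(package, "->", ", ".join(perms) or "no sensitive grants")
```

A grant that looks out of place for what the app does can be removed in the phone's app settings or with `adb shell pm revoke <package> <permission>`.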