Android's Wifi backup feature is neither new, unique nor dangerous

The Internet has worked itself up into a bit of a tizzy over the weekend about an innocuous system-level feature that’s been around since Android 2.2 Froyo. The “Back up my data” option —  found under “Settings>Backup & reset” on most Android phones — allows certain stuff, including Wifi passwords, to be backed up to the cloud. The current setting label reads:

“Back up application data, Wi-Fi passwords and other settings to Google servers.”

And that’s exactly what it does. Uncheck the box and you’re informed that Google’s copy of the data will be purged from its servers, as it should be.

The checkbox is presented to users during the setup process, and the label is very clear about what will happen if you leave it enabled. The reason for the feature’s presence is also plain to see — it’s supposed to make the process of setting up new devices a little quicker by pulling down your personal settings and network details from the cloud. Yes, including your Wifi password.

If you’re not comfortable with Google keeping a copy of your stuff, simply uncheck the box. Same deal if you change your mind after the fact — uncheck the box, and Google’s copy of your Wifi passwords goes up in smoke. It’s been that way since the feature was first introduced some three years ago.

But in light of the recent controversy over government surveillance, the story seems to have taken on a new angle, with articles appearing suggesting Google is creating a vast database of all the world’s Wifi passwords in one convenient, NSA-accessible place.

While it’s true that Google, as an American company, could be compelled to surrender this data to the authorities, Wifi passwords are perhaps some of the least sensitive bits of data stored with your Google account. Next to the wealth of very personal information with which Google is entrusted, Wifi passwords, easily changed and easily removed from Google’s servers, are a minor detail.

Were Google collecting this stuff covertly through Android, it’d be a more serious matter. But the data backup feature is plain to see whenever you set up any Android device, while being easy to disable at any time. And that’s exactly what it is — a backup. You’re not giving Google permission to sniff around your networks independently using these details.

In a statement given to Ars Technica in July (opens in new tab), a Google spokesperson said that the personal backup data is “encrypted in transit,” but couldn’t speak to whether it was encrypted on Google’s servers. From an anti-snooping perspective, though, the question of whether it’s encrypted “at rest” is mostly academic. Unless extraordinary measures were taken, Google would surely have the means to decrypt it, and would be required by law to do so. Perhaps more to the point, if a government agency really wants to surveil your home network, they probably don’t need Google’s help to do so.

It’s also worth noting that the situation with regards to storing Wifi passwords in the cloud is by no means limited to Android — Apple’s iOS stores Wifi details (among other things) in iCloud backups. That’s why restoring an iPhone also brings back your Wifi passwords. Microsoft’s Windows 8 has a similar feature, too. As more of us juggle multiple devices, this kind of thing is going to become more common.

So as with many other Android “security” scares, we’re not going to lose any sleep over Google’s backing-up of our network details. But if you’d rather opt out, you’re just one checkbox away, just as you have been for the past three years.

Alex Dobie
Executive Editor

Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.

  • Agree with letting Google hold the passwords or not... If you think your wifi password is stopping the NSA from getting onto your wireless network if they want to then you're just kidding yourself.
  • I am more concerned google will be hacked or somehow leak my data than our incompetent government would care about snooping at me.
  • And your WiFi password will be valuable to.... who exactly? Change it on a regular basis, and there's no security issue here. at all.
  • I feel like my dad has set up a secure enough network that even the NSA can't access. First, the network isn't broadcasting it's name. Second, he uses a white-list for devices that can connect to anything on the network. It's a pain to bring a new device home because you need to wait for him to come home and add the device to the list. Posted via Android Central App
  • Networks with hidden SSIDs can be easily found with software such as InSSIDer. Once a hacker gets far enough to see the wifi traffic (even if it won't let them actually 'connect'), they can then see the MAC addresses of all the devices that are on the network. They can then easily spoof a MAC address to get them onto the network, surpassing any mac address white list. Hidden SSIDs and mac address filtering are a little extra security to keep your neighbors out, but any average hacker can easily get past.
  •'re consumer grade wireless router can stop the NSA. Your dad should work for them! /S
  • your.
  • LMAO!
  • Please tell me he at least uses WPA2 as well right? Hiding a network and using a white list is not creating a secure network.
  • LMAO, good luck in fooling yourself that your Dad's wifi can never be accessed by NSA or ANYONE! What a moron. NOTHING is safe from these sources. If you think not, your completely stupid. HAHAHAHA
  • Geez, guy, no need to berate the poor kid. He's talking about how his dad set up his home wi-fi network, not claiming to be a security expert. Sure, the NSA can probably bypass that, but couldn't you explain that nicely instead of being an immature arse?
  • i agree. if he's wrong just point it out respectfully. =)
  • No, "your" stupid.
  • Wow, sounds like someone needs a nap.... Have some respect, to a young adult some of them look up to the parent or parents as being that one person who don't let them down. Your just being an ass.
  • Wow, I didn't expect people to take me so seriously, haha.
  • Based on your wording I thought it was pretty obvious you weren't serious! Saying you "FEEL LIKE" your dad set up a network "EVEN" the NSA can't hack isn't even close to saying that he actually did set up such a network! Your attempt at humor was fine. Some people are just too uptight to see the humor.
  • This is the exact mindset the NSA wants you to have. Say your Dad Networking level is 100 there are people out there who are god like in power.. more like level 9000. You can never imagine how good they are. They are so powerful and unstoppable and they don't even see your Dad's setup as having a Security. My Advise.. Life is like a video game... Level up yourself.. Go to school and keep learning. Your post alone here contains some knowledge and this already makes you Level 29; you already have a good start. Welcome to the real world, Kid.
  • Time to move out. Then, there's always Starbucks.
  • Give me a few clients actually using the network, and a couple hours and it isn't so secure.
  • Hiding an SSID doesn't secure the network, nor does "white listing" or MAC filtering as it is called. A MAC address can be sniffed and spoofed at will. Even encrypted traffic has to have it's MAC address visible in plain text for every packet, otherwise layer 2 breaks. WPA2 encryption itself is way more secure than either turning off SSID broadcast and MAC filtering. Bypassing the latter 2 is very trivial. To the point that as long as you have strong encryption it is pointless to use the other two as a security measure. Not to say that encryption isn't susceptible to hacking either.
  • wow guys, chill out. I guess I'm bad at not being serious.
  • I don't think they have that ability! LOL
  • they would not sit in front of your house and try and hack your wifi.... I Highly doubt your even close to NSA proof..
  • I can hack you password driving by your house in less than 10 minutes. I do not need to hack Google...
  • If only you know where my house is...
  • Thank you! The whole story seemed as if it was a slow news day. Shame
  • herpaderp
  • Well played, business pro!! Well played!! Posted via Android Central App
  • All caps _and_ exclamation points.
    I bet your face was red when you banged that out.
  • I feel sorry for his keyboard, I hope it still has all its keys intact O_O
  • Here's the thing: There are millions of people using this feature. I highly doubt Google or the NSA will come to your location and connect to your WiFi network, unless of course, you did something illegal.
  • Because the NSA only surveils criminals, and doesn't do widespread dragnetting....
  • They monitor people from their own offices. They aren't going to waste time coming to your house, parking on your street, and waiting for you to get on the Internet and watch what you do unless they have a very good reason.
  • Not only NSA. FBI, DEA, local and State police and probably others...monitoring and perhaps random collecting under other pretexts. The scope of possible privacy breeches is large. That can't be good. Posted via Android Central App
  • Hey you providing the password and router SSID is much easier than driving the Google street view car around everywhere and simply jacking them! Geezzzzzz and it saves gas which saves the planet! You think the people would be happy for once?! LMAO! :p 5TH
  • This stupid fake "controversy" was started by Apple-fanboy site BGR in response to criticism over Apple's fingerprint scanner concerns. My only complaint with the feature is that it's wildy inconsistent. After wiping and loading ROMS a dozen times, I think maybe 40% of the time it has actually restored my passwords. Google relly needs to come up with a iCloud Backup type service that will restore an Android device, and all apps, instantly at login. Perhaps they could use Google Drive to store the files. I use Titanium Backup but it's not nearly as easy to use as iCloud...
  • Uhh. Google has done this since the release of 4.2 I've never had any problems. Flash new ROM. Sign-in. All apps download, passwords, browser history, pics, everything syncs. I'm wondering if Titanium backup is messing with Google's backup. It even saves data and settings within apps (if they were programmed correctly by the developer). I'm not sure why it's not working for you. Check the "backup & reset" options in the settings menu. And when you first start a new ROM, select "Yes, I want to restore all my apps and data"
  • I've been getting full backup/restore (including apps) since 4.0. I jumped to 4.0 from 2.2 though, so I can't speak on whether it was available for 2.3 or 3.x. Posted via Android Central App on my Galaxy Nexus
  • I use the Google Back up for all of my devices since my Droid 1, it has never save my wifi password, every time I have to manually type it in
  • That's weird. The backup service has restored my wi-fi configs every time I've loaded a ROM except for when I switched from CM to a Touchwizz ROM. Once I went back to CM, it restored the config perfectly.
  • Can't find this setting on my phone. I have a Razr M, any idea where it is or even if it's on my phone? Posted via Android Central App
  • If people are that worried about their data then they need to stay off the grid all together. Posted From my HTC One running PlayBook 3.0 via Android Central App
  • I never really got how the backup DATA worked. every time I change roms it only restores the app, not the actual data from the app.
    I have to resort to third party backups.
    Is this how it's intented to work?
  • I like this feature. I have a lot of wifi networks on my phone and it was nice not having to load all of them in when I got my Nexus 7.
  • I'll never trust Google until they reveal where they're hiding Elvis, Tupac and the aliens Posted from my brand new, super slim, gorgeous red Droid Ultra
  • Don't forget Bigfoot. Posted from my 1st gen Nexus 7 via Android Central App
  • He's been so busy mapping "street view" of the backwoods ; )No wonder he's always a step ahead of the damn trackers.
  • Had to use this feature three times this last week trying to fix a problem with my N 7. Was grateful to have it! Posted via Android Central App
  • But...if Google has my wifi password....and it gets leaked....I'd have to (gasp) CHANGE it! Oh FORLORN! Posted via Android Central App on my Galaxy Nexus
  • The shitty thing is that people are idiots, and they use the same password for their wifi router and their bank account. Seriously. People are that stupid.
  • I'm surprised that people still think that the ship of
    Govt wants something from you = They WILL get it
    hasn't sailed decades ago
  • That sweet piece of hardware!! Posted via Android Central App
  • Break out the tinfoil hats! :-)
  • Alex Dobie uses Dispel FUD. It was super-effective! Posted from my 1st gen Nexus 7 via Android Central App
  • When I first enabled this feature, I thought it was the most convenient thing in the world, especially when it comes to trying out new roms and the data wipes that usually come with it. I wasn't worried about security issues then, still not worried now. Of course I understood that you're backing up your wifi password, it states so in plain black-and-white and lets you choose not to enable it. Of course, if you have it enabled already, you can easily disable it and then change your wifi password. The issue is with everyone else's wifi passwords that you shared with google. Part of good wifi security is changing your password on a regular basis, but if people actually followed good security practices then Windows wouldn't have gotten its reputation as a security nightmare.
  • Interesting, All I know is that I received 2 replacement devices in July/August 2013. Then another in late August. Once I logged into my Google Play Account, most of my apps and the data reappeared on my current device. This included wi-fi passwords. For my home networks (I have 2) I change the passwords periodically anyway. This has been widely known for awhile so why is it an issue now?
  • There's one case to be concerned about saved wi-fi passwords. This saves the password for corporate wi-fi too. That's a little bit more important than a home wi-fi network. Google should at least give us more control over what it saves.
  • What does "Back up application data" mean? Does it include passwords for all yr apps including banking apps etc..?
  • Two states in the US legalize pot and 5 weeks later conspiracies start popping up all over the place! LOL Paranoid much!
  • I think it's reasonable if you want to take the risk for the convenience, I'm glad there's a choice. But ridiculing people for being paranoid about security when personal data is regularly pillaged from large corps? I wouldn't call that paranoid, so much as justified.
  • That happened last November, almost a year ago, not five months.
  • Give him a break. It's really hard to keep track of time when you're high.
  • correct me if I'm wrong, but.... (1) if the NSA or any other government agency or evil-doer gets your wifi password via Google server, won't they have to drive to within 100 feet of your house for this to be useful? (2) is Google's encrypted server really that safe? I'm sure the NSA's supercomputers are way more powerful than anything that Google owns ( (3)
  • I wonder if I'm the only one who got the NUD pun.
  • This is just ONE MORE reason that root won't be required. Before this, I had to backup wifi access points with Titanium backup and that required root. Now if I could just tether my unlimited plan without root (unless you're one of the select few who can use FoxFi) and the ability to do an entire system backup (like android) the only reason left to Root would be custom ROM.
  • That's not really news. End of July, the German IT news site reported this issue: 2013-07-16:
    (use Google Translate if neccessary) First, obviously Google doesn't always delete the WiFi passwords after unchecking the box. Second, maybe your WiFi is of no interest for any type of secret service – but using this feature for company WiFi is highly dangerous. Third, Apple encrypts the data for backup on device and only then transfers the encrypted passwords into the cloud. For restoring you need the password you set for encryption. Apple cannot decrypt anything (as long as they implemented the algorithms without any faults). So please: Don't pretend this not being a problem. It's quite a big problem, and Google could change this easily by just prompting for a password for encryption prior to uploading the backup.
  • If the data was encrypted on the device, and the private key (the part required for decryption) was only ever stored on the device, then you wouldn't be able to use the backed up data on a different device, making the backup *completely* worthless. Not to mention this would become annoying, since these kinds of backups happen frequently, and usually while you're not using the phone. I *could* see an advantage to Google making it an optional thing, where you put in the password used to generate the hash used as a private key. I suspect, though, that a lot of people would forget their password ;) Also, what is your source for this piece of information: "obviously Google doesn't always delete the WiFi passwords after unchecking the box" ? I don't see it being "obvious" at all, since everything from Google states the opposite. Now, if you use a corporate WiFi, and they have a problem with it getting backed up to Google's server, that something to take up with your employer. It really *isn't* an problem. Of all the data I willingly surrender to Google, my WiFi password is the least of my worries. As many others have said, if the NSA wants my information, they're not going to drive to my apartment and attach to my WiFi network to get it. They can already get it with a couple of keystrokes.
  • I think the wifi password issue is a valid concern. We have nothing but halfhearted assurances from Google about the security of the process and "Apple does it too!" is meaningless fanboy dreck. I still use backup on my S3, but I have no illusions about it being a secure process. Only a fool would actually "trust" a corporation like Google or any other, especially in light of recent events.
  • If you're referring to the Prism/NSA stuff, I don't think it's a "trust" issue with Google directly. Most of the big internet-based service providers have admitted that they have been (literally) forced to comply with this stuff and prevented from talking about it under threat of charges of treason. Our problem, here, is not Google/Yahoo/AOL/Apple/Facebook/etc. Our problem is a gestapo government who thinks they have a right to do anything they like, so long as it's in the name of "providing security". That said, the WiFi backup thing really shouldn't concern you so much. If the NSA wants your info, they're not going to drive all the way to your home and log onto your WiFi network to get it. They'll just send "tasking" orders to the router at your ISP to have the information routed to them at the comfort of their own offices.
  • I'm not worried about it, but it's perfectly valid to question Google about this and every other service they offer despite the author of the article urging everyone to essentially shut up and stop thinking about it. The conclusion that it's perfectly innocent is not based on any actual facts that I'm aware of. It probably is (I still use it), but no one outside of Google actually knows that for certain. It's true that the NSA can get anything they want given enough time, but that doesn't mean that we should stop asking questions and demanding answers both from the government and the companies we entrust with our data.
  • What question is it that you're wanting answered? Whether or not this data is deleted if you uncheck the box? Technically, Google has already answered that question, since the message box says that it will be. If you don't trust that, then what additional assurance would you get from a Google employee saying "yes, it is"? I agree with you that we should always ask for transparency in how our data is handled and what is being done with it. I think, in this case, Google has done all it can do with regard to telling you what is happening with this data. In fact, Google has gone to great lengths to provide us a way to view all this aggregated data that is attached to our accounts. If you don't trust one answer, why would you trust a confirmation of that answer? It's not like this is some sinister line of code that has been discovered. It's a setting on every phone going back three years. We *know* what it's intended purpose is. It explains what it does right there below the check box. The conclusion in the article is based on as much "fact" as you could possibly have, without personally, physically inspecting the code on Google's servers. Besides, even if Google was sharing your WiFi password with the NSA, they wouldn't be able to tell you about it, thanks to all those FISA requests included a gag-order.
  • Just because it can be broken doesn't mean you should trust anyone with it who has no need to know. Backing up is also silly since if you forget it change it in the router. Just deleted from all my Androids.
  • Because some of us have hundreds of wifi access points we connect to? We don't want to have to go through the whole process of having to login to all those again?
  • Anyone trying to sneak their way on to someones network by getting a password through an android phone backup to Google's servers will most likely have go through a list of a few hundred networks before they find the one they are looking for (if they find it)
  • How long after one chooses to not let Google maintain a backup of data is that data "purged" as you put it... In other words, how long is Google going to have that phone and network data (to use, for marketing+, or to provide in response to the frequent Government requests for our data...) ? The article has two comments that suggest immediate complete erasure... but absent something stating this explicitly, it cannot be assumed -especially in today's data hungry environment.. Could you please elaborate?..Thanks Posted via Android Central App
  • We're not talking about phone or network data here. You give that to Google all the time. The "panic" here is that (if you have this feature enabled) Google is storing your WiFi password on a server somewhere. While true that the government probably *could* demand this information from Google with one of their gestapo "FISA Letters", they don't need to. If they want your data, they don't have to get your WiFi password from Google, drive all the way to your house, connect to your WiFi and then "sniff" around your home network hoping they find something. They'll just send a "tasking" instruction to your ISP's router and wait for all your data to come to them. See? Nothing to worry about ;)