author Colin Cross <ccross@android.com> 2018-04-11 17:28:39 +0000
committer Android (Google) Code Review <android-gerrit@google.com> 2018-04-11 17:28:39 +0000
commitfcbbb726033a2846201cbe60f4eacbcfdc30f20c (patch)
treef4f32c5444d80953f5abd1ad7d25ad45edc76c11
parent68e5f0f2427398db1187cfaf8454f92fd335f7b6 (diff)
parent4da177489448ac20ad50b2ec339c9e1be66ccd77 (diff)
Merge "Revert "Update docs to match encryption requirements"" into pi-dev
-rw-r--r--core/java/android/app/backup/BackupAgent.java15
-rw-r--r--core/java/android/app/backup/BackupDataOutput.java6
-rw-r--r--core/java/android/app/backup/FullBackupDataOutput.java6
3 files changed, 6 insertions, 21 deletions
diff --git a/core/java/android/app/backup/BackupAgent.java b/core/java/android/app/backup/BackupAgent.java
index 39b9181b9b6e..d1c957b8fedc 100644
--- a/core/java/android/app/backup/BackupAgent.java
+++ b/core/java/android/app/backup/BackupAgent.java
@@ -148,17 +148,10 @@ public abstract class BackupAgent extends ContextWrapper {
* Flag for {@link BackupDataOutput#getTransportFlags()} and
* {@link FullBackupDataOutput#getTransportFlags()} only.
*
- * <p>The transport has client-side encryption enabled. i.e., the user's backup is encrypted
- * with a key known only to the device, and not to the remote storage solution where the backup
- * data is stored. The key may be synced to a remote trusted hardware module if it has
- * protections equivalent to those described in the
- * <a href="https://developer.android.com/preview/features/security/ckv-whitepaper.html">Google
- * Cloud Key Vault Service whitepaper</a>. Having direct access to the trusted hardware module
- * must be insufficient to decrypt the user's backup data.
- *
- * <p>The backup data itself must be encrypted using an AES/GCM/NoPadding cipher. The key
- * material must be randomly generated using {@link java.security.SecureRandom}, and must have
- * at least 256 bits of entropy.
+ * <p>The transport has client-side encryption enabled. i.e., the user's backup has been
+ * encrypted with a key known only to the device, and not to the remote storage solution. Even
+ * if an attacker had root access to the remote storage provider they should not be able to
+ * decrypt the user's backup data.
*/
public static final int FLAG_CLIENT_SIDE_ENCRYPTION_ENABLED = 1;
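Review bot: The replacement paragraph for FLAG_CLIENT_SIDE_ENCRYPTION_ENABLED says an attacker "should not be able to decrypt" the backup, which reads as an expectation rather than a requirement on the transport that sets the flag. An agent reading this flag from getTransportFlags() presumably uses it to decide what data is safe to hand to the transport, so the wording should be normative, e.g. `* if an attacker had root access to the remote storage provider they must not be able to`. The new text also no longer says whether the key may ever be synced or escrowed off the device; the intended policy is not visible in this hunk, but one sentence stating it would remove the ambiguity. Separately, "enabled. i.e.," should read "enabled, i.e.,". The class body continues outside the hunk.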
diff --git a/core/java/android/app/backup/BackupDataOutput.java b/core/java/android/app/backup/BackupDataOutput.java
index 4f90cf7781e0..5a66f3407417 100644
--- a/core/java/android/app/backup/BackupDataOutput.java
+++ b/core/java/android/app/backup/BackupDataOutput.java
@@ -107,12 +107,8 @@ public class BackupDataOutput {
/**
* Returns flags with additional information about the backup transport. For supported flags see
- * {@link android.app.backup.BackupAgent}.
+ * {@link android.app.backup.BackupAgent}
*
- * <p>Returns the same flags that {@link BackupTransport#getTransportFlags()} returns.
- *
- * @see BackupAgent#FLAG_CLIENT_SIDE_ENCRYPTION_ENABLED
- * @see BackupAgent#FLAG_DEVICE_TO_DEVICE_TRANSFER
* @see FullBackupDataOutput#getTransportFlags()
*/
public int getTransportFlags() {
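Review bot: The new sentence ending in `{@link android.app.backup.BackupAgent}` loses its closing period and points at the whole class, so a reader looking for the encryption flag has to search BackupAgent for it. Linking the constant that is visible in this commit would be more direct: `* {@link android.app.backup.BackupAgent#FLAG_CLIENT_SIDE_ENCRYPTION_ENABLED}.` The comment also no longer says where the returned flags come from; if the removed link could not stay (it may have targeted a class that is not public, which I cannot confirm from the diff), a plain-text sentence naming the transport as the source would do. The same applies to the identical hunk in FullBackupDataOutput.java. The body of getTransportFlags() is outside the hunk.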
diff --git a/core/java/android/app/backup/FullBackupDataOutput.java b/core/java/android/app/backup/FullBackupDataOutput.java
index f1d9dc6fa93c..18f428339941 100644
--- a/core/java/android/app/backup/FullBackupDataOutput.java
+++ b/core/java/android/app/backup/FullBackupDataOutput.java
@@ -26,12 +26,8 @@ public class FullBackupDataOutput {
/**
* Returns flags with additional information about the backup transport. For supported flags see
- * {@link android.app.backup.BackupAgent}.
+ * {@link android.app.backup.BackupAgent}
*
- * <p>Returns the same flags that {@link BackupTransport#getTransportFlags()} returns.
- *
- * @see BackupAgent#FLAG_CLIENT_SIDE_ENCRYPTION_ENABLED
- * @see BackupAgent#FLAG_DEVICE_TO_DEVICE_TRANSFER
* @see BackupDataOutput#getTransportFlags()
*/
public int getTransportFlags() {