Counter measures against exfiltration of user data (for unlocked devices)

[grote]

Threat: Device is unlocked in hands of the attacker. They then use Seedvault to exfiltrate data of all apps.

Counter measures:

• require device credential when changing recovery code (currently done), circumvention: clear app data, create new code, make new backup with known code
• require device credential when making manual backup, circumvention: wait for automatic backup to happen or kick one off with adb shell bmgr

We should come up with more counter-measures that are harder or impossible to circumvent.

[grote]

One option could be to require device credential even on initial setup when writing down recovery code, would be slightly worse UX, but should ensure that the attacker can't know the recovery code without also providing device credential authentication which seems to be our only defense here anyway.

[chirayudesai]

adb shell bmgr

If adb isn't enabled, enabling Developer options does need device credentials.