Enables Encrypted Backups

[mintsoft]

Fixes #3857

As discussed it is only enabled in the situation where client side encryption is enabled so the credentials are protected (#3846 (comment))

I don't think it's necessary to implement BackupAgent as the manifest assertions should be sufficient?

[mintsoft]

Been testing the version compatibility with Android; Android 5 will ignore the requirement for client encryption (see testing for a different app: https://codeberg.org/Freeyourgadget/Gadgetbridge/pulls/4123#issuecomment-2347840)

I've not checked the minimum sdk version for thunderbird/k9 yet; but the "simplest" solution is to ensure minimum of sdk 23/Android 6 and it'll behave as desired.

[cketti]

Thanks for the pull request ❤️

One thing we can't include in backups is OAuth access/refresh tokens. That could lead to multiple devices trying to use the same token. That would most likely be flagged by providers and could lead to the account being locked.

I currently don't have a suggestion on how to make backups work with that constraint in mind (other than using a custom BackupAgent). Do you have an idea?

[mintsoft]

Hmm, where are they stored? If they're all together etc we can probably exclude them in the backup.xml et voila.

[kewisch]

@mintsoft Are there any other settings aside from OAuth access/refresh tokens that we should be excluding? I believe all current settings are stored together, so they would need to be separated. How would you be solving that, indeed a custom BackupAgent?

[mintsoft]

AFAIK its only those tokens. How to separate depends on where they are, if they were in a dedicated file or under a sharedpref tree then you can exclude them in the backup.xml if it's not easily separable then yes, a BackupAgent is the only real option.