Skip to main content
Tech

Android Backup: What Actually Gets Saved (and What Won't)

Android backup isn't one system, it's three, and none of them cover authenticator app seeds. Here is what Google One, Google Photos, and WhatsApp actually save, what gets skipped, and how to migrate phones without losing your 2FA codes.

milanbuha00July 13, 20269 min read
ShareXin

You're staring at the "Erase all data" button, or you've just unboxed a new phone, and Android is telling you it's "backed up and ready." That message is doing a lot of quiet work to reassure you, and it is only partly true. Android doesn't have one backup — it has several, run by different systems, with different rules, and at least one category of data that none of them touch at all. Get this wrong and the damage isn't cosmetic: it's your two-factor codes locked to a dead phone, or a WhatsApp history that turns out to have never left your old device.

TL;DR

  • Android's built-in Google One device backup covers SMS/MMS, call log, contacts sync, device settings, and per-app data — but only up to a 25 MB per app cap, and only for apps that allow it.
  • Google Photos is a completely separate backup with its own toggle — turning off "device backup" does not touch your photos, and turning off Google Photos does not touch your messages.
  • WhatsApp backs itself up to Google Drive on its own schedule, outside the Android system backup, and it is not encrypted by default.
  • 2FA/authenticator seeds (Google Authenticator, Authy, etc.) are not part of any device backup. They need their own export or sync, done inside the authenticator app itself.
  • Installed apps aren't preserved as files — Android keeps a list and lets the Play Store re-download them, which is fine for apps, useless for sideloaded APKs.
25 MBthe maximum size Android's Auto Backup for Apps will save per app — many apps with real save data or local files simply won't fit, and the developer decides if the app participates at all (Android Developers)

Three backups are doing three different jobs, not one

The single "backed up" checkmark on your phone hides three independent systems. The first is the Android/Google One device backup (Settings → Google → Backup), which handles SMS and MMS, call history, contacts sync, device settings like Wi-Fi networks and display preferences, and a per-app data snapshot through a feature developers opt into called Auto Backup for Apps. As of July 7, 2026, Google folded all of these into your regular 15 GB Google Account storage cap for the first time — previously SMS, call history, and settings didn't count against your quota at all. Google says the typical increase is small — its own estimate is around 40 MB per account — but it now ships individual on/off toggles for SMS & MMS, call history, and device settings, so you can exclude any of them.

The second system is Google Photos, which has never been part of that device backup. It's a separate app, with its own account-level toggle, its own upload-quality settings, and its own place in your storage quota. Turning off device backup does nothing to your photo uploads, and vice versa — treat them as two independent decisions.

The third system is app-specific cloud backup, where an individual app — WhatsApp is the obvious example — manages its own upload to Google Drive or its own servers, on its own schedule, with its own encryption choices, entirely outside anything Android controls centrally. If you already strip unnecessary telemetry out of your OS with something like our Windows 11 debloat guide, the same instinct applies here: know which of the three systems actually moved your data before you trust the "backed up" label.

The coverage table: what's actually saved, item by item

This is the part most explainers skip. Here's where each data type really lives — or doesn't.

Communications & personal data

Data typeWhere it's actually backed up
SMS & MMS messagesAndroid device backup (Google One) — separate toggle, now counts toward your 15 GB quota (July 2026)
Call logAndroid device backup (Google One) — same toggle family as SMS/MMS
ContactsGoogle Contacts account sync — a distinct toggle tied to your Google Account, not the "device backup" switch
Google Photos (photos/videos)Google Photos app backup — entirely separate feature, own toggle and quality settings
WhatsApp chats & mediaWhatsApp's own backup to Google Drive — separate app, separate schedule, not encrypted unless you turn that on inside WhatsApp

Apps, settings & files

Data typeWhere it's actually backed up
Installed apps (the APK itself)Not backed up — only a list of app IDs is kept; the Play Store re-downloads each app fresh on setup
In-app data (settings, saves, local state)Android Auto Backup for Apps — only if the developer allows it, capped at 25 MB per app
Device settings (Wi-Fi, display, etc.)Android device backup (Google One) — its own toggle, added July 2026
Files & Downloads folderNot backed up by default; a limited opt-in downloads backup started rolling out in 2026, and it covers only that one folder
Authenticator / 2FA app seedsNot part of any device backup — must be exported or synced manually, inside the authenticator app itself

Tip

Before you rely on any row in that table, open the app in question and check its own backup or export setting directly — "included in device backup" and "actually restorable on a new phone" aren't always the same thing, especially for apps under the 25 MB cap that quietly truncate what they save.

Why authenticator apps sit outside every backup

This is the one that catches people. Google Authenticator has no automatic tie-in to the Google One device backup — it is treated the same as any third-party app, and by default it doesn't even use the Auto Backup for Apps mechanism for its codes. What it does have, since a 2023 update, is an optional Google Account sync you enable inside the app itself: if the cloud icon next to an account shows a green checkmark, that entry is synced to your Google Account and will reappear when you sign in on a new phone. If it doesn't, the only way to move it is the manual Transfer accounts → Export accounts QR-code flow, done before you wipe the old device. Authy works differently again — it has its own encrypted cloud backup tied to your phone number, unrelated to anything Google does.

Warning

If you factory reset or switch phones without exporting your authenticator codes first, you can permanently lose access to every account protected by that app — not just delayed access, but a full account-recovery process, one service at a time, for however many accounts you had 2FA turned on for. Neither "Back up to Google One" nor a green Photos checkmark will save you here.

Store exported backup codes somewhere encrypted and actually searchable when you need them at 11pm during a lockout — a password manager comparison like our Bitwarden vs 1Password vs KeePassXC vs Dashlane breakdown is a reasonable place to start if you don't already have one.

WhatsApp's chat backup is its own island

WhatsApp doesn't use the Android system backup at all. It manages its own periodic upload to a private folder in Google Drive, configured from inside WhatsApp's own Settings → Chats → Chat backup screen, not from anywhere in Android's Backup settings. That separation matters for two reasons: turning off Android's device backup does nothing to stop it, and by default those Drive backups are not end-to-end encrypted — Meta has been rolling out an opt-in encrypted-backup toggle that protects the archive with a password or a 64-digit key, but you have to turn it on. WhatsApp is also reportedly building its own hosted cloud-backup option as an alternative to Google Drive, which would move the whole system outside Google's storage entirely.

Note

"It's in Google Drive" isn't the same as "it's encrypted." If you haven't explicitly enabled WhatsApp's end-to-end encrypted backup, whoever has access to your Google account also has access to your chat history.

The migration checklist before you reset or switch phones

When I migrated phones last year, I didn't trust a single "everything's backed up" screen to carry everything across — I walked through each system in the table above one at a time, because that's the only way to know what actually survives the wipe. In my setup that meant exporting authenticator codes by hand, confirming WhatsApp's own backup had actually run recently rather than assuming it had, and copying anything in Downloads I cared about over to my home server rather than trusting a folder Android had never promised to save.

Settings → Google → Backup                    (Pixel / stock Android)
Settings → System → Backup                     (many OEM skins)
Settings → Accounts → Google → Back up data     (older UI)

Checklist before wiping or switching phones:
  [ ] Google One device backup ran recently (check the "last backup" timestamp)
  [ ] SMS & MMS, call history, device settings toggles are set the way you want
  [ ] Google Photos backup is caught up (open the app, check upload status)
  [ ] WhatsApp → Settings → Chats → Chat backup shows a recent date
  [ ] Authenticator app: codes exported via Transfer accounts, or cloud-sync
      icon shows synced
  [ ] Anything in Downloads/Files you actually need is copied off-device

Note on adb: `adb backup` will not save you here. It was deprecated in
Android 12 and removed from platform-tools in 2023, and it no longer
reliably pulls third-party app data on Android 13 and later — don't plan
a migration around it.

That habit of trusting the actual mechanism instead of the reassuring label is the same one behind keeping your own infrastructure — the way I'd rather run a backup job on my own Proxmox host than assume a vendor's default covers me.

If you've de-Googled: SeedVault and self-hosted backup

None of the above applies if you're running GrapheneOS, LineageOS, or another de-Googled ROM without Google Play Services. Those systems typically ship SeedVault, an open-source backup tool built into the ROM rather than installed as a regular app. It encrypts everything with a BIP39 mnemonic phrase you control, can run automatic scheduled backups, and can write to a USB drive or a self-hosted target like Nextcloud instead of any Google service. GrapheneOS bundles it directly; LineageOS adopted it as its default backup solution. The tradeoff is the one you'd expect: nothing here talks to Google Authenticator's cloud sync or WhatsApp's Drive backup either, so the same per-app rules from the table above still apply — you're just running the "device backup" layer on infrastructure you control instead of Google's.

Frequently asked questions

Does Android's built-in backup save my WhatsApp messages?

No. WhatsApp manages its own backup to Google Drive from inside its own settings, completely separate from Android's device backup. Turning Android's backup on or off has no effect on it.

Will I lose my 2FA codes if I factory reset my phone?

Very likely, unless you exported them first. Authenticator seeds are not part of Google One's device backup. Google Authenticator only carries over automatically if you've enabled its own account sync (shown by a green checkmark on the account), and Authy relies on its own separate encrypted backup tied to your phone number.

Are my installed apps included in an Android backup?

Only as a list. Android remembers which apps you had and lets the Play Store re-download them during setup — the actual APK files aren't preserved, which matters mainly for sideloaded apps not available on the Play Store.

What's the difference between Google One backup and Google Photos backup?

They're entirely separate systems with separate toggles. Google One's device backup covers SMS, call log, contacts sync, settings, and per-app data. Google Photos backs up photos and videos on its own schedule and isn't affected by the device-backup toggle at all.

Is there a Google-free way to back up an Android phone?

Yes, on de-Googled ROMs like GrapheneOS or LineageOS. Both support SeedVault, an open-source backup tool that encrypts data with a passphrase you control and can save to USB storage or a self-hosted server instead of any Google account.

Related stories

More from Tech

Stay in the loop

Get the latest articles delivered to your inbox. No spam, unsubscribe anytime.

Read next

Browser Privacy: Chrome vs Firefox vs Brave, Configured

Chrome, Firefox, and Brave all leak something by default. This guide scores them on fingerprinting resistance, third-party cookies, telemetry, and DNS-over-HTTPS, then gives the exact settings to fix each one — plus why Chrome lost the full uBlock Origin for good.

Continue Reading