Bug/Hole/Feature(?) of Android – Any application can access your Google credentials
Suppose you used the XMPP sample posted earlier and set up your user ID / password to connect to Google Talk. A simple app (see screenshot and code below) can access that stored password. Basically, I wrote a simple app to run an arbitrary query (against the built-in content providers) and display the results, and ran into this interesting feature(?). Running the following queries allows any app to get the Google login credentials of the owner of the device.
content://googleaccounts/accounts/
content://settings/googlelogin


I’ve tested your code and it seems that content://googleaccounts/accounts/ returns login and hashed password, however content://settings/googlelogin returns login and password in plain text, so basically any application can read your account settings.
I wonder how these account credentials will be accessible in the final Android release. Maybe it’s just a matter of permissions settings in AndroidManifest.xml?
Best,
Pawel Solyga
solydzajs
November 25, 2007 at 3:03 pm
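The manifest permission question raised in the comment above can be checked mechanically. The following is an added example, not code from the original post or its comments: it audits an AndroidManifest.xml for content providers that other apps can read, either with no read permission at all or with one declared at the `normal` protection level. The sample manifest is constructed, and its package, authorities and permission names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; package, authorities and permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.accounts">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <permission android:name="com.example.accounts.READ"/>
  <permission android:name="com.example.accounts.READ_TOKENS"
              android:protectionLevel="signature"/>
  <application>
    <provider android:name=".CredentialProvider"
              android:authorities="com.example.accounts.credentials"/>
    <provider android:name=".SettingsProvider" android:exported="true"
              android:authorities="com.example.accounts.settings"
              android:readPermission="com.example.accounts.READ"/>
    <provider android:name=".TokenProvider" android:exported="true"
              android:authorities="com.example.accounts.tokens"
              android:permission="com.example.accounts.READ_TOKENS"/>
    <provider android:name=".CacheProvider" android:exported="false"
              android:authorities="com.example.accounts.cache"/>
  </application>
</manifest>"""

def audit_providers(manifest_xml):
    """Return (authority, finding) for each provider other apps can read too easily."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    raw = (sdk.get(NS + "targetSdkVersion") or sdk.get(NS + "minSdkVersion")) if sdk is not None else None
    target_sdk = int(raw) if raw and raw.isdigit() else 1
    # Permissions this manifest declares; protectionLevel defaults to "normal".
    levels = {p.get(NS + "name"): (p.get(NS + "protectionLevel") or "normal").split("|")[0]
              for p in root.findall("permission")}
    findings = []
    for prov in root.iter("provider"):
        exported = prov.get(NS + "exported")
        # With no explicit value, providers are exported when the SDK level is 16 or lower.
        if not (exported == "true" if exported is not None else target_sdk <= 16):
            continue
        # readPermission takes precedence over the provider-wide permission for reads.
        guard = prov.get(NS + "readPermission") or prov.get(NS + "permission")
        authority = prov.get(NS + "authorities")
        if guard is None:
            findings.append((authority, "exported with no read permission"))
        elif levels.get(guard) == "normal":
            findings.append((authority, "read permission is 'normal': any app can request it"))
    return findings

if __name__ == "__main__":
    for authority, finding in audit_providers(SAMPLE_MANIFEST):
        print(f"{authority}: {finding}")
```

The check does not evaluate `path-permission` or `grantUriPermissions` entries, and a permission declared outside the audited manifest is not judged.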
[...] it could be that a real Android flaw has been discovered by Davanum, him again! This flaw would allow any [...]
Un vrai bug sur Android?
November 25, 2007 at 4:14 pm
Hi Davanum,
I believe that is because of:
- pre-release version
- lack of documentation
- lack of security measures implemented in emulator (we can query intents but we are not required to authorize to use them if exposed).
There is a lot of undocumented Google API in the SDK, so it seems reasonable that they provide a system-wide authorization service – otherwise it could be difficult to write a custom one. That way we will have access to existing authorization to G APIs, I think,
regards,
Peter
Peter Blazejewicz
November 26, 2007 at 6:01 am
Could this be their intention? I could see the argument for this feature, that if you sign in at the beginning – you would want all the other apps that use Google features to authenticate w/o requiring user action. Seems to be a big hole miss if this wasn’t their intention.
nameless1
December 5, 2007 at 4:33 pm
[...] reserve our judgement until after the Official launch which shouldn't be too far. [ via Mr. Srinivas [...]
Security hole in Android « Smart Android
September 15, 2008 at 8:18 am