Bug/Hole/Feature(?) of Android - Any application can access your google credentials

Suppose you used the XMPP sample posted earlier and setup your user id / password to connect to Google Talk. A simple App (see screen shot and code below) can access that stored password. Basically i wrote a simple app to run an arbitrary query (against the built-in content providers) and display the results and ran into this interesting feature(?). Running the following queries allows any app to get the google login credentials of the owner of the device.

content://googleaccounts/accounts/
content://settings/googlelogin

hole 1

hole 2

Download the sources and Application - Hole-HelloActivity.zip


About this entry