Bug/Hole/Feature(?) of Android - Any application can access your google credentials

Suppose you used the XMPP sample posted earlier and setup your user id / password to connect to Google Talk. A simple App (see screen shot and code below) can access that stored password. Basically i wrote a simple app to run an arbitrary query (against the built-in content providers) and display the results and ran into this interesting feature(?). Running the following queries allows any app to get the google login credentials of the owner of the device.

content://googleaccounts/accounts/
content://settings/googlelogin

hole 1

hole 2

Download the sources and Application - Hole-HelloActivity.zip

About this entry

You’re currently reading “Bug/Hole/Feature(?) of Android - Any application can access your google credentials,” an entry on Show me the code!

Published:: 11.25.07 / 1pm

Category:: Uncategorized

Tags:

4 Comments

Jump to comment form | comments rss [?] | trackback uri [?]

solydzajs 11.25.07 / 3pm

I’ve tested your code and it seems that content://googleaccounts/accounts/ returns login and hashed password, however content://settings/googlelogin returns login and password in plain text, so basically any application can read your account settings.

I wonder how this account credentials will be accessible in the final Android release. May be it’s just a matter of permissions settings in AndroidManifest.xml ?

Best,
Pawel Solyga
Un vrai bug sur Android? 11.25.07 / 4pm

[...] il se pourrait qu’une vraie faille d’Android ait été découverte par Davanum, encore lui ! Cette faille permettrait à n’importe quelle [...]
Peter Blazejewicz 11.26.07 / 6am

Hi Davanum,
I believe that is becuase of:
- prelease version
- lack of documentation
- lack of security measures implemented in emulator (we can query intents but we are not required to authorize to use them if exposed).
There is a lot of undocumented Google api in SDK so that seems reasonable they provide system-wide authorization service - otherwise it could be difficult to write custom one. That way we will have access to existing authorization to G apis i think,

regards,
Peter
nameless1 12.5.07 / 4pm

Could this be their intention? I could see the argument for this feature, that if you sign in at the beginning - you would want all the other apps that use Google features to authenticate w/o requiring user action. Seems to be a big hole miss if this wasn’t their intention.

Have your say

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Monthly Archives

About

Davanum Srinivas
(davanum AT gmail.com / dims AT yahoo.com)

AssertNotEquals(”Davanum Srinivas” , “IBM”);