Show me the code! – By Davanum Srinivas

Web Services, Apache, Websphere, IBM, etc.

Bug/Hole/Feature(?) of Android – Any application can access your Google credentials


Suppose you used the XMPP sample posted earlier and set up your user ID / password to connect to Google Talk. A simple app (see screenshot and code below) can access that stored password. Basically, I wrote a simple app to run an arbitrary query (against the built-in content providers) and display the results, and ran into this interesting feature(?). Running the following queries allows any app to get the Google login credentials of the owner of the device.

content://googleaccounts/accounts/
content://settings/googlelogin

[Screenshot: hole 1]

[Screenshot: hole 2]

Download the sources and Application – Hole-HelloActivity.zip
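
A defensive check for the class of exposure described above, added here as an example and not part of the original post or its Hole-HelloActivity sources: a Python audit of a decoded AndroidManifest.xml that flags content providers any other app could read. It assumes the manifest attributes of the released Android platform (the post tested the 2007 prerelease SDK) and looks only at targetSdkVersion for the export default; the package, authority and permission names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
STRONG = {"signature", "signatureOrSystem"}  # levels other vendors' apps cannot obtain

# Constructed sample manifest; package, authorities and permission names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.accounts">
  <uses-sdk android:targetSdkVersion="16"/>
  <permission android:name="com.example.READ_WEAK" android:protectionLevel="normal"/>
  <permission android:name="com.example.READ_SIG" android:protectionLevel="signature"/>
  <application>
    <provider android:name=".Open" android:authorities="com.example.open"/>
    <provider android:name=".Weak" android:authorities="com.example.weak"
        android:exported="true" android:readPermission="com.example.READ_WEAK"/>
    <provider android:name=".Sig" android:authorities="com.example.sig"
        android:exported="true" android:permission="com.example.READ_SIG"/>
    <provider android:name=".Private" android:authorities="com.example.private"
        android:exported="false"/>
  </application>
</manifest>"""

def audit_providers(manifest_xml):
    """Return (authority, finding) pairs for providers other apps can read."""
    root = ET.fromstring(manifest_xml)
    # Protection level of every permission this manifest declares itself.
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.iter("permission")}
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    findings = []
    for prov in root.iter("provider"):
        authority = prov.get(ANDROID + "authorities")
        # With no explicit value, providers are exported when targeting API 16 or lower.
        default = "true" if target <= 16 else "false"
        if prov.get(ANDROID + "exported", default) != "true":
            continue
        # readPermission takes precedence over the provider-wide permission.
        perm = prov.get(ANDROID + "readPermission") or prov.get(ANDROID + "permission")
        if perm is None:
            findings.append((authority, "exported, no read permission"))
        elif perm in levels and levels[perm].split("|")[0] not in STRONG:
            findings.append((authority, f"read permission {perm} is '{levels[perm]}'"))
    return findings

if __name__ == "__main__":
    for authority, finding in audit_providers(SAMPLE):
        print(f"{authority}: {finding}")
```

Permissions defined outside the audited manifest are not judged, because their protection level is not visible in this file.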

Written by Davanum Srinivas

November 25, 2007 at 1:55 pm

Posted in Uncategorized

5 Responses


  1. I’ve tested your code and it seems that content://googleaccounts/accounts/ returns login and hashed password, however content://settings/googlelogin returns login and password in plain text, so basically any application can read your account settings.

    I wonder how these account credentials will be accessible in the final Android release. Maybe it’s just a matter of permissions settings in AndroidManifest.xml?

    Best,
    Pawel Solyga

    solydzajs

    November 25, 2007 at 3:03 pm

  2. [...] it could be that a real Android flaw has been discovered by Davanum, him again! This flaw would allow any [...]

    A real bug in Android?

    November 25, 2007 at 4:14 pm

  3. Hi Davanum,
    I believe that is because of:
    - prerelease version
    - lack of documentation
    - lack of security measures implemented in emulator (we can query intents but we are not required to authorize to use them if exposed).
    There is a lot of undocumented Google API in the SDK, so it seems reasonable that they provide a system-wide authorization service – otherwise it could be difficult to write a custom one. That way we will have access to existing authorization to G APIs, I think,

    regards,
    Peter

    Peter Blazejewicz

    November 26, 2007 at 6:01 am

  4. Could this be their intention? I could see the argument for this feature, that if you sign in at the beginning – you would want all the other apps that use Google features to authenticate w/o requiring user action. Seems to be a big hole miss if this wasn’t their intention.

    nameless1

    December 5, 2007 at 4:33 pm

  5. [...] reserve our judgement until after the Official launch which shouldn’t be too far. [ via Mr. Srinivas [...]

