Comments on: Bug/Hole/Feature(?) of Android - Any application can access your google credentials http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/ Web Services, Android, Open Source, Apache, etc. Fri, 25 Jul 2008 06:17:48 +0000 http://wordpress.org/?v=MU By: nameless1 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-633 nameless1 Wed, 05 Dec 2007 21:33:26 +0000 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-633 Could this be their intention? I could see the argument for this feature, that if you sign in at the beginning - you would want all the other apps that use Google features to authenticate w/o requiring user action. Seems to be a big hole miss if this wasn't their intention. Could this be their intention? I could see the argument for this feature, that if you sign in at the beginning - you would want all the other apps that use Google features to authenticate w/o requiring user action. Seems to be a big hole miss if this wasn’t their intention.

]]> By: Peter Blazejewicz http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-556 Peter Blazejewicz Mon, 26 Nov 2007 11:01:39 +0000 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-556 Hi Davanum, I believe that is becuase of: - prelease version - lack of documentation - lack of security measures implemented in emulator (we can query intents but we are not required to authorize to use them if exposed). There is a lot of undocumented Google api in SDK so that seems reasonable they provide system-wide authorization service - otherwise it could be difficult to write custom one. That way we will have access to existing authorization to G apis i think, regards, Peter Hi Davanum,
I believe that is becuase of:
- prelease version
- lack of documentation
- lack of security measures implemented in emulator (we can query intents but we are not required to authorize to use them if exposed).
There is a lot of undocumented Google api in SDK so that seems reasonable they provide system-wide authorization service - otherwise it could be difficult to write custom one. That way we will have access to existing authorization to G apis i think,

regards,
Peter

]]> By: Un vrai bug sur Android? http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-552 Un vrai bug sur Android? Sun, 25 Nov 2007 21:14:57 +0000 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-552 [...] il se pourrait qu’une vraie faille d’Android ait été découverte par Davanum, encore lui ! Cette faille permettrait à n’importe quelle [...] [...] il se pourrait qu’une vraie faille d’Android ait été découverte par Davanum, encore lui ! Cette faille permettrait à n’importe quelle [...]

]]> By: solydzajs http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-549 solydzajs Sun, 25 Nov 2007 20:03:34 +0000 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-549 I've tested your code and it seems that content://googleaccounts/accounts/ returns login and hashed password, however content://settings/googlelogin returns login and password in plain text, so basically any application can read your account settings. I wonder how this account credentials will be accessible in the final Android release. May be it's just a matter of permissions settings in AndroidManifest.xml ? Best, Pawel Solyga I’ve tested your code and it seems that content://googleaccounts/accounts/ returns login and hashed password, however content://settings/googlelogin returns login and password in plain text, so basically any application can read your account settings.

I wonder how this account credentials will be accessible in the final Android release. May be it’s just a matter of permissions settings in AndroidManifest.xml ?

Best,
Pawel Solyga

]]>