Comments on: Bug/Hole/Feature(?) of Android – Any application can access your google credentials http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/ Web Services, Apache, Websphere, IBM, etc. Wed, 11 Nov 2009 14:37:43 +0000 http://wordpress.com/ hourly 1 By: Security hole in Android « Smart Android http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-1860 Security hole in Android « Smart Android Mon, 15 Sep 2008 13:18:16 +0000 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-1860 [...] reserve our judgement until after the Official launch which shouldnt be too far. [ via Mr. Srinivas [...] [...] reserve our judgement until after the Official launch which shouldnt be too far. [ via Mr. Srinivas [...]

]]> By: nameless1 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-633 nameless1 Wed, 05 Dec 2007 21:33:26 +0000 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-633 Could this be their intention? I could see the argument for this feature, that if you sign in at the beginning - you would want all the other apps that use Google features to authenticate w/o requiring user action. Seems to be a big hole miss if this wasn't their intention. Could this be their intention? I could see the argument for this feature, that if you sign in at the beginning – you would want all the other apps that use Google features to authenticate w/o requiring user action. Seems to be a big hole miss if this wasn’t their intention.

]]> By: Peter Blazejewicz http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-556 Peter Blazejewicz Mon, 26 Nov 2007 11:01:39 +0000 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-556 Hi Davanum, I believe that is becuase of: - prelease version - lack of documentation - lack of security measures implemented in emulator (we can query intents but we are not required to authorize to use them if exposed). There is a lot of undocumented Google api in SDK so that seems reasonable they provide system-wide authorization service - otherwise it could be difficult to write custom one. That way we will have access to existing authorization to G apis i think, regards, Peter Hi Davanum,
I believe that is becuase of:
- prelease version
- lack of documentation
- lack of security measures implemented in emulator (we can query intents but we are not required to authorize to use them if exposed).
There is a lot of undocumented Google api in SDK so that seems reasonable they provide system-wide authorization service – otherwise it could be difficult to write custom one. That way we will have access to existing authorization to G apis i think,

regards,
Peter

]]> By: Un vrai bug sur Android? http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-552 Un vrai bug sur Android? Sun, 25 Nov 2007 21:14:57 +0000 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-552 [...] il se pourrait qu’une vraie faille d’Android ait été découverte par Davanum, encore lui ! Cette faille permettrait à n’importe quelle [...] [...] il se pourrait qu’une vraie faille d’Android ait été découverte par Davanum, encore lui ! Cette faille permettrait à n’importe quelle [...]

]]> By: solydzajs http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-549 solydzajs Sun, 25 Nov 2007 20:03:34 +0000 http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/#comment-549 I've tested your code and it seems that content://googleaccounts/accounts/ returns login and hashed password, however content://settings/googlelogin returns login and password in plain text, so basically any application can read your account settings. I wonder how this account credentials will be accessible in the final Android release. May be it's just a matter of permissions settings in AndroidManifest.xml ? Best, Pawel Solyga I’ve tested your code and it seems that content://googleaccounts/accounts/ returns login and hashed password, however content://settings/googlelogin returns login and password in plain text, so basically any application can read your account settings.

I wonder how this account credentials will be accessible in the final Android release. May be it’s just a matter of permissions settings in AndroidManifest.xml ?

Best,
Pawel Solyga

]]>