Show me the code! – By Davanum Srinivas

November 25, 2007

Bug/Hole/Feature(?) of Android – Any application can access your google credentials

Filed under: Uncategorized — Davanum Srinivas @ 1:55 pm

Suppose you used the XMPP sample posted earlier and set up your user id / password to connect to Google Talk. A simple app (see screenshot and code below) can access that stored password. Basically I wrote a simple app to run an arbitrary query (against the built-in content providers) and display the results, and ran into this interesting feature(?). Running the following queries allows any app to get the Google login credentials of the owner of the device.

content://googleaccounts/accounts/
content://settings/googlelogin

[Screenshot: hole 1]

[Screenshot: hole 2]

Download the sources and Application – Hole-HelloActivity.zip
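
An added example, not part of the original post or its download: a small Python audit that reads an AndroidManifest.xml and lists exported content providers that other apps could read without holding a meaningful permission, which is the defensive check for the exposure described above. It assumes the manifest attributes of released Android (`android:exported`, `android:readPermission`, `android:permission`, `android:protectionLevel`); the manifest and every name in it are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest; package, provider and permission names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.accounts">
  <permission android:name="com.example.accounts.READ_SECRET"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.accounts.READ_WEAK"/>
  <application>
    <provider android:name=".OpenProvider" android:exported="true"
              android:authorities="com.example.accounts.open"/>
    <provider android:name=".WeakProvider" android:exported="true"
              android:authorities="com.example.accounts.weak"
              android:readPermission="com.example.accounts.READ_WEAK"/>
    <provider android:name=".GuardedProvider" android:exported="true"
              android:authorities="com.example.accounts.guarded"
              android:readPermission="com.example.accounts.READ_SECRET"/>
    <provider android:name=".PrivateProvider" android:exported="false"
              android:authorities="com.example.accounts.private"/>
  </application>
</manifest>
"""

def audit_providers(manifest_xml):
    """Return (authority, problem) for each provider other apps could read."""
    root = ET.fromstring(manifest_xml)
    # protectionLevel defaults to "normal" (granted to any app that asks);
    # flags such as "signature|privileged" keep their base level first.
    levels = {
        p.get(ANDROID + "name"): (p.get(ANDROID + "protectionLevel") or "normal").split("|")[0]
        for p in root.iter("permission")
    }
    findings = []
    for prov in root.iter("provider"):
        # Only explicit exported="true" is checked; the default when the
        # attribute is absent depends on the app's targetSdkVersion.
        if prov.get(ANDROID + "exported") != "true":
            continue
        authority = prov.get(ANDROID + "authorities")
        # readPermission takes precedence over the general permission attribute.
        perm = prov.get(ANDROID + "readPermission") or prov.get(ANDROID + "permission")
        if perm is None:
            findings.append((authority, "exported without a read permission"))
        elif levels.get(perm) == "normal":
            findings.append((authority, "read permission has protectionLevel normal"))
    return findings

if __name__ == "__main__":
    for authority, problem in audit_providers(SAMPLE_MANIFEST):
        print(f"{authority}: {problem}")
```

Permissions declared outside the audited manifest (for example platform permissions) are not graded by this check, so a provider guarded by one of those still needs a manual look.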

5 Comments »

  1. I’ve tested your code and it seems that content://googleaccounts/accounts/ returns login and hashed password, however content://settings/googlelogin returns login and password in plain text, so basically any application can read your account settings.

    I wonder how these account credentials will be accessible in the final Android release. Maybe it’s just a matter of permissions settings in AndroidManifest.xml?

    Best,
    Pawel Solyga

    Comment by solydzajs — November 25, 2007 @ 3:03 pm

  2. […] it may be that a real flaw in Android has been discovered by Davanum, him again! This flaw would allow any […]

    Pingback by Un vrai bug sur Android? — November 25, 2007 @ 4:14 pm

  3. Hi Davanum,
    I believe that is because of:
    – prerelease version
    – lack of documentation
    – lack of security measures implemented in emulator (we can query intents but we are not required to authorize to use them if exposed).
    There is a lot of undocumented Google API in SDK so that seems reasonable they provide system-wide authorization service – otherwise it could be difficult to write custom one. That way we will have access to existing authorization to G apis I think,

    regards,
    Peter

    Comment by Peter Blazejewicz — November 26, 2007 @ 6:01 am

  4. Could this be their intention? I could see the argument for this feature, that if you sign in at the beginning – you would want all the other apps that use Google features to authenticate w/o requiring user action. Seems to be a big hole miss if this wasn’t their intention.

    Comment by nameless1 — December 5, 2007 @ 4:33 pm

  5. […] reserve our judgement until after the Official launch which shouldn’t be too far. [ via Mr. Srinivas […]

    Pingback by Security hole in Android « Smart Android — September 15, 2008 @ 8:18 am

