Thursday, January 8, 2015

Android app with full control over your Google account

Some time ago after I had defended my diploma thesis on OAuth security my groupmate asked me: "Hey, have you looked into Android OAuth?", and I felt slightly lost since I realized there is yet another OAuth implementation, and I didn't know how it works.

Lately I found some time to resolve this problem. The task seemed challenging at the beginning since Android OAuth is a part of Google Play, which is closed source: this was the first time I had to reverse-engineer something to see how an open standard (namely OAuth) works. Instead of explaining the whole design myself in this write-up, I recommend reading sbktech's blog, where he has recently published a full, descriptive and easy to read explanation of Android OAuth internals. I will just add a few notes about my own findings to sbktech's existing post:

TL;DR: I was able to find two vulnerabilities in the Google Play system apk which allowed me to bypass the Android application permission model: an installed app asking for no permissions could get full access to the device owner's Google account (that access is sufficient, for example, for a new app install or for Chrome sync access).

As a first step to understanding the weak parts of the OAuth logic, I bound to the service manually and made, perhaps, the classic mistake with "NetworkOnMainThreadException", which thankfully gave me the "getToken() -> ... -> network request" call stack in logcat to explore:

W/GLSUser (  602): GoogleAccountDataService.getToken()
I/GoogleHttpClient(  602): Falling back to old SSLCertificateSocketFactory
I/GoogleHttpClient(  602): Using GMS GoogleHttpClient
W/GLSActivity(  602): [GetToken] - getToken exception!
W/GLSActivity(  602): android.os.NetworkOnMainThreadException
W/GLSActivity(  602): at android.os.StrictMode$AndroidBlockGuardPolicy.onNetwork(
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at gaz.a(SourceFile:823)
W/GLSActivity(  602): at gaz.c(SourceFile:692)
W/GLSActivity(  602): at gaz.execute(SourceFile:601)
W/GLSActivity(  602): at xt.execute(SourceFile:365)
W/GLSActivity(  602): at xt.execute(SourceFile:447)
W/GLSActivity(  602): at avc.a(SourceFile:258)
W/GLSActivity(  602): at avd.a(SourceFile:575)
W/GLSActivity(  602): at avd.a(SourceFile:649)
W/GLSActivity(  602): at avd.a(SourceFile:812)
W/GLSActivity(  602): at avi.a(SourceFile:282)
W/GLSActivity(  602): at avh.a(SourceFile:163)
W/GLSActivity(  602): at axm.a(SourceFile:133)
W/GLSActivity(  602): at axf.a(SourceFile:337)
W/GLSActivity(  602): at axf.a(SourceFile:132)
W/GLSActivity(  602): at arx.a(SourceFile:92)
W/GLSActivity(  602): at arh.a(SourceFile:107)
W/GLSActivity(  602): at wj.onTransact(SourceFile:63)
W/GLSActivity(  602): at android.os.Binder.execTransact(
W/GLSActivity(  602): at Method)
W/System.err( 1093): android.os.NetworkOnMainThreadException
W/System.err( 1093): at android.os.Parcel.readException(
W/System.err( 1093): at android.os.Parcel.readException(
W/System.err( 1093): at$myConnection.onServiceConnected(
W/System.err( 1093): at$ServiceDispatcher.doConnected(
W/System.err( 1093): at$ServiceDispatcher$
W/System.err( 1093): at android.os.Handler.handleCallback(
W/System.err( 1093): at android.os.Handler.dispatchMessage(
W/System.err( 1093): at android.os.Looper.loop(
W/System.err( 1093): at
D/ConnectivityService(  389): handleInetConditionHoldEnd: net=0, condition=0, published condition=0
W/System.err( 1093): at java.lang.reflect.Method.invokeNative(Native Method)
W/System.err( 1093): at java.lang.reflect.Method.invoke(
W/System.err( 1093): at$
W/System.err( 1093): at
W/System.err( 1093): at dalvik.system.NativeStart.main(Native Method)

I restored the logic of those three-letter classes from arh to gaz (that is the Google Play part) and developed a particular fondness for the avd class, for the two following reasons:

1. URL parameter injection

The following function of the avd class parsed the Bundle extras argument of getToken and inserted every _opt_XXX parameter from it into the HTTP request as XXX, which obviously allowed setting has_permission=1 without any user consent:

  // avd.a(...), decompiled; argument list as shown on the page
  public final List a(String paramString1, String paramString2, int paramInt, String paramString3, boolean paramBoolean1, Bundle paramBundle, boolean paramBoolean2, String paramString4, boolean paramBoolean3, boolean paramBoolean4, CaptchaSolution paramCaptchaSolution, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig, String paramString5)
    // every "_opt_XXX" key of the caller-supplied Bundle is forwarded to the
    // token request as parameter "XXX", with no allowlist of what XXX may be
    if (str8.startsWith("_opt_"))
      localaux1.a(str8.replaceFirst("_opt_", ""), paramBundle.getString(str8));


2. Magic scopes "SID" and "LSID"

Google Play also gladly granted me a couple of undocumented scopes, actually handing back the SID and LSID session cookies in the clear:

  // also in avd, decompiled; paramString1 is the requested scope and
  // paramMap holds the fields of the token server's response
  public final TokenResponse a(TokenResponse paramTokenResponse, Map paramMap, int paramInt, String paramString1, boolean paramBoolean1, boolean paramBoolean2, String paramString2, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig)
      // when the "scope" is literally SID or LSID, the session cookie of that
      // name is copied out of the response and returned as the token
      if (("SID".equals(paramString1)) || ("LSID".equals(paramString1)))
         str1 = (String)paramMap.get(paramString1);


Additionally, I made a few more steps on my way to the PoC:

  • I impersonated the gms app by setting
  • I bypassed the signature verification by copy-pasting the signatures and setting them through _opt_client_sig=<sig> (sorry, no crypto flaws here)
  • I collected signatures for all versions of gms (two in total: 58e1c4133f7441ec3d2c270270a14802da47ba0e and 38918a453d07199354f8b19af05ec6562ced5788), so that my code worked on all Android 4/5 phones
  • I was able to leak the device owner's email through AccountManager.newChooseAccountIntent for use in GoogleAuthUtil.getToken (this intent silently returns the user's email if only one Google account is signed in)

As a result, for an installed app requiring no permissions, (1) allowed me to silently leak tokens for all possible oauth2 scopes, while with (2) I was able to take over the Google account.
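The two findings side by side, as an added example that is not Google Play's code: a plain Map stands in for the getToken Bundle, the first method reproduces the decompiled _opt_ pass-through, the second is a hardened variant that forwards only an allowlist and takes consent and signature from the service's own verified data (the names lang, ui_style, verifiedSig and userConsented are assumptions), and the scope check refuses SID and LSID.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not Google Play code: a Map stands in for the Android Bundle
// passed as getToken() extras, and the outgoing token request is also a Map.
public class OptParamFilter {

    // Vulnerable shape, modelled on the decompiled avd.a(): every "_opt_XXX"
    // extra is forwarded as request parameter "XXX", so the caller decides
    // has_permission and client_sig.
    static Map<String, String> vulnerableCopy(Map<String, String> extras) {
        Map<String, String> request = new HashMap<>();
        for (Map.Entry<String, String> e : extras.entrySet()) {
            if (e.getKey().startsWith("_opt_")) {
                request.put(e.getKey().replaceFirst("_opt_", ""), e.getValue());
            }
        }
        return request;
    }

    // Hardened shape (hypothetical; allowlist names are assumptions): caller
    // extras are matched against an allowlist, and the fields that carry trust
    // decisions are always written by the service from its own verified data.
    static final Set<String> CALLER_ALLOWED = new HashSet<>(Arrays.asList("lang", "ui_style"));

    static Map<String, String> hardenedCopy(Map<String, String> extras,
                                            boolean userConsented, String verifiedSig) {
        Map<String, String> request = new HashMap<>();
        for (Map.Entry<String, String> e : extras.entrySet()) {
            String key = e.getKey();
            if (!key.startsWith("_opt_")) continue;
            String name = key.substring("_opt_".length());
            if (CALLER_ALLOWED.contains(name)) request.put(name, e.getValue());
            // everything else, including has_permission and client_sig, is dropped
        }
        // consent is recorded only after the user actually saw the prompt
        request.put("has_permission", userConsented ? "1" : "0");
        // the signature comes from the service's own package verification, never from extras
        request.put("client_sig", verifiedSig);
        return request;
    }

    // The undocumented "SID"/"LSID" scopes hand back session cookies, so they
    // must never be grantable to a third-party caller.
    static boolean isGrantableScope(String scope) {
        return !"SID".equals(scope) && !"LSID".equals(scope);
    }

    public static void main(String[] args) {
        Map<String, String> extras = new HashMap<>();          // constructed input
        extras.put("_opt_has_permission", "1");                // consent bypass attempt
        extras.put("_opt_client_sig", "deadbeef");             // constructed, not a real signature
        extras.put("_opt_lang", "en");
        System.out.println("vulnerable: " + vulnerableCopy(extras));
        System.out.println("hardened:   " + hardenedCopy(extras, false, "verified-sig-placeholder"));
        System.out.println("SID grantable? " + isGrantableScope("SID"));
    }
}
```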


December 2, 2014 — Reported the vulnerability to Android security; @natashenka confirmed the repro works
January 6, 2015 — Response from Android security saying that the fix was pushed in mid-December; I checked that the repro stopped working on all my phones
January 9, 2015 — Public disclosure

Thanks to @evdokimovds from DSecRG for helping with unpacking tools and to @jduck from droidsec for verifying the code on multiple Android phones.
