Thursday, January 8, 2015

Android app with full control over your Google account

Some time ago, after I had defended my diploma thesis on OAuth security, my groupmate asked me: "Hey, have you looked into Android OAuth?", and I felt slightly lost, since I realized there was yet another OAuth implementation and I didn't know how it worked.

Lately I found some time to fix that. The task seemed challenging at first, since Android OAuth is part of Google Play, which is closed source: this was the first time I had to reverse-engineer code to see how an open standard (namely OAuth) had been implemented. Instead of explaining the whole design myself in this write-up, I recommend reading sbktech's blog, where he recently published a full, descriptive and easy-to-read explanation of Android OAuth internals. I will just add a few notes on my own findings to sbktech's existing post:

TL;DR: I found two vulnerabilities in the Google Play system APK which allowed me to bypass the Android application permission model: an installed app requesting no permissions could get full access to the device owner's Google account (enough, for instance, to install a new app or to access Chrome sync).

As a first step towards understanding the weak parts of the OAuth logic, I bound to the service manually and made what is perhaps the classic mistake, triggering a NetworkOnMainThreadException, which helpfully dumped the "getToken() -> ... -> network request" call stack into logcat for me to explore:

W/GLSUser (  602): GoogleAccountDataService.getToken()
I/GoogleHttpClient(  602): Falling back to old SSLCertificateSocketFactory
I/GoogleHttpClient(  602): Using GMS GoogleHttpClient
W/GLSActivity(  602): [GetToken] - getToken exception!
W/GLSActivity(  602): android.os.NetworkOnMainThreadException
W/GLSActivity(  602): at android.os.StrictMode$AndroidBlockGuardPolicy.onNetwork(
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at gaz.a(SourceFile:823)
W/GLSActivity(  602): at gaz.c(SourceFile:692)
W/GLSActivity(  602): at gaz.execute(SourceFile:601)
W/GLSActivity(  602): at xt.execute(SourceFile:365)
W/GLSActivity(  602): at xt.execute(SourceFile:447)
W/GLSActivity(  602): at avc.a(SourceFile:258)
W/GLSActivity(  602): at avd.a(SourceFile:575)
W/GLSActivity(  602): at avd.a(SourceFile:649)
W/GLSActivity(  602): at avd.a(SourceFile:812)
W/GLSActivity(  602): at avi.a(SourceFile:282)
W/GLSActivity(  602): at avh.a(SourceFile:163)
W/GLSActivity(  602): at axm.a(SourceFile:133)
W/GLSActivity(  602): at axf.a(SourceFile:337)
W/GLSActivity(  602): at axf.a(SourceFile:132)
W/GLSActivity(  602): at arx.a(SourceFile:92)
W/GLSActivity(  602): at arh.a(SourceFile:107)
W/GLSActivity(  602): at wj.onTransact(SourceFile:63)
W/GLSActivity(  602): at android.os.Binder.execTransact(
W/GLSActivity(  602): at Method)
W/System.err( 1093): android.os.NetworkOnMainThreadException
W/System.err( 1093): at android.os.Parcel.readException(
W/System.err( 1093): at android.os.Parcel.readException(
W/System.err( 1093): at$myConnection.onServiceConnected(
W/System.err( 1093): at$ServiceDispatcher.doConnected(
W/System.err( 1093): at$ServiceDispatcher$
W/System.err( 1093): at android.os.Handler.handleCallback(
W/System.err( 1093): at android.os.Handler.dispatchMessage(
W/System.err( 1093): at android.os.Looper.loop(
W/System.err( 1093): at
D/ConnectivityService(  389): handleInetConditionHoldEnd: net=0, condition=0, published condition=0
W/System.err( 1093): at java.lang.reflect.Method.invokeNative(Native Method)
W/System.err( 1093): at java.lang.reflect.Method.invoke(
W/System.err( 1093): at$
W/System.err( 1093): at
W/System.err( 1093): at dalvik.system.NativeStart.main(Native Method)

I reconstructed the logic of the obfuscated three-letter classes from arh to gaz (that is the Google Play part) and grew particularly fond of the avd class, for the following two reasons:

1. URL parameter injection

The function below in the avd class parsed the Bundle of extras passed to getToken and copied every _opt_XXX parameter from it into the HTTP token request as XXX, which obviously allowed a caller to set has_permission=1 without any user consent:

  // decompiled avd.a(...) fragment: builds the HTTP token request from the getToken() extras
  public final List a(String paramString1, String paramString2, int paramInt, String paramString3, boolean paramBoolean1, Bundle paramBundle, boolean paramBoolean2, String paramString4, boolean paramBoolean3, boolean paramBoolean4, CaptchaSolution paramCaptchaSolution, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig, String paramString5)
    // for every key str8 of paramBundle:
    if (str8.startsWith("_opt_"))
      // the "_opt_XXX" extra becomes request parameter "XXX", with the caller's value
      localaux1.a(str8.replaceFirst("_opt_", ""), paramBundle.getString(str8));


2. Magic scopes "SID" and "LSID"

Google Play also happily granted me a couple of undocumented scopes, handing back the SID and LSID session cookies themselves in the clear:

  // decompiled avd.a(...) fragment: maps the server response onto the TokenResponse returned to the caller
  public final TokenResponse a(TokenResponse paramTokenResponse, Map paramMap, int paramInt, String paramString1, boolean paramBoolean1, boolean paramBoolean2, String paramString2, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig)
      // paramString1 is the requested scope; for "SID"/"LSID" the raw cookie value from the
      // response map is returned as the "token"
      if (("SID".equals(paramString1)) || ("LSID".equals(paramString1)))
         str1 = (String)paramMap.get(paramString1);
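
To make the two defects concrete from the defender's side, here is an added example (not Google Play Services code; the class, method and field names are mine, and a plain Map stands in for the Android Bundle of extras) of a token-request parameter builder in the vulnerable shape described above, next to a hardened version that forwards only an allowlisted set of optional keys, refuses to let the caller set server-trusted fields such as has_permission and client_sig, and rejects the reserved SID/LSID "scopes". The allowlisted optional names are illustrative assumptions, not the real gms parameter list.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example: models the getToken() "extras -> HTTP parameters" step.
public class TokenRequestBuilder {

    // Fields the service must decide itself; a caller may never supply them.
    private static final Set<String> SERVER_CONTROLLED = Set.of("has_permission", "client_sig");

    // Optional caller-supplied keys the service is willing to forward (assumed, illustrative names).
    private static final Set<String> ALLOWED_OPTIONAL = Set.of("oauth2_prompt", "request_visible_actions");

    // Undocumented "scopes" that return session cookies instead of OAuth tokens.
    private static final Set<String> RESERVED_SCOPES = Set.of("SID", "LSID");

    /** Vulnerable shape: every _opt_XXX extra is forwarded as XXX, unchecked. */
    public static Map<String, String> buildVulnerable(String scope, Map<String, String> extras) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("service", scope);
        for (Map.Entry<String, String> e : extras.entrySet()) {
            if (e.getKey().startsWith("_opt_")) {
                params.put(e.getKey().replaceFirst("_opt_", ""), e.getValue());
            }
        }
        return params;
    }

    /** Hardened shape: allowlist, no server-controlled overrides, reserved scopes refused. */
    public static Map<String, String> buildHardened(String scope, Map<String, String> extras,
                                                    boolean userConsented) {
        if (RESERVED_SCOPES.contains(scope)) {
            throw new IllegalArgumentException("scope not available to third-party callers: " + scope);
        }
        Map<String, String> params = new LinkedHashMap<>();
        params.put("service", scope);
        for (Map.Entry<String, String> e : extras.entrySet()) {
            if (!e.getKey().startsWith("_opt_")) continue;
            String name = e.getKey().substring("_opt_".length());
            if (SERVER_CONTROLLED.contains(name)) {
                throw new IllegalArgumentException("caller may not set " + name);
            }
            if (ALLOWED_OPTIONAL.contains(name)) {
                params.put(name, e.getValue());
            }
            // any other _opt_ key is dropped rather than forwarded
        }
        // Consent comes from the service's own records, never from the caller's extras.
        params.put("has_permission", userConsented ? "1" : "0");
        return Collections.unmodifiableMap(params);
    }

    public static void main(String[] args) {
        // Constructed extras: a benign optional key plus the injected consent flag.
        Map<String, String> extras = new LinkedHashMap<>();
        extras.put("_opt_oauth2_prompt", "auto");
        extras.put("_opt_has_permission", "1");
        String scope = "oauth2:https://www.googleapis.com/auth/userinfo.email";

        System.out.println("vulnerable: " + buildVulnerable(scope, extras));
        try {
            buildHardened(scope, extras, false);
        } catch (IllegalArgumentException ex) {
            System.out.println("hardened:   rejected (" + ex.getMessage() + ")");
        }
        try {
            buildHardened("SID", Collections.emptyMap(), true);
        } catch (IllegalArgumentException ex) {
            System.out.println("hardened:   rejected (" + ex.getMessage() + ")");
        }
        extras.remove("_opt_has_permission");
        System.out.println("hardened:   " + buildHardened(scope, extras, false));
    }
}
```

The vulnerable builder emits has_permission=1 taken straight from the caller; the hardened one throws on that key, throws on the SID/LSID scopes, and always writes has_permission from its own consent state. Fail-closed on an unexpected server-controlled key, rather than silently dropping it, is deliberate: a caller sending _opt_has_permission is worth logging as a probe.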


Additionally, a few more steps were needed on the way to a PoC:

  • I impersonated the gms app by setting
  • I bypassed the signature check by copy-pasting the signatures and supplying them through _opt_client_sig=<sig> (sorry, no crypto flaws here)
  • I collected signatures for all versions of gms (two in total: 58e1c4133f7441ec3d2c270270a14802da47ba0e and 38918a453d07199354f8b19af05ec6562ced5788), so that my code worked on all Android 4/5 phones
  • I was able to leak the device owner's email address through AccountManager.newChooseAccountIntent, in order to use it in GoogleAuthUtil.getToken (this intent silently returns the user's email when only one Google account is signed in on the device)
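
The second and third bullets are the real lesson for anyone writing a privileged bound service: the calling package's identity and signing certificate must be derived from the Binder calling UID, never accepted from a request parameter such as client_sig. The class below is an added example, not Google Play Services code, of how such a service can establish who is calling it; the trusted fingerprint set is a placeholder an operator fills from their own release certificates, and the method must be invoked from within the incoming transaction (an AIDL method or onTransact) so that Binder.getCallingUid() refers to the client.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import android.os.Process;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Set;

// Added example: caller verification for a bound service, based on the Binder UID
// rather than on anything the caller puts into the request bundle.
public final class CallerVerifier {

    private final PackageManager pm;
    // SHA-1 hex fingerprints of signing certificates treated as privileged.
    // Placeholder content; populate from your own known release certificates.
    private final Set<String> trustedSha1Fingerprints;

    public CallerVerifier(PackageManager pm, Set<String> trustedSha1Fingerprints) {
        this.pm = pm;
        this.trustedSha1Fingerprints = trustedSha1Fingerprints;
    }

    /**
     * True only if every package sharing the caller's UID is signed exclusively
     * with trusted certificates. Call from inside the incoming Binder transaction.
     */
    public boolean callerIsPrivileged() {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) {
            return true; // a call from our own process
        }
        String[] pkgs = pm.getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) {
            return false; // unknown UID: fail closed
        }
        for (String pkg : pkgs) {
            try {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                if (info.signatures == null || info.signatures.length == 0) {
                    return false;
                }
                for (Signature sig : info.signatures) {
                    // Every signer must be trusted; one untrusted certificate rejects the caller.
                    if (!trustedSha1Fingerprints.contains(sha1Hex(sig.toByteArray()))) {
                        return false;
                    }
                }
            } catch (PackageManager.NameNotFoundException e) {
                return false;
            }
        }
        return true;
    }

    /** Lower-case hex SHA-1 of a DER-encoded certificate, as PackageManager reports it. */
    static String sha1Hex(byte[] cert) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(cert)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError("SHA-1 is always available on Android", e);
        }
    }
}
```

Because the decision is made from PackageManager's view of the caller's UID, there is nothing for a client to copy-paste: a caller can only present a certificate it actually signed its APK with. If the service has previously called Binder.clearCallingIdentity() on the same thread, restore the identity before this check, or getCallingUid() will report the service's own UID and the first branch will wrongly succeed.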

As a result, from an installed app requesting no permissions, (1) allowed me to obtain tokens for every possible OAuth2 scope without consent, while with (2) I was able to take over the Google account outright.


December 2, 2014 — Reported the vulnerability to the Android security team; @natashenka confirmed the repro works
January 6, 2015 — Response from the Android security team saying the fix was pushed in mid-December; I checked that the repro stopped working on all my phones
January 9, 2015 — Public disclosure

Thanks to @evdokimovds from DSecRG for helping with unpacking tools and to @jduck from droidsec for verifying the code on multiple Android phones.
