An Android feature designed to allow one-click access to any Google service using credentials stored on the phone has been hacked by a rogue app created by a security researcher, reports PCWorld. The exploit was demonstrated on Saturday at the Defcon security conference in Las Vegas.
The feature is called “weblogin” and works by generating a unique token that can be used to directly authenticate users on Google websites using the accounts they have already configured on their devices.
Weblogin provides a better user experience but can potentially compromise the privacy and security of personal Google accounts, as well as Google Apps accounts used by businesses, Craig Young, a researcher at security firm Tripwire, said during his talk.
The app presents itself as a stock viewing app for Google Finance. When first installed, it asks for permission to access Google accounts stored on the device, and then asks for permission to use the login when connecting to Google Finance. Although the user has to agree to both, this might not seem an inappropriate request when accessing a Google service. Once permission has been granted, the app successfully connects to the service, but also surreptitiously sends the credentials to a server owned by the researcher.
An attacker could then use those credentials to access any of the handset owner’s Google accounts: Gmail, calendar, Google Drive, and Google Apps. Even more worryingly, the same technique could access Google Play to download further malicious apps onto the handset: the rogue app was successfully added to Google Play where it sat for a month (with a warning on installation telling people what it really did) before it was reported and removed.
Google was informed in February and has started blocking some of the actions the app could perform, but the demonstration does suggest we shouldn’t be too casual about the permissions we grant to apps, even when they only ask to access Google services.