A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas.
The feature is called “weblogin” and works by generating a unique token that can be used to directly authenticate users on Google websites using the accounts they have already configured on their devices.
In short, Craig Young, a researcher at security firm Tripwire, built an app that can steal weblogin tokens and pass them off to another server. Once there, they can be used in a non-Android browser to log in to users’ Google accounts without the actual passwords.
Gmail, Google Drive and Google Calendar can all be accessed with these weblogin tokens, for regular Gmail users as well as Google Apps customers.
To prove his concept, Craig Young put the app in the Google Play Store after alerting the company about the issues in February. While the company put some things in place, the application still went up — for free — in the Play Store.
Here’s Constantin again:
The app was designed to masquerade as a stock viewing app for Google Finance and was published on Google Play, with a description that clearly indicated it was malicious and shouldn’t be installed by users.
During installation, the app asks for permission to find accounts on a device, use the accounts on a device and access the network. When run, it then displays another prompt asking for permission to access a URL that starts with “weblogin” and includes finance.google.com.
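As an added example (not part of the original article, and not Young's app), here is a small Python triage script a defender could run over an APK decoded with apktool: it flags the combination the description above gives, the account and network permissions together with a hard-coded "weblogin:" token type, and reports the host the token targets. The permission names are the standard Android ones; the manifest and smali lines below are constructed, not taken from the real app.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The three capabilities the write-up says the app requested: find accounts,
# use accounts, and network access (standard Android permission names).
ACCOUNT_PERMS = {"android.permission.GET_ACCOUNTS", "android.permission.USE_CREDENTIALS"}
NETWORK_PERM = "android.permission.INTERNET"
# Auth-token type prefix the app asked for; the host embedded in it is reported too.
WEBLOGIN_RE = re.compile(r"weblogin:[^\"'\s]*")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str, code_strings) -> dict:
    """Flag the pattern described above: account permissions plus network
    access plus a hard-coded 'weblogin:' token request in the code."""
    perms = declared_permissions(manifest_xml)
    token_types = sorted({m.group(0) for s in code_strings for m in WEBLOGIN_RE.finditer(s)})
    hosts = sorted({h for t in token_types for h in HOST_RE.findall(t)})
    account_access = ACCOUNT_PERMS <= perms
    network_access = NETWORK_PERM in perms
    return {
        "account_access": account_access,
        "network_access": network_access,
        "weblogin_token_types": token_types,
        "weblogin_hosts": hosts,
        "suspicious": account_access and network_access and bool(token_types),
    }


# Constructed sample modelled on the description above (not the real app's files).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.stockviewer">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_STRINGS = [
    'const-string v1, "weblogin:service=finance&continue=https://finance.google.com/"',
    'const-string v2, "com.google"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```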
On this week’s Amplified, Dan Benjamin, Jim Dalrymple and Peter Cohen spoke about this at length. When Benjamin asked his guests why this sort of thing is allowed, the trio suggested the reasons could include Google’s internal developer resources simply being stretched too thin, or that the company doesn’t care about this sort of issue.
While I’m sure Apple’s internal developer resources are much better organized and streamlined than what Google has, Google’s got no shortage of engineering muscle within its ranks.
The second option is far more interesting to me. iOS devices make up the majority of Apple’s profits; that simply isn’t true for Google and Android. Cupertino has shifted resources to more accurately reflect that, while Google’s main business remains web services and ads.
This isn’t going to change for Google anytime soon, I don’t think.
I’d argue Google should shift resources and start really paying attention to Android on a much larger scale, and that the OS would benefit from the attention.
The reality is that Android isn’t a hobby anymore. It’s a major player in the mobile space, and Google needs to take security far more seriously than it does.
A good first step would be reviewing apps as they are submitted to the Play Store.
I know Google won’t ever build the sort of system of rules that Apple uses to police its App Store. I’m not suggesting the company should. Google could still allow crazy-ass apps and utilities on the Store.
Google can allow Android to keep its “open” moniker and offer its users a more secure platform. Android wouldn’t have to lose its personality for the sake of security.
That said, security holes like the one outlined above are simply unacceptable on a platform the size of Android. It’s time for Google to put some walls up around Android and the Play Store.