Hey, you know Android apps can 'access ALL' of your Google account?

The single-click Google account login for Android apps is a little too convenient for hackers, according to Tripwire's Craig Young, who has demonstrated a flaw in the authentication method. The mechanism is called “weblogin”, and basically it allows users to use their Google account credentials as authentication for third- …

COMMENTS

This topic is closed for new posts.
  1. ecofeco Silver badge
    Holmes

    There's that "3rd party" again

    I like that my Android makes it easy-peasy to log in to my Google account just by turning it on, but I NEVER use my Google account to sign on to any websites OTHER than Google.

    Ever.

    That's just stupid.

    For you Facebroke users the same applies. Or any other social gimmicks you use. Never use that account to sign in to anywhere BUT that website.

    And stop downloading every damn flashy app that comes along.

  2. Steve Davies 3 Silver badge
    Coat

    sometimes....

    Apple's Walled garden seems rather attractive (not that it is without its problems) but as I don't use either it is rather moot.

    coat (not that I need one today) and I'm gone to avoid the plethora of downvotes.

    1. Simon Barker

      Re: sometimes....

      I made the mistake of trusting Apple a few years back, first time I can recall someone stealing something on one of my credit cards but it was a valuable lesson in why it's a bad idea to leave financial details with these companies.

      In other words I wouldn't put too much faith in Apple's walled garden, it was only recently we heard news of Apple having to take down their dev center and we've seen other examples of them failing to match their competitors in terms of infrastructure. That's not to say that I think they're especially good or bad at security merely that you can't truly rely on any company to always be secure.

      1. Anonymous Coward
        Anonymous Coward

        Re: sometimes....

        Who says that it was Apple they hacked? If you have never used your card with anyone other than Apple then you can be guaranteed it was Apple. But if you used it anywhere else then there's no guarantee of how your details have been stored.

        They might be stored, emailed or sent plain text for all you know. This is something that needs to be dealt with by the data protection act. It probably already covers your name, address and phone number, but perhaps not credit card numbers?

        1. Simon Barker

          Re: sometimes....

          Of course it was Apple, the problem only occurred with the Apple account and the card itself I think I still use with issue. The surprising thing for me was they didn't seem interested in doing anything about it, they did unlock the account but had me contact my credit card company to sort out the money side of things rather than handle it directly.

          There's other explanations of course, perhaps I was using an insecure password but considering this has only ever happened to me with Apple I'm inclined to suspect the fault lies with them but even if it was my fault in this case that doesn't detract from the other more visible issues I raised does it?

      2. Jamie Jones Silver badge

        Re: sometimes....

        Walled garden?

        This has nothing to do with Android, but with the Google websites.

    2. Craigness

      Re: sometimes....

      The walled garden didn't help Mat Honan.

  3. Paul 135

    Is there any difference between this and someone copying a cookie from your web browser's cache?

  4. Anonymous Coward
    Anonymous Coward

    Which is why, if I ever buy a paid Android application, I delete my credit card from the Google Wallet as soon as I've done so.

    1. M Gale

      UKash, Paypal, and pre-paid debit cards are your friends.

      Or, you know, Google Play vouchers.

  5. Anonymous Coward
    Anonymous Coward

    two step verification..

    You can then set up passwords on a PER SERVICE basis.

    it's not rocket science..

    1. Anonymous Coward
      Anonymous Coward

      Re: two step verification..

      It may not be rocket science but it is backward thinking.

      Companies like Google have a legal responsibility to keep your data safe and Google would actually be in breach of the data protection act over this. Comments like yours are counterproductive because it takes the responsibility away from the company holding, handling and leaking the data and puts it on the user.

      Two step authentication, limiting account access, etc are not opt-ins those are defaults.

  6. Anonymous Coward
    Anonymous Coward

    Of course, if you're using these Google services you're already putting your personal data in the hands of the largest advertising company on the planet. Their reasons for volunteering to store your data are quite possibly not the same reasons you want to store said data. Important to bear in mind, I feel.

  7. kev51773

    Stupid deliberately misleading headline

    Headline should read ... "Malicious apps can access all of your data" Hardly anything new there, just a slightly different attack vector, still requiring the user to be the kind of drooling imbecile who likely has his full credit card details tattooed on his face.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Stupid deliberately misleading headline

      Hi Sergey!

      C.

  8. toadwarrior
    Trollface

    Got to make life easier for the NSA.

  9. gollux

    But it's so darn convenient!

    1. dan1980
      Black Helicopters

      Convenience is the rope they give you to hang yourself with. (Which is likely your point anyway!)

      Foil hat off.

  10. Anonymous Coward
    Anonymous Coward

    I'd trust Apple any day to store my details / data over Google - Google give you all this stuff for free in return for logging your usage, mining your data and using it to push ads etc.

  11. Rich 2 Silver badge

    Google

    I wish someone would produce an Android phone that didn't have all the Google stuff in it.

    I only ever use Google for search and occasional mapping stuff. I simply do not trust Gmail, or GCloud (or whatever they call it) or GSpy. Unfortunately, Android doesn't seem to get this and assumes you're happy to hand over your entire life to Google. No different to Apple, of course, but that doesn't make it right.

    1. Trixr
      Black Helicopters

      Re: Google

      There are plenty of ROMs you can get without GApps installed. If you want to add a new app, you have to do it the hard way, but not having the Google stuff is fairly straightforward if you're happy to flash a ROM.

      Or, get a Chinese No-Name phone that isn't compatible with the "Play" store. Definitely a few of those around as well.

  12. jaminbob

    So if Android is so damn insecure...

    How comes there's been no major breach / scandal / mainstream news story?

    What is it 50% of new smartphones are Android? I've never heard of anyone actually having a problem with it... out of all the people I know with Android.

    Genuine question, every week something new yet it's all hypothetical?

  13. Gil Grissum

    REALLY??

    I was just lying in wait for the HTC ONE MAX or Galaxy Note 3 until I saw this. I guess it's back to the safety of another iPhone, with iOS 7 and Activation Lock...
