How much are we willing to sacrifice or to risk for the sake of convenience? If we’re not careful, we could very well be handing over our digital lives to strangers with one single tap. This is the frightening situation painted by Craig Young from security firm Tripwire in his talk last Saturday at the Defcon security conference in Las Vegas.
The culprit here is a feature in Android called “weblogin”. It generates a unique token that lets Android users log into Google sites and services with the Google account on their device. While there is no question that this makes it very convenient for Android users to get access to their accounts from their device, the problem, according to Young, is that it also makes it very convenient for malicious people to get access to the user’s accounts as well. This puts not only regular users at risk, but even businesses that use their own Google Apps domain.
To prove his point, Young created a rogue app and uploaded it to the Google Play Store as a Google Finance utility. Once installed, it prompts the user with the usual weblogin flow for accessing Google Finance. If the user consents, the weblogin token is generated and the user is logged into Google Finance. However, the app author, in this case Young, now also has access to that token and can use it to access the user’s Google account and data, as well as data from any site using the Google Federated Login system, which lets sites forego requiring users to sign up and use their Google accounts instead.
Interestingly, for the month that the rogue app stayed in the Play Store, Bouncer, Google’s automated security service, did not detect and flag the app as malicious, despite Young making its purpose explicit in the app’s description. Young also said that only one of the many antivirus products on Android was able to detect the malware. The app was only taken down when a user reported it to Google.
The situation is not entirely bleak, however. There are many steps that can be taken to increase security, such as doing further research to strengthen security systems like Bouncer, increasing the cost of attacks, and implementing best security practices. But as always, vigilance and due diligence are the first line of defense.