Sbktech

I was looking into how the Google Play library ¸½¼Â¤Ë ÆÀ¤ës OAuth µ­Ç°ÉÊs on ¤ËÂå¤ï¤Ã¤Æ of apps, as the actual nuts and bolts remain undocumented.

Its ¼Â»Ü ¿½¤·¹þ¤à¡¿¿½¤·½Ðs some Íø±×¡¿¶½Ì£ing insights into how Google °·¤¦s ÌäÂ꡿ȯ¹Ô¤¹¤ës that ´¢¤ë up up when using OAuth in an Android app. The »Ä¤ê¡¿µÙ·Æ¡Ê¤¹¤ë¡Ë of this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë ¿äÄꤹ¤ës you know a bit about Android, OAuth ƱÍÍ¤Ë as how to use the Google Play Services library to ÆÀ¤ë ÀÜ¶á µ­Ç°ÉÊs. Sorry if all this is É餫¤¹¡¿·âÄƤ¹¤ë in the ¾¯¤·¤Îd, but that's where the fun bits are!

To get a disclaimer out of the way. These are just my ´Ñ»¡s after poking at ¤µ¤Þ¤¶¤Þ¤Ê dex ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës and ÌÖ¾õÁÈ¿¥ traffic and I've undoubtedly ¹ÔÊýÉÔÌÀ¤Ë¤Ê¤ëd many things; but I do hope to show you the Éý¤Î¹­¤¤ ÎسԡʤòÉÁ¤¯¡Ë of how it ºîÉÊ.

There are three points of Íø±×¡¿¶½Ì£.

1. ÈãȽŪ¤Ê code runs only within a Google Ä´°õ¤¹¤ëd app (eg: the com.google.android.gms/.auth.GetToken service.)
2. This service ǧ²Ä¤¹¤ës apps Ãϸµ¤Ç, and ÆÀ¤ës ÀÜ¶á µ­Ç°ÉÊs using a Ãϸµ¤Ç Ãߤ¨¤ë¡¿Å¹d master µ­Ç°ÉÊ. It ¸ú²ÌŪ¤Ë ¼è¤Ã¤ÆÂå¤ï¤ës the ÅÁÅýŪ¤Ê web-based OAuth À§Ç§ flow.
3. Third-party apps are identified by their ½ð̾ and °ì³ç »Ø̾¤¹¤ë, rather than an »ÈÍÑ¡¿Å¬ÍÑ-½ÅÍפÊ/»ÈÍÑ¡¿Å¬ÍÑ-secret.

The green areas run "¿®ÍÑd" code. Your app uses the Google Play Services ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í library; but the library itself doesn't run ÈãȽŪ¤Ê code. It instead º£¸ås calls to services and activities running within a ʬ¤«¤ì¤Æ Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ëd app ("Google Play Services".)

Here are some Íø±×¡¿¶½Ì£ing bits of the manifest ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë for com.google.android.gms (the "Google Play services" app) so you get a feel for how it is »Ï¤á¤ë¡¤·è¤á¤ë up.

<manifest
  android:sharedUserId="com.google.uid.³ôd"
  °ì³ç="com.google.android.gms"
  ...>
  <service
    android:»Ø̾¤¹¤ë=".auth.GetToken"
    android:Í¢½Ð¡Ê¤¹¤ë¡Ëd="true"
    android:²áÄø="com.google.²áÄø.gapps"/>

  <activity
    android:»Ø̾¤¹¤ë=".auth.login.LoginActivity"
    android:Í¢½Ð¡Ê¤¹¤ë¡Ëd="true"
    android:²áÄø="com.google.android.gms.ui"
    .../>

As an app writer, you typically call GoogleAuthUtil.getToken() from your »ÈÍÑ¡¿Å¬ÍÑ. The Play Services library first Ω¾Ú¤¹¤ës that the Í׵᤹¤ëd Google apps (com.android.vending and com.google.android.gms) are Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ëd, and also that they have an µöÍƤǤ­¤ë ¸«²ò¡¿ËÝÌõ¡¿ÈÇ and ½ð̾. The µöÍƤǤ­¤ë ¸«²ò¡¿ËÝÌõ¡¿ÈÇ numbers and ½ð̾ are embedded ľÀÜ¡¿¤Þ¤Ã¤¹¤°¤Ë within the library. Your requested OAuth ÈÏ°Ï is passed to the service, and now we're running inside the ¿®ÍÑd Play Services app.

Things start to get Íø±×¡¿¶½Ì£ing within the get-µ­Ç°ÉÊ service.

This service first retrieves the app °ì³ç »Ø̾¤¹¤ë and ½ð̾ of the ÊóÃη¸. This pair (caller_package_name,caller_signature) is used to identify the ÊóÃη¸. This Áê¸ß¤Î ¿È¸µ³Îǧ¡¤¿Èʬ¾ÚÌÀ/Ω¾Ú by the service and the calling library takes place ¸¢Íø at the ¼ê»Ï¤á; and ¿äÄê¤Ç¤Ï makes it more difficult for either the ÊóÃη¸ or a rogue "Play Service" to spoof their ¿È¸µ to the other.

The service ľÀÜ¡¿¤Þ¤Ã¤¹¤°¤Ë manages app À§Ç§, shows dialogs to the »ÈÍÑ¼Ô as needed, and creates ÀÜ¶á µ­Ç°ÉÊs for requested ÈÏ°Ïs. In other words, it À®¤·¿ë¤²¤ës the app-À§Ç§ that would ¤µ¤â¤Ê¤±¤ì¤Ð typically be done by the web-¾ì½ê¡¿°ÌÃÖ.

This approach does have some advantages. By using a Ãϸµ¤Ç running service in a ¿®ÍÑd Google app, Google can take advantage of some of the °ÂÁ´ features within Android.

For example, by using the °ì³ç ½ð̾ to identify your »ÈÍÑ¡¿Å¬ÍÑ, it ½üµî¤¹¤ës the need to embed »ÈÍÑ¡¿Å¬ÍÑ ids and secrets in your apk (which can often be Ãê½Ð¤¹¤ëd out of a downloaded »ÈÍÑ¡¿Å¬ÍÑ; µö¤¹ing the bad guys to Ä´°õ¤¹¤ë requests as if they ¡Êµ¡¤Î¡Ë¥«¥à from your app.) °ì³ç ½ð̾s are much harder to spoof - you'll need the »äŪ¤Ê Ä´°õ ½ÅÍ×¤Ê which is (hopefully!) never ÌÀ¤é¤«¤Ë¤¹¤ë¡¿Ï³¤é¤¹d; so this is a better way to identify an app.

¤½¤Î¾å¤Î, all the Àܶá À§Ç§ UI and µ­Ç°ÉÊ ¼èÆÀ¡¿Çã¼ý logic is sandboxed inside the play app rather than ¸ºß left to the app-writer. ¿äÄê¤Ç¤Ï, this ¸º¤º¤ës the "attack-surface", and also µö¤¹s bugs to be ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½êd quickly by updating this Áª¤Ó½Ð¤¹¡¿ÆÈ¿È app.

You might now be imagining the flip Ì£Êý¤¹¤ë of such a powerful Android service, and you'd be ¸¢Íø. This service has to be °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë and Àµ³Î¤Ë ·ÙÊó the »ÈÍÑ¼Ô during À§Ç§; for once ½àÈ÷¡¿¾ò¹àd, it is ͭǽ¤Ê of creating ÀÜ¶á µ­Ç°ÉÊs on ¤ËÂå¤ï¤Ã¤Æ of any app, and with any ÈÏ°Ï.

The get-µ­Ç°ÉÊ service does all this using what I call a master µ­Ç°ÉÊ that it ÆÀ¤ës from an undocumented authentication endpoint at https://android.¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís.google.com/auth. Here's how it ºîÉÊ.

When you first Äɲ乤ë an account to the ÁõÃÖ (say during ÁõÃÖ ÂÎÀ©¡¿µ¡¹½) the service ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ës your password, which is additionally encrypted with, I believe, a public ½ÅÍ×¤Ê whose »äŪ¤Ê ÁêÅö¤¹¤ë¤â¤Î is ÍøÍѤǤ­¤ë to the web endpoint.

POST https://android.¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís.google.com/auth
Parameters
----------
accountType:      HOSTED_OR_GOOGLE
Email:            xxx@gmail.com
has_permission:   1
add_account:      1
EncryptedPasswd:  <some base64 encoding>
service:          ac2dm
source:           android
androidId:        <deviceid>
device_country:   us
operatorCountry:  us
lang:             en
sdk_version:      17

A successful login returns »Ù±ç¤¹¤ë a bunch of »ÈÍÑ¼Ô ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë and µ­Ç°ÉÊs, one per line.

SID=...
LSID=...
Auth=...
services=hist,mail,lh2,talk,oz
Email=...
µ­Ç°ÉÊ=1/zMASTERTOKEN
GooglePlusUpgrade=1
PicasaUser=...
RopText= 
RopRevision=1
firstName=...
lastName=...

¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ë the µ­Ç°ÉÊ field - this is the one master µ­Ç°ÉÊ to »ÙÇÛ¤¹¤ë them all.

The master µ­Ç°ÉÊ is Ãߤ¨¤ë¡¿Å¹d on the ÁõÃÖ using the AccountManager. You should be aware that in most ÁõÃÖ configurations, AccountManager Ãߤ¨¤ë¡¿Å¹s this µ­Ç°ÉÊ in an unencrypted sqlite database (accounts.db - usually somewhere under /data/system.) Êݸî is ¤Þ¤ºÂè°ì¤Ë¡¿ËÜÍè through the basic linux ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë-system ÀÜ¶á »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ës - the directories are accessible only to system ²áÄøs.

My understanding of the Android °ÂÁ´ Team's position is that anything else is fundamentally °ÂÁ´ theatre. Encrypting the data or the filesystem is a tricky »ÙÇÛ¤¹¤ë and ²òÅús are often contentious. At any Ψ; it means rooted ÁõÃÖs (or ÁõÃÖs that can be rooted through an OS/driver ¾ÚµòÉÔ½½Ê¬) are at ´í¸± of exposing the master µ­Ç°ÉÊ - so be aware.

Next, a »Ï¤á¤ë¡¤·è¤á¤ë of ³Ë¿´ google services request OAuth µ­Ç°ÉÊs for their ÈÏ°Ïs. This also ÌÀ¤é¤«¤Ë¤¹¤ë¡¿Ï³¤é¤¹s how the get-µ­Ç°ÉÊ service À¸À®¤¹¤ës ÀÜ¶á µ­Ç°ÉÊs using the master µ­Ç°ÉÊ. Here for example, is how it creates a µ­Ç°ÉÊ for one of the ÈÏ°Ïs requested by the market app.

POST https://android.¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís.google.com/auth

Parameters
----------
accountType:      HOSTED_OR_GOOGLE
Email:            ...
has_permission:   1
µ­Ç°ÉÊ:            1/zMASTERTOKEN
service:          sierra
source:           android
androidId:        <deviceid>
app:              com.android.vending
client_sig:       38918a453d07199354f8b19af05ec6562ced5788
device_country:   us
operatorCountry:  us
lang:             en
sdk_version:      17

and sure enough - it gets »Ù±ç¤¹¤ë:

SID=...
LSID=...
Auth=<auth_token>
issueAdvice=¼«Æ°¼Ö
services=hist,mail,lh2,talk,oz

Indeed, all it takes is to Äɲ乤ë the has_permission=1 ´ú to a request ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ëing the master µ­Ç°ÉÊ, and É餫¤¹¡¿·âÄƤ¹¤ë comes an ÀÜ¶á µ­Ç°ÉÊ for the ´ê˾¡Ê¤¹¤ë¡Ëd ÈÏ°Ï. I also believe this µö²Ä is automatically Äɲ乤ëd if the service notices that the requestor ½ð̾ is the same as the google app ½ð̾; which is in fact the SHA value you see above.

What happens when you request a µ­Ç°ÉÊ from your own app ·Ðͳ¤Ç GoogleUtils.getToken() for the userinfo.profile ÈÏ°Ï?

POST https://android.¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís.google.com/auth
Headers
-------
ÁõÃÖ:          <deviceid>
app:             <app-°ì³ç-»Ø̾¤¹¤ë>

Parameters
----------
device_country:                us
operatorCountry:               us
lang:                          en_US
sdk_version:                   17
google_play_services_version:  4132532
accountType:                   HOSTED_OR_GOOGLE
Email:                         <email>
source:                        android
androidId:                     <device_id>
app:                           <app-°ì³ç-»Ø̾¤¹¤ë>
client_sig:                    <app-sha-½ð̾>
service:                       oauth2:https://www.googleapis.com/auth/userinfo.profile
µ­Ç°ÉÊ:                         1/zMASTERTOKEN

¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ë the absence of the has_permission=1 ´ú, and that the client_sig is now the ½ð̾ of the calling app.

The ÊÖÅú is:

issueAdvice=Ʊ°Õ
µö²Ä=¸«²ò¡Ê¤ò¤È¤ë¡Ë+basic+¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë+about+your+account
ScopeConsentDetails=%0AView+your+»Ø̾¤¹¤ë%2C+public+profile+URL%2C+and+photo%0AView+your+gender%0AView+your+country%2C+la
nguage%2C+and+timezone%0A
ConsentDataBase64=...

The »ÈÍѼÔ-interface is controlled by the issueAdvice ´ú in the ÊÖÅú. Automatically ǧ²Ä¤¹¤ëd apps get the issueAdvice=¼«Æ°¼Ö ´ú and an ÀÜ¶á µ­Ç°ÉÊ. issueAdvice=Ʊ°Õ ¸¶°ø¡Ê¤È¤Ê¤ë¡Ës the service to return an °Õ¿Þ that if ³«»Ï¤¹¤ë¡¤ÂǤÁ¾å¤²¤ëd, shows a suitable Ʊ°Õ dialog. (The Play Services ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í library bundles this °Õ¿Þ into a UserRecoverableAuthException.)

What happens when you ǧ²Ä¤¹¤ë a Ʊ°Õ dialog? Nothing much - the service ñ¤Ë Äɲ乤ës the has_permission=1 ´ú to a Îà»÷¤Î request and gets »Ù±ç¤¹¤ë an ÀÜ¶á µ­Ç°ÉÊ. It really can create ÀÜ¶á µ­Ç°ÉÊs for any and all ÈÏ°Ïs.

By the way - this also ¼¨¤¹s how the Ω¾Ú¤¹¤ëd app call µ¡³£ÁõÃÖ likely ºîÉÊ. If you ÌÀ¼¨¤¹¤ë a audience:server:client_id ÈÏ°Ï, the µ­Ç°ÉÊ service passes it as usual with the (caller_package,caller_signature) pair to the server. The server checks if this matches the ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë you ʬ¤«¤ì¤Æ ÅÐÏ¿¡Ê¤¹¤ë¡Ëd for that app, and returns a JSON Web µ­Ç°ÉÊ ¼çÄ¥¤¹¤ëing this fact.

¼«Á³¤Ë, all this assumes the basic Android system, ƱÍÍ¤Ë as the "¿®ÍÑd" Play Services app can securely identify the calling °ì³ç; and that nobody other than the ¿®ÍÑd app has Àܶá to the master µ­Ç°ÉÊ.

Given those ²¾Äê¡¿°ú¤­¼õ¤±¤ë¤³¤Ès, it's a nice technique. The Play Services App ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës an omnipotent "Ãϸµ¤Î-oauth-service"; playing the Ìò³ä of the web-based À§Ç§ flow but with an Android flavor. Third-party apps are identified ľÀÜ¡¿¤Þ¤Ã¤¹¤°¤Ë by their app ½ð̾, ½üµî¤¹¤ëing the need to embed app secrets within the apk ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë.

Most »ÈÍѼÔs need (and should) enter their google password only when setting up their ÁõÃÖ. Apps no longer use the inherently insecure Webview approach to Ͷȯ¤¹¤ë¡¿°ú¤­µ¯¤³¤¹ the À§Ç§ flow; nor do they need to use the ¤®¤³¤Á¤Ê¤¤ and tedious flow ·Ðͳ¤Ç a browser °Õ¿Þ. The app never sees anything other than the ÀÜ¶á µ­Ç°ÉÊ itself. ÈãȽŪ¤Ê code runs only in the Play Services app, so bugs can be ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd by just updating one app.

Downsides?

Be aware there's a master µ­Ç°ÉÊ Ãߤ¨¤ë¡¿Å¹d on your Android ÁõÃÖ which has the latent ability to ǧ¤á¤ë Àܶá to services you might not even be Àܶáing from it. If that µ­Ç°ÉÊ is ever exposed, you should assume that all data associated with the account is up for ÆÀ¤ë¡¤¤È¤é¤¨¤ës. Use the Android ÁõÃÖ ·Ð±Ä¼Ô¡¿»ÙÇÛ¿Í to ¸º¤º¤ë the window of ŬÀڤʻþ´ü if your ÁõÃÖ is stolen, or manage this master µ­Ç°ÉÊ from your °ÂÁ´ settings. Or, use a low-value account just for your android ÁõÃÖs; and keep ÈãȽŪ¤Ê ʸ½ñs in a separate account.