Monday, February 23, 2015

Password protection for purchases in Google Play can be bypassed. (And some other issues.) How to defend yourself?

Google Play allows you to buy apps, books and music. Once you enter a payment method (e.g. a payment card or carrier invoice), it is saved, so you can use the same payment method for the next purchase. Google offers password protection for that. It sounds great, but it can be bypassed. What we actually have is not additional security but an unkept promise, which may have the opposite effect – the user might rely on a security enhancement that does not work correctly.

There is an extra issue for users with multiple Android devices. The thief of one device can install apps on the other devices of that user. I'll also mention another related issue, but the last one is fixed.

This is just a warning about security issues, not a manual for abuse.

This article is a translation (with minor modifications) of my recent article. I am sorry for the delay; I hoped to release this article sooner.

Google will not fix it.

Well, there were also some related issues in two-factor authentication, but Google fixed them quickly after they were reported. Google, however, refused to fix the two Google Play related issues I will talk about.

By the way, Google has paid a bug bounty and listed me in the Hall of Fame, but they said they were happy with the current situation.

What is the core of the issue?

Google Play allows us to purchase content using the Google Play application for Android, which is usually password protected. I haven't looked into the details of the password verification, but I hope it is designed correctly. However, this is not the only way I can buy an item in Google Play. I can also use the web interface at https://play.google.com/. The web interface does not require the password for buying an item.

Moreover, the attacker does not need the victim to be logged in to a Google account in a browser on the stolen device. Once the Google account is present on the device (which is very likely, given its ties to the Android ecosystem), we can also use the account in a web browser. We just need a tool that is often pre-installed on Android devices. I am talking about Google Chrome for Android, which suggests the attack when you are on the Google login page:

Well, it is unclear from the screenshot whether a real attack is possible. For example, Google might consider this login method to be something inferior, so Google would ask for the password when buying an application. This is, however, not the case. Google allows you to use this passwordless login for buying apps without knowing the password.

There is one more issue. The attacker can install any application (paid or free) on other devices of the victim. For example, if you have your tablet stolen, the thief might abuse this feature for spying on your phone.

How could Google fix it?

I've suggested some countermeasures:

  • Remove the passwordless login feature. This would surely mitigate these attacks, but it costs too much user convenience, and there are more convenient ways.
  • If the user uses the passwordless login, the Google Play webapp would require the user's password for any application installation request. If the user logs in with the password, Google would allow installing apps without entering the password again.
  • The password would always be required when the user purchases an item in Google Play.
  • Some combination of the above. My preferred approach is asking for the password when the user buys an item (regardless of the authentication method) and asking for the password when installing any application (either paid or free) on a remote device using the passwordless login feature. However, when the user uses, say, Firefox for Android, where he can log in only with password-based authentication, he would still allow the attacker to install any free application on other devices of the victim.
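
The proposals above can be compared by modelling them as step-up authentication rules and checking which requests from someone who holds the device but does not know the password would still go through. This is an added example, not code from the original article or from Google; the session labels, request fields and scenario names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Illustrative model only: labels and fields are assumptions, not Google's API.
PASSWORDLESS = "device_account"  # web session derived from the account stored on the device
PASSWORD = "password"            # web session created by typing the account password

@dataclass(frozen=True)
class Request:
    login: str    # how the browser session was established
    paid: bool    # the item costs money
    remote: bool  # the app is pushed to another device of the same account

# Each policy answers: must the password be re-entered for this request?
def current_behaviour(r):
    return False  # the web interface never asks, as the article describes

def password_on_passwordless_install(r):   # second bullet
    return r.login == PASSWORDLESS

def password_on_every_purchase(r):         # third bullet
    return r.paid

def preferred_combination(r):              # fourth bullet
    return r.paid or (r.login == PASSWORDLESS and r.remote)

# Constructed scenarios: the device holder does not know the password.
SCENARIOS = {
    "passwordless/paid": Request(PASSWORDLESS, paid=True, remote=False),
    "passwordless/free-remote": Request(PASSWORDLESS, paid=False, remote=True),
    "password-session/paid": Request(PASSWORD, paid=True, remote=False),
    "password-session/free-remote": Request(PASSWORD, paid=False, remote=True),
}

def unprotected(policy):
    """Scenarios that succeed without the password under the given policy."""
    return [name for name, req in SCENARIOS.items() if not policy(req)]

if __name__ == "__main__":
    for policy in (current_behaviour, password_on_passwordless_install,
                   password_on_every_purchase, preferred_combination):
        print(f"{policy.__name__}: {unprotected(policy) or 'none'}")
```

The only scenario the preferred combination leaves open is the free remote install from a password-based browser session, which is the residual case the last bullet points out.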

How can I defend myself?

First, when you lose an Android device, you should change your Google account password as soon as possible. (I also recommend changing all the passwords of other affected accounts, not just the Google account.) This performs a remote logout on the Android devices.

Screen lock might help, but it can be bypassed in general. In some cases, it might be very easy, e.g. on a phone with enough access to recovery. In some cases, it might be hard, but one can disassemble the phone and directly access the flash memory. (Well, this extreme case is hard and might not be worth the cost.) Nevertheless, screen lock is likely to discourage some people.

Remote wipe tools can also help, but they should not be a primary countermeasure for this issue. First, I advise you to change the password regardless of remote wipe tools, because you can never be sure whether you got it done in time. Moreover, I am not aware of any secure delete functionality in Android remote wipe tools. Of course, when you change the password, there might still be some other reasons for doing a remote wipe, so I am not suggesting that remote wipe tools are useless. They are useful, but you should not rely on them too much…

And of course, the best countermeasure is not having your device lost :)

Issues outside the Google Play

Of course, there are some other parts of the Google ecosystem affected by passwordless login.

Two-factor authentication

There are some apps (e.g. Android) not supporting two-factor authentication, so Google allows you to generate an application-specific password for these purposes. In order to generate an application-specific password, you have to re-enter your password, which is good. However, it used to be enough to use the passwordless authentication in Android for generating a new application-specific password. This could be abused by a thief of an Android device to keep access to the account even after the user changes the password.

Well, Google sends an e-mail when the user generates a new application-specific password, but the attacker is very likely to have access to his Gmail account, so he can easily delete it.

It is worth noting that this also used to be an issue for Android non-users. An adversary was able to abuse this feature for cloning an application-specific password and using the cloned one even after the old one was revoked. Some social engineering (like choosing a good name for it) might be needed for a successful attack.

Fortunately, this issue was fixed quickly after I reported it.

Access to history and some other more protected data

Google tries to protect some data more than others. For example, when you go to https://history.google.com/, Google is likely to require your password even if you are logged in. The passwordless login seems to weaken this extra protection. Google sees this as just a feature, not a bug. You can see the history data by using the Google Search app. So, mobile devices (including tablets) seem to have a different security policy from desktops. It might be confusing, but we should be aware of it.