Play Store vulnerability.

Search This thread
By:
Advanced…
zanderman112

zanderman112

Senior Member
Oct 6, 2010
7,957
1,844
SouthEast USA
www.twitter.com
I recently was thinking about something, I decided to test it out.

On the Play Store app, you can choose to add a pin number, and make this pin be required to make purchases.
This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
However, there is a flaw in this. The aforementioned pin number is stored locally on the device, whilst the credit card info is connected to your google account, and obviously your carrier billing options are stored online.

All someone has to do to be able to make purchases on a supposed secure play store is go to Settings>Applications>All>Google Play Store and click clear data. No more pin.

trter10 said:
its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
gIJ5.PNG
Click to expand...
Click to collapse


The fix to this would obviously be that google have the pin be connected to your google account, instead of stored locally on the device.

Reported to Google. PLEASE STAR THE ISSUE! Will help it get to the people that can fix the problem!

http://code.google.com/p/android/issues/detail?id=38025&thanks=38025&ts=1349027733
 
Last edited:
  • Like
Reactions: josuearisty, iok1, Zatta and 12 others
wwjoshdew

wwjoshdew

Inactive Recognized Contributor
Dec 30, 2008
1,389
1,400
Seattle
tinyurl.com
Good find man! Definitely opens up my eyes, as my little brother has a phone with my google account on it, because of all the apps I've bought-en, and I enabled the pin feature on it.
 
  • Like
Reactions: zanderman112
J

Jagay

Member
Sep 30, 2012
19
2
Rm. Valcea
What?I haven't made any purchases yet, but my friends come to me on some days and they could buy paid apps.This must be fixed soon.
 
Quinny899

Quinny899

Recognized Developer / Recognized Contributor
Jan 26, 2011
9,427
8,752
26
Salford, Greater Manchester, UK
quinny898.co.uk
I notice this a lot when I update my ROM. Because it doesn't come packaged with gapps (well it wouldn't, it's illegal to do that), the data gets cleared when you reinstall the play store, thus no more pin. As I update daily, I never have the pin for more than one day, which is a major security flaw IMO

Sent from my Galaxy Nexus using Tapatalk 2
 
T

trter10

Senior Member
Jan 25, 2012
674
464
zanderman112 said:
I recently was thinking about something, I decided to test it out.

On the Play Store app, you can choose to add a pin number, and make this pin be required to make purchases.
This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
However, there is a flaw in this. The aforementioned pin number is stored locally on the device, whilst the credit card info is connected to your google account, and obviously your carrier billing options are stored online.

All someone has to do to be able to make purchases on a supposed secure play store is go to Settings>Applications>All>Google Play Store and click clear data. No more pin.

The fix to this would obviously be that google have the pin be connected to your google account, instead of stored locally on the device.

Reported to Google:

http://code.google.com/p/android/issues/detail?id=38025&thanks=38025&ts=1349027733
Click to expand...
Click to collapse
its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
gIJ5.PNG
 
Last edited:
  • Like
Reactions: zanderman112 and flastnoles11
C

cccy

Senior Member
Apr 9, 2009
126
33
Actually, I believe that function is more of a "Child Lock". The screen lock/wipe is supposedly what prevents stolen phones from being used. In most cases, someone that usually knows your password (Of course, adb enabled phones can have their screen lock disabled). That's usually your kids that use your phone for games, watching videos, etc. That's what the pin is for - blocking them from downloading paid stuff without your knowledge. I suppose Google doesn't think that they would be the ones who will be hacking your phone, and of course, not be the ones who steal your phone.
 
Quinny899

Quinny899

Recognized Developer / Recognized Contributor
Jan 26, 2011
9,427
8,752
26
Salford, Greater Manchester, UK
quinny898.co.uk
We need to get this big, it needs as many people as possible to star it. We really need to get this on the portal and everywhere else

Sent from my ARCHOS 80G9 using Tapatalk 2

---------- Post added at 04:45 PM ---------- Previous post was at 04:35 PM ----------

Tweeted to xda, android, android police, androidauth, retweet this
https://twitter.com/Quinny898/status/253157268806328320
Sent from my ARCHOS 80G9 using Tapatalk 2
 
  • Like
Reactions: zanderman112 and wwjoshdew
You must log in or register to reply here.

Similar threads

IamIrene
[APK] Google Play Store 5..1.11
Replies
175
Views
601K
T
TheDouglas
S
[GUIDE] [HOW-TO] Install Adobe Flash Player on Android 4.1 Jelly Bean/ Android 4.4
Replies
1K
Views
3M
dasdsad1
dasdsad1
Geo1997
[GUIDE] VPN - Access other countries' Play Store & download all the stuff you want
Replies
223
Views
283K
M
Michael Carleone
QYOBZ
[SOLUTION:] Can't Establish a reliable connection to the server/Playstore No Connect
Replies
403
Views
646K
N
naveen3807
CatZephyr
Huawei Honor Holly [Hol-U19] || All-in-One || ROOT, Recovery & Devlopment Discussion
Replies
2K
Views
986K
M
mrozilla

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 15
    zanderman112
    zanderman112
    I recently was thinking about something, I decided to test it out.

    On the Play Store app, you can choose to add a pin number, and make this pin be required to make purchases.
    This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
    However, there is a flaw in this. The aforementioned pin number is stored locally on the device, whilst the credit card info is connected to your google account, and obviously your carrier billing options are stored online.

    All someone has to do to be able to make purchases on a supposed secure play store is go to Settings>Applications>All>Google Play Store and click clear data. No more pin.

    trter10 said:
    its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
    gIJ5.PNG
    Click to expand...
    Click to collapse


    The fix to this would obviously be that google have the pin be connected to your google account, instead of stored locally on the device.

    Reported to Google. PLEASE STAR THE ISSUE! Will help it get to the people that can fix the problem!

    http://code.google.com/p/android/issues/detail?id=38025&thanks=38025&ts=1349027733
    View
    4
    zanderman112
    zanderman112
    Reported to Google:

    http://code.google.com/p/android/issues/detail?id=38025&thanks=38025&ts=1349027733
    View
    2
    Quinny899
    Quinny899
    We need to get this big, it needs as many people as possible to star it. We really need to get this on the portal and everywhere else

    Sent from my ARCHOS 80G9 using Tapatalk 2

    ---------- Post added at 04:45 PM ---------- Previous post was at 04:35 PM ----------

    Tweeted to xda, android, android police, androidauth, retweet this
    https://twitter.com/Quinny898/status/253157268806328320
    Sent from my ARCHOS 80G9 using Tapatalk 2
    View
    2
    flastnoles11
    flastnoles11
    trter10 said:
    its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
    gIJ5.PNG
    Click to expand...
    Click to collapse

    I was just coming to post this same thing... glad somebody else seen this also...
    View
    2
    T
    trter10
    zanderman112 said:
    I recently was thinking about something, I decided to test it out.

    On the Play Store app, you can choose to add a pin number, and make this pin be required to make purchases.
    This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
    However, there is a flaw in this. The aforementioned pin number is stored locally on the device, whilst the credit card info is connected to your google account, and obviously your carrier billing options are stored online.

    All someone has to do to be able to make purchases on a supposed secure play store is go to Settings>Applications>All>Google Play Store and click clear data. No more pin.

    The fix to this would obviously be that google have the pin be connected to your google account, instead of stored locally on the device.

    Reported to Google:

    http://code.google.com/p/android/issues/detail?id=38025&thanks=38025&ts=1349027733
    Click to expand...
    Click to collapse
    its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
    gIJ5.PNG
    View

New posts