Play Store vulnerability.

OP zanderman112

30th September 2012, 01:27 AM   |  #1  
zanderman112
I was recently thinking about something, and I decided to test it out.

On the Play Store app, you can choose to add a PIN, and make this PIN be required to make purchases.
This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
However, there is a flaw in this. The aforementioned PIN is stored locally on the device, whilst the credit card info is connected to your Google account, and obviously your carrier billing options are stored online.

All someone has to do to be able to make purchases on a supposedly secure Play Store is go to Settings>Applications>All>Google Play Store and click clear data. No more PIN.

Quote:
Originally Posted by trter10

It's also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml


The fix to this would obviously be that Google have the PIN be connected to your Google account, instead of stored locally on the device.

Reported to Google. PLEASE STAR THE ISSUE! Will help it get to the people that can fix the problem!

http://code.google.com/p/android/iss...&ts=1349027733
Last edited by zanderman112; 2nd October 2012 at 06:04 PM.
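
The contrast described in the post above, as an added example that is not part of the original thread or Google's code: a Python model of a purchase gate whose PIN lives only in app-local storage next to one where the account service holds a salted hash and does the check. The class names, the `user@example.com` account, the PIN value and the attempt limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

class LocalPinGate:
    """Flawed design: the PIN exists only in app-local storage."""
    def __init__(self):
        self.prefs = {}                       # stands in for the app's shared_prefs
    def set_pin(self, pin):
        self.prefs["pin"] = pin               # plain text (key name is hypothetical)
    def clear_data(self):
        self.prefs.clear()                    # effect of "clear data" in Settings
    def may_purchase(self, entered=None):
        stored = self.prefs.get("pin")
        return stored is None or entered == stored   # no local PIN -> no check at all

class AccountPinGate:
    """Proposed fix: the account service stores and verifies the PIN."""
    MAX_TRIES = 5                             # assumed lockout threshold
    def __init__(self):
        self.accounts = {}                    # server-side state, keyed by account
    @staticmethod
    def _kdf(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)
    def set_pin(self, account, pin):
        salt = os.urandom(16)
        self.accounts[account] = {"salt": salt, "hash": self._kdf(pin, salt), "fails": 0}
    def may_purchase(self, account, entered=None):
        rec = self.accounts.get(account)
        if rec is None:
            return True                       # this account never enabled a PIN
        if rec["fails"] >= self.MAX_TRIES or entered is None:
            return False                      # locked out, or the client sent no PIN
        ok = hmac.compare_digest(self._kdf(entered, rec["salt"]), rec["hash"])
        rec["fails"] = 0 if ok else rec["fails"] + 1
        return ok

def demo():
    local, server = LocalPinGate(), AccountPinGate()
    local.set_pin("4821")                     # constructed sample PIN
    server.set_pin("user@example.com", "4821")
    local.clear_data()                        # a device-side wipe touches only local state
    return local.may_purchase(), server.may_purchase("user@example.com")
```

A four-digit PIN has only 10,000 possible values, so in the account-side model the attempt counter matters more than the hash: the hash only keeps the PIN out of plain text at rest.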
30th September 2012, 02:25 AM   |  #2  
wwjoshdew
Good find, man! Definitely opens up my eyes, as my little brother has a phone with my Google account on it, because of all the apps I've bought, and I enabled the PIN feature on it.
30th September 2012, 03:12 AM   |  #3  
flastnoles11
Wow... way to drop the ball on that one, Google!!!
30th September 2012, 04:42 AM   |  #4  
zanderman112
Yeah. Not sure whether they've ever thought of it or not.

Posted by Mr. Z's HP Touchpad.
30th September 2012, 08:45 AM   |  #5  
What? I haven't made any purchases yet, but my friends come to me on some days and they could buy paid apps. This must be fixed soon.
30th September 2012, 09:19 AM   |  #6  
Quinny899
I notice this a lot when I update my ROM. Because it doesn't come packaged with gapps (well it wouldn't, it's illegal to do that), the data gets cleared when you reinstall the Play Store, thus no more PIN. As I update daily, I never have the PIN for more than one day, which is a major security flaw IMO.

Sent from my Galaxy Nexus using Tapatalk 2
30th September 2012, 10:26 AM   |  #7  
koningjim
Indeed. Maybe Google needs to be informed of this!

!DH eriseD ym morf dneS
30th September 2012, 01:37 PM   |  #8  
wwjoshdew
You should DEFINITELY post that issue on the Google Support page!
Kinda like this one, http://code.google.com/p/android/issues/detail?id=27431
30th September 2012, 06:57 PM   |  #9  
zanderman112
Reported to Google:

http://code.google.com/p/android/iss...&ts=1349027733
2nd October 2012, 01:07 AM   |  #10  
A5J4DX
Wow, how dumb of Google.