XDA Developers Android and Mobile Development Forum

Play Store vulnerability.

zanderman112 (Recognized Themer - OP), #1
(Last edited by zanderman112; 2nd October 2012 at 06:04 PM.)

I was recently thinking about something, and I decided to test it out.

On the Play Store app, you can choose to add a PIN number and make this PIN required to make purchases.
This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
However, there is a flaw in this. The aforementioned PIN number is stored locally on the device, whilst the credit card info is connected to your Google account, and obviously your carrier billing options are stored online.

All someone has to do to be able to make purchases on a supposedly secure Play Store is go to Settings>Applications>All>Google Play Store and click Clear data. No more PIN.

Quote: Originally posted by trter10:
It's also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml

The fix to this would obviously be for Google to have the PIN connected to your Google account instead of stored locally on the device.

Reported to Google. PLEASE STAR THE ISSUE! Will help it get to the people that can fix the problem!

http://code.google.com/p/android/iss...&ts=1349027733

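As an added illustration (not code from the thread, nor from the Play Store app itself), here are the two designs the OP contrasts: a purchase gate that reads the PIN and the "PIN required" flag from a shared_prefs-style XML file, which "Clear data" empties, versus one that verifies a salted PIN hash bound to the account on the server. The XML key names, the server record layout and all sample values are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for a shared_prefs XML file; the key names are hypothetical.
SAMPLE_PREFS = """<map>
    <string name="purchase_pin">1234</string>
    <boolean name="pin_required" value="true" />
</map>"""

def parse_prefs(xml_text):
    """Parse an Android shared_prefs <map> into a dict of strings/booleans."""
    prefs = {}
    for el in ET.fromstring(xml_text):
        if el.tag == "string":
            prefs[el.get("name")] = el.text or ""
        elif el.tag == "boolean":
            prefs[el.get("name")] = el.get("value") == "true"
    return prefs

def clear_data(gate):
    """What Settings > Applications > Clear data does to either design."""
    gate.prefs = {}

class LocalPinGate:
    """Design the thread describes: PIN and 'required' flag live only in app data."""
    def __init__(self, prefs_xml):
        self.prefs = parse_prefs(prefs_xml)   # plaintext PIN sits right here

    def purchase_allowed(self, entered_pin):
        if not self.prefs.get("pin_required", False):
            return True                        # flag gone -> no prompt at all
        return entered_pin == self.prefs.get("purchase_pin")

def account_record(pin, salt, required=True):
    """Server-side record: salted PIN hash bound to the account, not the device."""
    digest = hashlib.sha256((salt + pin).encode()).hexdigest()
    return {"pin_required": required, "salt": salt, "pin_hash": digest}

class AccountPinGate:
    """Fix the OP proposes: the requirement is verified against the account record."""
    def __init__(self, server_records, account):
        self.server, self.account, self.prefs = server_records, account, {}

    def purchase_allowed(self, entered_pin):
        rec = self.server[self.account]       # survives any local wipe
        if not rec["pin_required"]:
            return True
        digest = hashlib.sha256((rec["salt"] + str(entered_pin)).encode()).hexdigest()
        return hmac.compare_digest(digest, rec["pin_hash"])
```

After `clear_data`, the local gate approves a purchase with no PIN at all, while the account-bound gate still rejects a wrong PIN and accepts only the right one.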

wwjoshdew (Recognized Contributor), #2
Good find, man! Definitely opens up my eyes, as my little brother has a phone with my Google account on it because of all the apps I've bought, and I enabled the PIN feature on it.

flastnoles11 (Senior Member), #3
Wow... way to drop the ball on that one, Google!!!

zanderman112 (Recognized Themer - OP), #4
Yeah. Not sure whether they've ever thought of it or not.

Jagay (Junior Member), #5
What? I haven't made any purchases yet, but my friends come to me on some days and they could buy paid apps. This must be fixed soon.

Quinny899 (Recognized Contributor), #6
I notice this a lot when I update my ROM. Because it doesn't come packaged with gapps (well, it wouldn't; it's illegal to do that), the data gets cleared when you reinstall the Play Store, thus no more PIN. As I update daily, I never have the PIN for more than one day, which is a major security flaw IMO.

koningjim (Senior Member), #7
Indeed. Maybe Google needs to be informed of this!

wwjoshdew (Recognized Contributor), #8
You should DEFINITELY post that issue on the Google Support page!
Kinda like this one: http://code.google.com/p/android/issues/detail?id=27431

zanderman112 (Recognized Themer - OP), #9
Reported to Google:

http://code.google.com/p/android/iss...&ts=1349027733

A5J4DX (Senior Member), #10
Wow, how dumb of Google.