Play Store vulnerability.

Search This thread

zanderman112

Senior Member
Oct 6, 2010
7,958
1,844
SouthEast USA
www.twitter.com
I recently was thinking about something, I decided to test it out.

On the Play Store app, you can choose to add a pin number, and make this pin be required to make purchases.
This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
However, there is a flaw in this. The aforementioned pin number is stored locally on the device, whilst the credit card info is connected to your google account, and obviously your carrier billing options are stored online.

All someone has to do to be able to make purchases on a supposed secure play store is go to Settings>Applications>All>Google Play Store and click clear data. No more pin.

its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
gIJ5.PNG


The fix to this would obviously be that google have the pin be connected to your google account, instead of stored locally on the device.

Reported to Google. PLEASE STAR THE ISSUE! Will help it get to the people that can fix the problem!

http://code.google.com/p/android/issues/detail?id=38025&thanks=38025&ts=1349027733
 
Last edited:

Quinny899

Recognized Developer / Recognized Contributor
Jan 26, 2011
8,489
7,724
23
Salford, Greater Manchester, UK
quinny898.co.uk
I notice this a lot when I update my ROM. Because it doesn't come packaged with gapps (well it wouldn't, it's illegal to do that), the data gets cleared when you reinstall the play store, thus no more pin. As I update daily, I never have the pin for more than one day, which is a major security flaw IMO

Sent from my Galaxy Nexus using Tapatalk 2
 

trter10

Senior Member
Jan 25, 2012
674
464
I recently was thinking about something, I decided to test it out.

On the Play Store app, you can choose to add a pin number, and make this pin be required to make purchases.
This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
However, there is a flaw in this. The aforementioned pin number is stored locally on the device, whilst the credit card info is connected to your google account, and obviously your carrier billing options are stored online.

All someone has to do to be able to make purchases on a supposed secure play store is go to Settings>Applications>All>Google Play Store and click clear data. No more pin.

The fix to this would obviously be that google have the pin be connected to your google account, instead of stored locally on the device.

Reported to Google:

http://code.google.com/p/android/issues/detail?id=38025&thanks=38025&ts=1349027733
its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
gIJ5.PNG
 
Last edited:

cccy

Senior Member
Apr 9, 2009
126
33
Actually, I believe that function is more of a "Child Lock". The screen lock/wipe is supposedly what prevents stolen phones from being used. In most cases, someone that usually knows your password (Of course, adb enabled phones can have their screen lock disabled). That's usually your kids that use your phone for games, watching videos, etc. That's what the pin is for - blocking them from downloading paid stuff without your knowledge. I suppose Google doesn't think that they would be the ones who will be hacking your phone, and of course, not be the ones who steal your phone.
 

Quinny899

Recognized Developer / Recognized Contributor
Jan 26, 2011
8,489
7,724
23
Salford, Greater Manchester, UK
quinny898.co.uk
We need to get this big, it needs as many people as possible to star it. We really need to get this on the portal and everywhere else

Sent from my ARCHOS 80G9 using Tapatalk 2

---------- Post added at 04:45 PM ---------- Previous post was at 04:35 PM ----------

Tweeted to xda, android, android police, androidauth, retweet this
https://twitter.com/Quinny898/status/253157268806328320
Sent from my ARCHOS 80G9 using Tapatalk 2
 

Top Liked Posts

  • There are no posts matching your filters.
  • 15
    I recently was thinking about something, I decided to test it out.

    On the Play Store app, you can choose to add a pin number, and make this pin be required to make purchases.
    This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
    However, there is a flaw in this. The aforementioned pin number is stored locally on the device, whilst the credit card info is connected to your google account, and obviously your carrier billing options are stored online.

    All someone has to do to be able to make purchases on a supposed secure play store is go to Settings>Applications>All>Google Play Store and click clear data. No more pin.

    its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
    gIJ5.PNG


    The fix to this would obviously be that google have the pin be connected to your google account, instead of stored locally on the device.

    Reported to Google. PLEASE STAR THE ISSUE! Will help it get to the people that can fix the problem!

    http://code.google.com/p/android/issues/detail?id=38025&thanks=38025&ts=1349027733
    2
    We need to get this big, it needs as many people as possible to star it. We really need to get this on the portal and everywhere else

    Sent from my ARCHOS 80G9 using Tapatalk 2

    ---------- Post added at 04:45 PM ---------- Previous post was at 04:35 PM ----------

    Tweeted to xda, android, android police, androidauth, retweet this
    https://twitter.com/Quinny898/status/253157268806328320
    Sent from my ARCHOS 80G9 using Tapatalk 2
    2
    its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
    gIJ5.PNG

    I was just coming to post this same thing... glad somebody else seen this also...
    2
    I recently was thinking about something, I decided to test it out.

    On the Play Store app, you can choose to add a pin number, and make this pin be required to make purchases.
    This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
    However, there is a flaw in this. The aforementioned pin number is stored locally on the device, whilst the credit card info is connected to your google account, and obviously your carrier billing options are stored online.

    All someone has to do to be able to make purchases on a supposed secure play store is go to Settings>Applications>All>Google Play Store and click clear data. No more pin.

    The fix to this would obviously be that google have the pin be connected to your google account, instead of stored locally on the device.

    Reported to Google:

    http://code.google.com/p/android/issues/detail?id=38025&thanks=38025&ts=1349027733
    its also stored in plain text! /data/data/com.android.vending/shared_prefs/finsky.xml
    gIJ5.PNG
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone