android - safe to d/l an app that can be an account authenticator?

memyselfi
I'd like to download an android social app from Play.
It lists the ability to act as an account authenticator, including obtaining passwords of my other accounts.

Is it possible that it would pass on passwords to other apps/websites?
I assume it is technically possible.

If so, what is stopping it from doing so and would it be possible to detect that it had done so?
The app probably can't get your other passwords.

From the documentation of the getPassword method ...
This method requires the caller to hold the permission AUTHENTICATE_ACCOUNTS and to have the same UID as the account's authenticator. Remember the UID is the app's ID to the DVM, so one app can't get the authentication password of another app.

I *assume* it can get some kind of MD5 hash of your passwords to do auto-logins, but not the passwords themselves.

As for detection, you would need to monitor all WiFi and 3G traffic to check what the app was broadcasting, not trivial.

Cheers,
   Chris

Author

Commented:
@tampnic - thx for comment. Sorry for delay. Didn't notice notification.

FYI the app in question is Twitter for Android. It states that it will act as an account authenticator, getting & setting passwords, and manage the accounts list, use the authentication credentials of an account.

Sounds like it will be aware of all accounts/passwords used by my phone, with the possible exception of my Google mail accounts.
Unless you have rooted your phone and the app is running as root, it will not be able to read your other passwords.

The app is using Android's central Account Manager to maintain its login credentials. That means it registers itself in the Account Manager database and might retrieve *authentication tokens* for other apps and attempt to start them logged in on your behalf. It can't read the passwords, only acquire authentication tokens of other apps registered in the Account Manager. I believe an app needs to be registered with the Account Manager to appear in the "Settings -> Accounts and sync" menu as well.

Cheers,
   Chris

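The boundary Chris describes, as an added example that is not part of the thread: a non-authenticator app calling `getPassword` on another app's account gets a `SecurityException`, while the sanctioned `getAuthToken` path goes through the account owner's authenticator (and, for a caller with a different UID, a user consent screen). The account type and token type names are hypothetical placeholders.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerCallback;
import android.accounts.AccountManagerFuture;
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;

/** Added example (not from this thread): probes the AccountManager boundary discussed above. */
public class AccountBoundaryDemo {
    private static final String TAG = "AccountBoundaryDemo";
    // Hypothetical account type owned by some *other* app's authenticator.
    private static final String OTHER_TYPE = "com.example.otherapp";
    private static final String TOKEN_TYPE = "com.example.otherapp.token";

    /** Returns the stored password only if this app IS the authenticator for the account. */
    public static String tryReadPassword(Activity activity, Account account) {
        AccountManager am = AccountManager.get(activity);
        try {
            // Only the authenticator's own UID may call this; any other app gets SecurityException.
            return am.getPassword(account);
        } catch (SecurityException e) {
            Log.i(TAG, "getPassword denied: this app is not the authenticator for " + account.type);
            return null;
        }
    }

    /** The sanctioned path: ask the owning authenticator for a token; the user may be prompted. */
    public static void requestToken(Activity activity) {
        AccountManager am = AccountManager.get(activity);
        // Before API 26 this needs GET_ACCOUNTS; from API 26 the authenticator controls visibility.
        Account[] accounts = am.getAccountsByType(OTHER_TYPE);
        if (accounts.length == 0) {
            Log.i(TAG, "no accounts of type " + OTHER_TYPE + " visible to this app");
            return;
        }
        am.getAuthToken(accounts[0], TOKEN_TYPE, null, activity,
                new AccountManagerCallback<Bundle>() {
                    @Override
                    public void run(AccountManagerFuture<Bundle> future) {
                        try {
                            Bundle result = future.getResult();
                            String token = result.getString(AccountManager.KEY_AUTHTOKEN);
                            // Never log the token itself; only whether one was granted.
                            Log.i(TAG, "token granted: " + (token != null));
                        } catch (Exception e) {
                            Log.i(TAG, "token request failed or was denied: " + e);
                        }
                    }
                }, null);
    }
}
```

Passing the `Activity` lets the system show the consent or login UI; passing `null` instead makes the authenticator return an intent for the caller to launch.
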
Author

Commented:
thanks for the clarification. I admit I am suspicious of social apps hoovering up info whenever they can.
