How secure is GoogleAuthUtils.getToken() if the application is decompiled?

I am currently creating an Android application that requests data from my internal server. Of course, I want to know whether a request received by my server really comes from my application or whether someone is just sending HTTP requests from another server, etc. I am reading Tim Bray's articles on this topic, but I want to know how secure this approach is. The article mentions that a rooted device could compromise security, but I was thinking of the following scenario:

  • An attacker takes my application, decompiles it completely, and detects that I am using GoogleAuthUtils
  • He/she modifies the application to crack it and deploys it on his/her device (using the same package name, etc.).

I know that the signature of the fake application will be different (because the malicious person does not have my private key) and that it cannot be downloaded from the Play Store (because two applications with the same package name cannot be published there).

If the device is not rooted: does this fake application get the same (or any) result from GoogleAuthUtils.getToken() as my real application?

What changes could the hacker apply to the response on a rooted device (I could also ask: which response fields are signed by Google, so that I can detect whether they have been tampered with)?

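On the "which fields are signed" point: in a Google ID token every claim (iss, aud, azp, sub, email, exp) sits inside the signed payload, so the backend first verifies the signature and then checks the claims against its own registered client IDs. The following is an added Python example, not code from the question or the answer; the client IDs, key and claims are constructed, and it signs with HS256 so it runs offline, whereas Google signs real tokens with RS256 against its published public keys.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values; the real ones are the OAuth client IDs registered in the
# Google API console (the app asks for scope "audience:server:client_id:<SERVER_CLIENT_ID>").
SERVER_CLIENT_ID = "1234567890-server.apps.googleusercontent.com"
ANDROID_CLIENT_ID = "1234567890-android.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
DEMO_KEY = b"constructed-demo-key-not-a-google-key"
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "aud": SERVER_CLIENT_ID,
                 "azp": ANDROID_CLIENT_ID, "sub": "123412341234333", "exp": 1458340206,
                 "email": "user@example.com", "email_verified": True}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Test fixture only: Google signs real ID tokens with RS256; HS256 is an offline stand-in."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_google_id_token(token: str, key: bytes, now=None):
    """Return ("ok", claims) or (reason, None); header and payload are both under the signature."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return ("malformed", None)
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return ("unexpected alg", None)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return ("bad signature", None)
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return ("wrong issuer", None)
    if claims.get("aud") != SERVER_CLIENT_ID:  # was it minted for this backend?
        return ("wrong audience", None)
    if claims.get("azp") != ANDROID_CLIENT_ID:  # requested through the registered app client?
        return ("unexpected authorized party", None)
    if now >= int(claims.get("exp", 0)):
        return ("expired", None)
    return ("ok", claims)
```

A payload edited on the client (for example a swapped email) fails the signature check before any claim is looked at, which is why the backend, not the app, is the place to decide whom to trust.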


edit2:

03-17 18:08:05.195 3315-3498/org.example.myapp E/GoogleOAuthTask: Error getting token
com.google.android.gms.auth.UserRecoverableAuthException: NeedPermission
    at com.google.android.gms.auth.GoogleAuthUtil$1.zzam(Unknown Source)
    at com.google.android.gms.auth.GoogleAuthUtil$1.zzan(Unknown Source)
    at com.google.android.gms.auth.GoogleAuthUtil.zza(Unknown Source)
    at com.google.android.gms.auth.GoogleAuthUtil.zza(Unknown Source)
    at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
    at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
    at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
    at org.example.myapp.shared.security.authentication.google.GoogleOAuthTask.doInBackground(GoogleOAuthTask.java:39)
    at org.example.myapp.shared.security.authentication.google.GoogleOAuthTask.doInBackground(GoogleOAuthTask.java:20)
    at android.os.AsyncTask$2.call(AsyncTask.java:288)
    at java.util.concurrent.FutureTask.run(FutureTask.java:237)
    at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
    at java.lang.Thread.run(Thread.java:841)


try {
    // "oauth2:profile email" requests an OAuth2 access token for the chosen account;
    // emails[0] is the account name the user picked.
    token = GoogleAuthUtil.getToken(context, emails[0], "oauth2:profile email");
    // clearToken() drops this token from the local cache so the next call fetches a
    // fresh one; a token meant for the backend should not be cleared before it is used.
    GoogleAuthUtil.clearToken(context, token);
} catch (final UserRecoverableAuthException e) {
    // The user has not granted the permission yet: show the consent screen Google hands
    // back. startActivityForResult() is an Activity method, so `context` must be the
    // hosting Activity here.
    final Intent intent = e.getIntent();
    context.startActivityForResult(intent, MyApplicationRequestCodes.SECURITY_OAUTH_PERMISSION);
} catch (final GoogleAuthException e) {
    // Unrecoverable authentication failure.
    Log.e(LOG_TAG, "Error getting token", e);
} catch (final IOException e) {
    // Network or other transient problem; retrying later is reasonable.
    Log.e(LOG_TAG, "Error getting token", e);
}


@Override
public void onActivityResult(int requestCode, int resultCode, Intent data) {
    // `data` can be null (for instance when the consent dialog is dismissed), so do not
    // call data.toString() here; string concatenation prints "null" safely.
    Log.d(LOG_TAG, "returning from an activity. (requestCode=" + requestCode + ", resultCode=" + resultCode + ", data=" + data + ")");

    if (requestCode == SECURITY_OAUTH_PERMISSION && resultCode == RESULT_OK) {
        login(); // permission granted: retry getToken()
    }

    if (requestCode == SECURITY_OAUTH_PERMISSION && resultCode == RESULT_CANCELED) {
        authenticationHandler.onUserCanceled(new AuthenticationError(
                AuthenticationErrorEnum.USER_ERROR,
                "User closed permission dialog."
        ));
    }
}


firebase:

AuthData{uid='google:123412341234333', provider='google', token='***', expires='1458340206', auth='{uid=google: 123412341234333, provider=google}', providerData='{id=987234987032972034097234, accessToken=I_REMOVED_THE_TOKEN_STRING, displayName=Stefan Heimberg, email=kontakt@stefanheimberg.ch, cachedUserProfile={id= 987234987032972034097234, email=kontakt@stefanheimberg.ch, verified_email=true, name=Stefan Heimberg, given_name=Stefan, family_name=Heimberg, picture=https://lh4.googleusercontent.com/--XEA5G7LkjI/AAAAAAAAAAI/AAAAAAAAAAs/dpvdzBNpd6U/photo.jpg, locale=de}, profileImageURL=https://lh4.googleusercontent.com/--XEA5G7LkjI/AAAAAAAAAAI/AAAAAAAAAAs/dpvdzBNpd6U/photo.jpg}'}

