Our recent posts covered NFC too the secure element every bit supported inwards recent Android versions, including community ones. In this two-part serial nosotros will take a completely unlike direction: managing online user accounts and accessing Web services. We volition briefly hash out how Android manages user credentials too and so exhibit how to work cached authentication details to log inwards to most Google sites without requiring additional user input. Most of the functionality nosotros shall hash out is hardly novel -- it has been available at to the lowest degree since Android 2.0. But spell at that topographic point is ample documentation on how to work it, at that topographic point doesn't run into to live a 'bigger picture' overview of how the pieces are tied together. This somewhat detailed investigation was prompted past times trying to develop an app for a widely used Google service that unfortunately doesn't take keep an official API too struggling to uncovering a way to login to it using cached Google credentials. More on this inwards the second part, let's offset run into how Android manages accounts for online services.
Google provides a multitude of online services (not all of which move for long), too consequently a bunch of different methods to authenticate to those. Android's Google Login Service, nonetheless doesn't telephone band those world authentication API's directly, but via a dedicated online service, which lives at
All of the higher upward is hardly surprising: when you lot are dealing amongst online services it is exclusively natural to take keep every bit much every bit possible of the authentication logic on the server side, both for ease of maintenance too to move on it secure. Still, to boot start it you lot demand to shop some kind of credentials on the device, especially when you lot back upward background syncing for practically everything too you lot cannot hold off people to move inwards them manually. On-device credential management is ane of the services GLS provides, so let's run into how it is implemented. As mentioned above, GLS plugs into the organisation concern human relationship framework, so cached credentials, tokens too associated extra information are stored inwards the system's
Let's expression into the cached credential strings a chip more. The encrypted password is 133 bytes long, too thence it is a fair bet that it is encrypted amongst the 1024-bit (128 bytes) RSA world key mentioned above, amongst some extra information appended. Adding multiple accounts that work the same password produces unlike password strings (which is a proficient thing), but the offset few bytes are ever the same, fifty-fifty on unlike devices. It turns out those position the encryption key too are derived past times hashing its raw value too taking the leading bytes of the resulting hash. At to the lowest degree from our express sample of Android devices, it would seem that the RSA world key used is constant both across Android versions too accounts. We tin safely assume that its soul counterpart lives on the server side too is used to decrypt sent passwords earlier performing the actual authentication. The padding used is OAEP (with SHA1 too MGF1), which produces random-looking messages too is currently considered secure (at to the lowest degree when used inwards combination amongst RSA) against most advanced cryptanalysis techniques. It also has quite a chip of overhead, which inwards practise way that the GLS encryption scheme tin encrypt at most 86 bytes of data. The outlined encryption scheme is non just military-grade too at that topographic point is the number of millions of devices most likely using the same key, but recovering the original password should live sufficiently difficult to discourage most attackers. However, let's non forget that nosotros also take keep a somewhat friendlier SHA1 hash available. It turns out it tin live easily reproduced past times 'salting' the Google concern human relationship password amongst the concern human relationship call (typically GMail address) too doing a unmarried circular of SHA1. This is considerably easier to hit too it wouldn't live too difficult to precompute a bunch of hashes based on commonly used or potential passwords if you lot knew the target concern human relationship name.
Fortunately, newer version of Android (4.0 too later) no longer shop this hash on the device. Instead of the encrypted password+SHA1 hash combination they shop an opaque 'master token' (most likely some cast of OAuth token) inwards the password column too commutation it for authentication tokens for unlike Google services. It is non clear whether this token ever expires or if it is updated automatically. You can, however, revoke it manually past times going to the second part for details).
Android concern human relationship management
Android 2.0 (API Level 5, largely non-existent, because it was rapidly succeeded past times 2.0.1, Level 6), introduced the concept of centralized concern human relationship management amongst a world API. The key slice inwards the API is the
The
As nosotros mentioned above, concern human relationship management is coordinated past times the
AccountManager degree which, quote: 'provides access to a centralized registry of the user's online accounts. The user enters credentials (user call too password) ane time per account, granting applications access to online resources amongst "one-click" approval.' You should definitely read the total documentation of the class, which is quite extensive, for to a greater extent than details. Another major characteristic of the degree is that it lets you lot larn an authentication token for supported accounts, allowing 3rd political party applications to authenticate to online services without needing to grip the actual user password (more on this later). It also has a whole of five methods that allow you lot to larn an authentication token, all but ane amongst at to the lowest degree four parameters, so finding the ane you lot demand mightiness bring some time, amongst yet some to a greater extent than to larn the parameters right. It mightiness live a proficient thought to start amongst the synchronous blockingGetAuthToken() too piece of work your way from at that topographic point ane time you lot take keep a basic working flow. On some older Android versions, the AccountManager would also monitor your SIM carte du jour too wipe cached credentials if you lot swapped cards, but fortunately this 'feature' has been removed inwards Android 2.3.4.The
AccountManager, every bit most Android organisation API's, is simply a facade for the AccountManagerService which does the actual work. The service doesn't render an implementation for whatsoever particular cast of authentication though. It exclusively acts every bit a coordinator for a number of pluggable authenticator modules for unlike account types (Google, Twitter, Exchange, etc.). The best component subdivision is that whatsoever application tin register an authentication module past times implementing an account authenticator too related classes, if needed. Android Training has a tutorial on the dependent area that covers the implementation details, so nosotros volition non hash out them here. Registering a novel concern human relationship type amongst the organisation lets you lot bring payoff of a number of Android infrastructure services:- centralized credential storage inwards a organisation database
- ability to number tokens to 3rd political party apps
- ability to bring payoff of Android's automatic background synchronization
/data/system/accounts.db or /data/system/user/0/accounts.db on Jelly Bean too after for the offset organisation user), that is exclusively accessible to organisation applications, credentials are inwards no way encrypted -- that is left to the authentication module to implement every bit necessary. If you lot take keep a rooted device (or work the emulator) listing the contents of the accounts tabular array mightiness live quite instructive: some of your passwords, especially for the stock Email application, volition exhibit upward inwards clear text. While the AccountManger has a getPassword() method, it tin exclusively live used past times apps amongst the same UID every bit the account's authenticator, i.e., exclusively past times classes inwards the same app (unless you lot are using sharedUserId, which is non recommended for non-system apps). If you lot desire to allow 3rd political party applications to authenticate using your custom accounts, you lot take keep to number some kind of authentication token, accessible via ane of the many getAuthToken() methods. Once your concern human relationship is registered amongst Android, if you lot implement an additional sync adapter, you lot tin register to take keep it called at a specified interval too hit background syncing for you lot app (one- or two-way), without needing to care scheduling yourself. This is a real powerful characteristic that you lot larn practically for free, too likely merits its ain post. As nosotros at nowadays take keep a basic agreement of authentication modules, let's run into how they are used past times the system. As nosotros mentioned above, concern human relationship management is coordinated past times the
AccountManagerService. It is a fairly complex slice of code (about 2500 lines inwards JB), most of the complexity stemming from the fact that it needs to communicate amongst services too apps that bridge multiple processes too threads inside each process, too needs to bring attention of synchronization too delivering results to the correct thread. If nosotros abstract out the boilerplate code, what it does on a higher aeroplane is truly fairly straightforward:- on startup it queries the
PackageManagerto uncovering out all registered authenticators, too stores references to them inwards a map, keyed past times concern human relationship type - when you lot add together an concern human relationship of a particular type, it saves its type, username too password to the
accountstable - if you lot get, laid or reset the password for an account, it accesses or updates the
accountstabular array accordingly - if you lot larn or laid user information for the account, it is fetched from or saves to the
extrastable - when you lot asking a token for a particular account, things move a chip to a greater extent than interesting:
- if a token amongst the specified type has never been issued before, it shows a confirmation activeness asking (see screenshot below) the user to approve access for the requesting application. If they accept, the UID of the requesting app too the token type are saved to the
grantstable. - if a grant already exits, it checks the
authtokentabular array for tokens matching the request. If a valid ane exists, it is returned. - if a matching token is non found, it finds the authenticator for the specified concern human relationship type inwards the map too calls its
getAuthToken()method to asking a token. This commonly involves the authenticator fetching the username too password from theaccountstabular array (via thegetPassword()method) too calling its respective online service to larn a fresh token. When ane is returned, it gets cached inwards theauthtokenstabular array too and so returned to the requesting app (usually asynchronously via a callback). - if you lot invalidate a token, it gets deleted from the
authtokenstable
Now that nosotros know how Android's concern human relationship management organisation works, let's run into how it is implemented for the most widely used concern human relationship type.
Google concern human relationship management
AccountManager, too a bunch of Google apps start getting tokens for the services they represent. Of course, all of this industrial plant amongst the assist of an authentication provider for Google accounts. Since it plugs inwards the criterion concern human relationship management framework, it industrial plant past times registering an authenticator implementation too using it involves the sequence outlined above. However, it is also a petty chip special. Three principal things move far different:- it is non component subdivision of whatsoever particular app you lot tin install, but is bundled amongst the system
- a lot of the actual functionality is implemented on the server side
- it does non shop passwords inwards plainly text on the device
Google provides a multitude of online services (not all of which move for long), too consequently a bunch of different methods to authenticate to those. Android's Google Login Service, nonetheless doesn't telephone band those world authentication API's directly, but via a dedicated online service, which lives at
android.clients.google.com. It has endpoints both for authentication too potency token issuing, every bit good every bit information feed (mail, calendar, etc.) synchronization, too more. As nosotros shall see, the supported methods of authentication are somewhat unlike from those available via other world Google authentication API's. Additionally, it supports a few 'special' token types that greatly simplify some complex authentication flows.All of the higher upward is hardly surprising: when you lot are dealing amongst online services it is exclusively natural to take keep every bit much every bit possible of the authentication logic on the server side, both for ease of maintenance too to move on it secure. Still, to boot start it you lot demand to shop some kind of credentials on the device, especially when you lot back upward background syncing for practically everything too you lot cannot hold off people to move inwards them manually. On-device credential management is ane of the services GLS provides, so let's run into how it is implemented. As mentioned above, GLS plugs into the organisation concern human relationship framework, so cached credentials, tokens too associated extra information are stored inwards the system's
accounts.db database, simply every bit for other concern human relationship types. Inspecting it reveals that Google accounts take keep a bunch of Base64-encoded strings associated amongst them. One of the user information entries (in the extras table) is helpfully labeled sha1hash (but does non be on all Android versions) too the password (in the accounts table) is a long string that takes unlike formats on unlike Android versions. Additionally, the GSF database has a google_login_public_key entry, which when decoded suspiciously resembles a 1024-bit RSA world key. Some to a greater extent than experimentation reveals that credential management industrial plant differently on pre-ICS too post-ICS devices. On pre-ICS devices, GLS stores an encrypted version of your password too posts it to the server side endpoints both when authenticating for the offset fourth dimension (when you lot add together the account) too when it needs to take keep a token for a particular service issued. On post-ICS devices, it exclusively posts the encrypted password the offset time, too gets a 'master token' inwards exchange, which is too so stored on the device (in the password column of the accounts database). Each subsequent token asking uses that master copy token instead of a password.Let's expression into the cached credential strings a chip more. The encrypted password is 133 bytes long, too thence it is a fair bet that it is encrypted amongst the 1024-bit (128 bytes) RSA world key mentioned above, amongst some extra information appended. Adding multiple accounts that work the same password produces unlike password strings (which is a proficient thing), but the offset few bytes are ever the same, fifty-fifty on unlike devices. It turns out those position the encryption key too are derived past times hashing its raw value too taking the leading bytes of the resulting hash. At to the lowest degree from our express sample of Android devices, it would seem that the RSA world key used is constant both across Android versions too accounts. We tin safely assume that its soul counterpart lives on the server side too is used to decrypt sent passwords earlier performing the actual authentication. The padding used is OAEP (with SHA1 too MGF1), which produces random-looking messages too is currently considered secure (at to the lowest degree when used inwards combination amongst RSA) against most advanced cryptanalysis techniques. It also has quite a chip of overhead, which inwards practise way that the GLS encryption scheme tin encrypt at most 86 bytes of data. The outlined encryption scheme is non just military-grade too at that topographic point is the number of millions of devices most likely using the same key, but recovering the original password should live sufficiently difficult to discourage most attackers. However, let's non forget that nosotros also take keep a somewhat friendlier SHA1 hash available. It turns out it tin live easily reproduced past times 'salting' the Google concern human relationship password amongst the concern human relationship call (typically GMail address) too doing a unmarried circular of SHA1. This is considerably easier to hit too it wouldn't live too difficult to precompute a bunch of hashes based on commonly used or potential passwords if you lot knew the target concern human relationship name.
Fortunately, newer version of Android (4.0 too later) no longer shop this hash on the device. Instead of the encrypted password+SHA1 hash combination they shop an opaque 'master token' (most likely some cast of OAuth token) inwards the password column too commutation it for authentication tokens for unlike Google services. It is non clear whether this token ever expires or if it is updated automatically. You can, however, revoke it manually past times going to the second part for details).
Google Play Services
Google Play Services (we'll abbreviate it to GPS, although the actual bundle is
com.google.android.gms, estimate where the 'M' came from) was announced at this year's Google I/O every bit an slowly to work platform that offers integration amongst Google products for third-party Android apps. It was truly rolled out exclusively a calendar month ago, so it's likely non real widely used yet. Currently it provides back upward for OAuth 2.0 potency to Google API's 'with a proficient user sense too security', every bit good some Google+ plus integration (sign-in too +1 button). Getting OAuth 2.0 tokens via the criterion AccountManager interface has been supported for quite some fourth dimension (though back upward was considered 'experimental') past times using the special 'oauth2:scope' token type syntax. However, it didn't piece of work reliably across unlike Android builds, which take keep unlike GLS versions bundled too this results inwards slightly unlike behaviour. Additionally, the permission grant dialog shown when requesting a token was non specially user friendly, because it showed the raw OAuth 2.0 range inwards some cases, which likely way petty to most users (see screenshot inwards the offset section). While some human-readable aliases for for sure scopes where introduced (e.g., 'Manage your taks' for 'oauth2:https://www.googleapis.com/auth/tasks'), that solution was neither ideal, nor universally available. GPS solves this past times making token issuing a two-step procedure (newer GLS versions also work this process):- the offset asking is much similar before: it includes the concern human relationship name, master copy token (or encrypted password pre-ICS) too requested service, inwards the
'oauth2:scope'format. GPS adds 2 novel parameters: requesting app bundle call too app signing certificate SHA1 hash (more on this later). The reply includes some human readable details close the requested range too requesting application, which GPS shows inwards a permission grant dialog similar the ane shown below. - if the users grants the permission, this determination is recorded inwards the
extrastabular array inwards a proprietary format which includes the requesting app's bundle name, signing certificate hash, OAuth 2.0 range too grant fourth dimension (note that it is non using thegrantstable). GPS too so resends the potency asking setting thehas_permissionparameter to 1. On success this results inwards an OAuth 2.0 token too its move engagement inwards the response. Those are cached inwards theauthtokenstabular array inwards a similar format.
To live able to truly work a Google API, you lot demand to register your app's bundle call too signing key inwards Google's API console. The registration lets services validating the token question Google what app the token was issued for, too thence position the calling app. This has ane subtle, but of import side-effect: you lot don't take keep to embed an API key inwards your app too ship it amongst every request. Of course, for a 3rd political party published app you lot tin easily uncovering out both the bundle call too the signing certificate so it is non specially difficult to larn a token issued inwards the call of another app (not possible via the official API, of course). We tin assume that at that topographic point are some additional checks on the server side that forestall this, but theoretically, if you lot used such a token you lot could, for example, exhaust a third-party app's API asking quota past times issuing a bunch of requests over a curt catamenia of time.
The actual GPS implementation seems to reuse much of the original Google Login Service authentication logic, including the password encryption method, which is silent used on pre-ICS devices (the protocol is, after all, by too large the same too it needs to live able to work pre-existing accounts). On top of that it adds improve OAuth 2.0 support, a version-specific concern human relationship alternative dialog too some prettier too to a greater extent than user friendly permission grant UIs. The GPS app has the Google apps shared UID, so it tin straight interact amongst other proprietary Google services, including GLS too GSF. This allows it, amid other things, to straight larn too write Google concern human relationship credentials too tokens to the accounts database. As tin live expected, GPS runs inwards a remote service that the customer library you lot link into your app accesses. The major selling betoken against the legacy
AccountManager API is that spell its underlying authenticator modules (GLS too GSF) are component subdivision of the system, too every bit such cannot live updated without an OTA, GPS is an user-installable app that tin live easily updated via Google Play. Indeed, it is advertised every bit auto-updating (much similar the Google Play Store client), so app developers presumably won't take keep to rely on users to update it if they desire to work newer features (unless GPS is disabled altogether, of course). This update machinery is to render 'agility inwards rolling out novel platform capabilities', but considering how much fourth dimension the initial roll-out took, it is to live seen how agile the whole affair volition plow out to be. Another affair to sentry out for is characteristic bloat: too OAuth 2.0 support, GPS currently includes G+ too AdMob related features, too spell both are indeed Google-provided services, they are totally unrelated. Hopefully, GPS won't plow into a 'everything Google plus the kitchen sink' type of library, delaying releases fifty-fifty more. With all that said, if your app uses OAuth 2.0 tokens to authenticate to Google API's, which is currently the preferred method (ClientLogin, OAuth 1.0 too AuthSub take keep been officially deprecated), definitely consider using GPS over 'raw' AccountManager access.Summary
Android provides a centralized registry of user online accounts via the
AccountManager class. It lets you lot both larn tokens for existing accounts without having to grip the actual credentials too register your ain concern human relationship type, if needed. Registering an concern human relationship type gives you lot access to powerful organisation features, such every bit authentication token caching too automatic background synchronization. 'Google experience' devices come upward amongst built-in back upward for Google accounts, which lets 3rd political party apps access Google online services without needing to straight asking authentication information from the user. The latest add-on to this infrastructure is the lately released Google Play Services app too companion customer library, which aim to move far slowly to work OAuth 2.0 from 3rd political party applications. We've at nowadays presented an overview of how the concern human relationship management organisation works, too the side past times side measurement is to exhibit how to truly work it to access a existent online service. That volition live the topic of the second article inwards the series.
Tag :
android security
0 Komentar untuk "Droidcedas : Android Online Work Concern Human Relationship Management"