During his recent presentation at Def Con in Las Vegas, he demonstrated that a security flaw in Android's single sign-on (SSO) feature can result in attackers compromising users' Google Apps account and through it even the organization that employs them.
The SSO feature allows users to authenticate into third-party apps by using their Google account credentials without actually revealing them. The system generates a "weblogin" token (in the form of a cookie) that stands in for them, and allows attackers who can get their hands on it to bypass Google Apps' password request.
The "weblogin" token can be acquired in a number of ways: via a malicious app, a root exploit, physical access to a device that is already logged in using tokens, or via memory extraction tools used by forensics experts.
"Companies using Google for the cloud need to make sure that their IT admins who need to have admin access to the Google Apps control panel do so but not necessarily from their [Android] phones. If they do, then they need to enter a password," Young warned.
If an attacker manages to acquire the token in question, he or she can do a lot of damage via the Google Apps control panel: disable 2-step verification or reset the password, download files, create and modify privileges / roles, create mailing lists, and so on.
To prove that all this is possible he created a proof-of-concept Android app ("Stock View") that can get the token and send it to his remote server, as well as access the user's Google account, and he made it available for sale on Google Play (it has since been removed).
In order to discourage users from downloading it, he hiked up the price to $150 and used a description that indicates that it's spyware. His intention was to prove that it will take Google quite some time to flag the app as suspicious (even though it didn't actually contain a root exploit) and to remove it from the Store.
It's interesting to note that when Young submitted the app on Google Play, he received no data that indicated that Google Bouncer checked the app, and that the app was ultimately live on Google Play for a month. He also says that Android Verify now detects it as spyware, but fails to spot it as such if the app is renamed.
Several of the Android AV apps have failed to detect anything suspicious about the app, and only one privacy app noted that the app has account access.
According to information he shared with Dark Reading, Google has been notified of how the flaw can be misused and has already addressed some things, but has yet to block access to the Google Apps control panel.
Young notes that personal Google accounts can also be targeted with this type of attack, allowing the hackers full access to the user's GMail, Google Drive, Calendar, and so on.
He has the following advice for users who want to protect themselves: never use an admin account on Android, be very skeptical of token requests, stick with ‘trusted’ app stores and vendors, and run antivirus apps to detect root exploits.
If, by any chance, the intruder has already managed to get access, they can be kicked out by resetting passwords and invalidating all sign-in cookies, then checking for mail forwarding rules, recovery email addresses and domain admins he or she might have added to the account.
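One way to work through the cleanup steps just listed, as an added example that is not part of the original article or Young's PoC: it walks a constructed, simplified admin-activity log (the event labels, `_ev` helper and sample entries are assumptions, not Google's real audit-log format) to list what changed after the suspected compromise and the order in which to undo it.

```python
from datetime import datetime

# Changes the article says a token holder can make, each with its undo step.
# Event labels are a constructed, simplified format (not Google's real schema).
ACTIONS = {
    "2SV_DISABLED": "re-enable 2-step verification on the affected account",
    "PASSWORD_RESET": "reset that account's password again",
    "ROLE_GRANTED": "revoke the admin role unless it was approved",
    "FORWARDING_RULE_CREATED": "delete the mail forwarding rule",
    "RECOVERY_EMAIL_CHANGED": "restore the recovery email address",
    "GROUP_CREATED": "delete the mailing list unless it was approved",
}

def triage(events, suspect_from, known_admins):
    """Return (findings, new_admins): events in ACTIONS at or after
    suspect_from, plus admin accounts granted that were not known before."""
    findings, new_admins = [], set()
    for ev in events:
        if ev["event"] not in ACTIONS or datetime.fromisoformat(ev["ts"]) < suspect_from:
            continue
        findings.append((ev["ts"], ev["actor"], ev["event"], ev["target"]))
        if ev["event"] == "ROLE_GRANTED" and ev["target"] not in known_admins:
            new_admins.add(ev["target"])
    return findings, new_admins

def remediation_plan(findings):
    """Ordered cleanup: the two steps that always apply come first, then one
    undo step per kind of change actually observed."""
    plan = ["reset the compromised admin's password",
            "invalidate all sign-in cookies so the stolen token stops working"]
    plan += [ACTIONS[kind] for kind in sorted({f[2] for f in findings})]
    return plan

def _ev(ts, event, target, actor="alice@example.com"):
    return {"ts": ts, "actor": actor, "event": event, "target": target}

# Constructed sample: 'alice' is the admin whose phone leaked the token;
# everything from 3 Aug onward is the attacker acting as her.
SAMPLE_EVENTS = [
    _ev("2013-08-01T09:00:00", "USER_CREATED", "bob@example.com"),
    _ev("2013-08-03T02:11:00", "2SV_DISABLED", "alice@example.com"),
    _ev("2013-08-03T02:12:00", "FORWARDING_RULE_CREATED", "drop@attacker.example"),
    _ev("2013-08-03T02:13:00", "ROLE_GRANTED", "mallory@example.com"),
    _ev("2013-08-03T02:14:00", "RECOVERY_EMAIL_CHANGED", "drop@attacker.example"),
]

def run_demo():
    findings, new_admins = triage(SAMPLE_EVENTS, datetime(2013, 8, 2),
                                  {"alice@example.com"})
    return findings, new_admins, remediation_plan(findings)
```

The benign `USER_CREATED` entry before the suspect window is ignored, while the four later changes each produce a finding and `mallory@example.com` is flagged as an admin nobody on the known list granted.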
For more details about Young's research, a demo of the attack and source code for the PoC app, go here.