What can an app do with the "USE ACCOUNTS ON THE DEVICE" permission?

17
2014-04
  • kilaka

    Can such an app freely read my emails/calendar/message/docs/etc.?

    The "USE ACCOUNTS ON THE DEVICE" permission is also known to developers as android.permission.USE_CREDENTIALS.

    Example of such apps: WhatsApp, MightyText.

  • Answers
  • Dan Hulme

    Android has a centralized system for managing credentials for online services (such as your Google account). One component is called the AccountManager. Some apps can "act as an account authenticator". This means that they understand how to log into a particular online service, and can log in to that service for the AccountManager. Other apps want to use that login information to identify you or perform actions on your behalf, without you having to enter your password every time.

    Example: logging into Google

    Your phone has a built-in app that "acts as an account authenticator" for your Google account. It knows how to log into Google, and it has the email and password you entered when you set up the phone. There's also a YouTube app, which wants to log in to show your favourite videos, and to let you comment, but without having to enter your email and password again.

    This YouTube app talks to the AccountManager and asks if it has any credentials for a Google account. Asking this question requires the "find accounts on the device" permission. The AccountManager has a list of authenticators installed on the phone, which it consults to answer this question. If it does have any credentials, the app will then ask for what's known as an authtoken for the Google account. This request requires the "use accounts on the device" permission.

    The AccountManager then asks you if you want the requesting app (YouTube) to be able to use the requested account (Google account). This might be in a dialog that appears over the app, or in a notification. Alternatively, the app can choose to do nothing if you haven't already answered yes to this question: it might want to ask later at a more convenient time. This step ensures that an app with the "use accounts on the device" permission can't immediately use every account without asking.

    If you say yes, the AccountManager forwards the request to the authenticator (the built-in Google app). What happens next is up to the authenticator and the particular service you're logging into. You might need to log in if you haven't previously done that, and logging in might require a username and password, a photo, an SMS, or something else entirely. Whatever the authenticator does, it can either fail, or give an authtoken back to the requesting app.

    Further checks

    The authenticator and the online service can also control what actions the requesting app can perform. For example, when you connect an app to your Google account, Google lists permissions the app needs (such as "upload videos" for YouTube). Thus, the app can only do the actions listed. However, some services might not have anything like that; for such a service, once you've allowed the app to use your credentials, it can take any action in your name.

    Once the requesting app has obtained the authtoken, it can continue to use it to perform actions in your name without any further interaction from you. That is, once you've agreed that Dan's Twitter Client can post to your Twitter feed, it might run in the background and post further tweets without you knowing. You should only grant the app access to your credentials if you trust it not to do that.

    Summary

    An app with the "use accounts on the device" permission can, once installed, ask you to access an online service (such as Google, Facebook, or Twitter) in your name. You can choose to let it access the service or not. If you do let it access the service, what actions it can take on your behalf might be limited by the service (it's up to the service), and the service might let you revoke that permission later (usually through a list of "connected apps" on the service's website).
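
Added example, not part of the original answer or of any app named on this page: the two-step flow described above, written against the Android AccountManager API in Java, showing where each permission is exercised and where the user's consent decision comes back. The class name TokenRequestActivity and the AUTH_TOKEN_TYPE value are hypothetical, and the sketch assumes a manifest that declares GET_ACCOUNTS and USE_CREDENTIALS on an Android version that still enforces them (both were deprecated in API level 23).

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerCallback;
import android.accounts.AccountManagerFuture;
import android.accounts.AuthenticatorException;
import android.accounts.OperationCanceledException;
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import java.io.IOException;

public class TokenRequestActivity extends Activity {          // hypothetical name
    private static final String TAG = "TokenRequest";
    // Assumption: placeholder. The real token type is defined by the authenticator
    // and the service, and it is what limits the actions the token allows.
    private static final String AUTH_TOKEN_TYPE = "example-token-type";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        AccountManager am = AccountManager.get(this);

        // Step 1 ("find accounts on the device", GET_ACCOUNTS): list accounts only.
        Account[] accounts = am.getAccountsByType("com.google");
        if (accounts.length == 0) {
            Log.i(TAG, "no Google account on this device");
            return;
        }

        // Step 2 ("use accounts on the device", USE_CREDENTIALS): request an authtoken.
        // Passing the Activity lets AccountManager show its consent prompt if the
        // user has not yet allowed this app to use this account.
        am.getAuthToken(accounts[0], AUTH_TOKEN_TYPE, null, this,
                new AccountManagerCallback<Bundle>() {
                    @Override
                    public void run(AccountManagerFuture<Bundle> future) {
                        try {
                            String token = future.getResult()
                                    .getString(AccountManager.KEY_AUTHTOKEN);
                            // The token is a bearer credential: never log its value.
                            Log.i(TAG, "token issued: " + (token != null));
                        } catch (OperationCanceledException e) {
                            Log.i(TAG, "user declined access to the account");
                        } catch (IOException | AuthenticatorException e) {
                            Log.w(TAG, "authenticator could not issue a token", e);
                        }
                    }
                }, null);
    }
}
```

The app receives a token for the requested token type, not the account password; what that token permits is decided by the authenticator and the service.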

  • kilaka

    I found this example in the Android API of what can be done using that permission.

    From my understanding as a developer, this means access to EVERYTHING.

    Once a user has an account's token, he can access any services the account offers: Facebook's stream, Google's emails - EVERYTHING.

  • Stephen Schrauger

    The app will not access any services account. Some apps need this permission because they need to open a new account from their app.


  • Related Question

    Better description of permissions
  • liori

    Is there a list of permissions with more detailed descriptions available? The standard ones don't feel good, and I don't trust developers who write that they need permission X only to do Y--if their app requires permission X, this app will be able to do anything permitted by X, not only Y.

    For example, READ_PHONE_STATE is described as "Allows read only access to phone state" -- but what is included in that phone state? Is it only connected/disconnected? Or maybe it includes the phone number I am actually talking to?


  • Related Answers
  • Matthew Read

    I can't find a good complete list, but you can always search for the permission on developer.android.com. In the case of READ_PHONE_STATE, it does look like the phone number can be read.

  • Lie Ryan

    This blog post tries to explain permissions: http://techpp.com/2010/07/30/android-apps-permissions-secure-private-data/

    If you really need to know the specifics of each permission, you can download and grep Android's source code (it's open source, after all). I think that's the best we can do for now.