Revoke permissions to access Google Accounts

Showing 1-13 of 13 messages
Revoke permissions to access Google Accounts Kookamonga 1/18/12 2:41 PM
Sorry to resurrect an old thread, but there was never an answer to how
a *USER* would be able to revoke access he/she had granted to an app:

http://groups.google.com/group/android-developers/browse_thread/thread/80e559d0317b71c8/38ecbc20429fdc76?lnk=gst&q=revoke+permissions+to+access+google+auth+tokens#38ecbc20429fdc76

(I wasn't able to reply in that thread; this is why I've started a new
thread.)

Thanks for your help.
Re: [android-developers] Revoke permissions to access Google Accounts Kristopher Micinski 1/18/12 2:55 PM
The short answer is:  On stock android, as it stands today, this is impossible.

Apps are written with the idea that the user will accept all the
permissions for an app, permissions are not configuration options, or
dynamically revokable.

There are a few active research projects that target this direction,
however I'm guessing that this is not what you are interested in :-).
If it is you can feel free to email me and I will point you to them,
but this isn't how apps are written today, as it stands.

kris

> --
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To post to this group, send email to android-d...@googlegroups.com
> To unsubscribe from this group, send email to
> android-developers+unsubscribe@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/android-developers?hl=en

Re: [android-developers] Revoke permissions to access Google Accounts TreKing 1/18/12 4:42 PM
On Wed, Jan 18, 2012 at 4:41 PM, Kookamonga <sit...@yahoo.ca> wrote:
how a *USER* would be able to revoke access he/she had granted to an app

Clear the app's data? Uninstall the app?

-------------------------------------------------------------------------------------------------
TreKing - Chicago transit tracking app for Android-powered devices

Re: [android-developers] Revoke permissions to access Google Accounts Nikolay Elenkov 1/18/12 5:18 PM
On Thu, Jan 19, 2012 at 9:42 AM, TreKing <treki...@gmail.com> wrote:
> On Wed, Jan 18, 2012 at 4:41 PM, Kookamonga <sit...@yahoo.ca> wrote:
>>
>> how a *USER* would be able to revoke access he/she had granted to an app
>
>
> Clear the app's data? Uninstall the app?

Those are stored in a system DB, so clearing won't work. Uninstalling
should though. IIRC, three is a broadcast receiver that deletes permissions
when the relevant package is uninstalled.

Re: [android-developers] Revoke permissions to access Google Accounts Nikolay Elenkov 1/18/12 5:19 PM
On Thu, Jan 19, 2012 at 7:55 AM, Kristopher Micinski
<krismi...@gmail.com> wrote:

> There are a few active research projects that target this direction,
> however I'm guessing that this is not what you are interested in :-).

Could you please share those links?

Re: [android-developers] Revoke permissions to access Google Accounts Kristopher Micinski 1/18/12 6:56 PM
One of them is from my end, this is binary rewriting to retrofit apps
with enhanced security policies..

http://www.cs.umd.edu/~jfoster/papers/acplib.pdf

another notable project is CRePE droid, which takes the platform based approach

http://crepedroid.org/crepedroid.html

Though as I said, these are very much research projects at the moment.

kris

> --
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To post to this group, send email to android-d...@googlegroups.com
> To unsubscribe from this group, send email to
> android-developers+unsubscribe@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/android-developers?hl=en

Re: Revoke permissions to access Google Accounts Kookamonga 1/18/12 7:40 PM
Kris:

re: your initial reply, I believe we're talking about different
permissions. It sounds like you're referring to the permissions that a
user must accept when first installing the app. I'm not talking about
those. I'm talking about permission the user has to accept that allows
the app access to the user's Google Account (see screenshots in the
thread I've linked to). In Android terms, this would be as a result of
a call to AccountManager's getAuthToken(...) method.

TreKing:

Uninstalling the app is hardly a solution! First, I'm not even sure if
it will work (because I don't think this permission to access one's
Google Account is stored on the phone), but even if it did, it seems
kind of heavy handed to have to re-install the app if you've
accidentally granted certain permissions...

I was hoping there was some way to do it online through one's Google
Account settings. This is already mentioned in the thread linked to in
my initial post, but this is how one would revoke access to Chrome-To-
Phone, for example...

Oh well, still no satisfactory answer. (To tell you the truth, I don't
understand the "broadcast receiver" answer... )

On Jan 18, 9:56 pm, Kristopher Micinski <krismicin...@gmail.com>
wrote:
> One of them is from my end, this is binary rewriting to retrofit apps
> with enhanced security policies..
>
> http://www.cs.umd.edu/~jfoster/papers/acplib.pdf
>
> another notable project is CRePE droid, which takes the platform based approach
>
> http://crepedroid.org/crepedroid.html
>
> Though as I said, these are very much research projects at the moment.
>
> kris
>
> On Wed, Jan 18, 2012 at 8:19 PM, Nikolay Elenkov
>
>
>
>
>
>
>
> <nikolay.elen...@gmail.com> wrote:
> > On Thu, Jan 19, 2012 at 7:55 AM, Kristopher Micinski
Re: [android-developers] Revoke permissions to access Google Accounts Nikolay Elenkov 1/18/12 7:45 PM
On Thu, Jan 19, 2012 at 11:56 AM, Kristopher Micinski
<krismi...@gmail.com> wrote:
> One of them is from my end, this is binary rewriting to retrofit apps
> with enhanced security policies..
>
> http://www.cs.umd.edu/~jfoster/papers/acplib.pdf
>
> another notable project is CRePE droid, which takes the platform based approach
>
> http://crepedroid.org/crepedroid.html
>

Thanks. This is interesting stuff.

Re: [android-developers] Re: Revoke permissions to access Google Accounts Kristopher Micinski 1/18/12 7:48 PM
Kookamonga,

I'm sorry about that!  I read that after considering your email, sorry
I didn't see it sooner, I've responded to variants of that question a
few times over the past month, so this is why I was thinking
incorrectly in that mode :-).

To your question, I believe the answer is much the same, however I
will try digging to see if I can find anything else as I haven't
investigated that area for a while, and feel bad about misinterpreting
you :-P..

kris

Re: [android-developers] Re: Revoke permissions to access Google Accounts Nikolay Elenkov 1/18/12 8:04 PM
On Thu, Jan 19, 2012 at 12:40 PM, Kookamonga <sit...@yahoo.ca> wrote:

>
> Oh well, still no satisfactory answer. (To tell you the truth, I don't
> understand the "broadcast receiver" answer... )

You only get what you pay for :) There's two sides of the OAuth token
story: server side and Android (AccountManager) side. You can revoke
access you've granted to apps here, it's not just for Chrome-to-phone,
and just for Android apps, but Web, etc. as well:

https://www.google.com/accounts/IssuedAuthSubTokens

On Android, when you call AccountManager.getAuthToken() you will be
presented with a screen saying something like 'Application foo wants to
access your Google Reader auth tokens'. If you click 'Allow', AccountManager
will insert a line in its database with the UID of your app, thus granting
you access to those tokens. Next time you call getAuthToken(), there
will be no confirmation screen, since you already have the necessary
permission. For example, this line  means that the app with UID 10062
has access to Google Reader tokens from account 1 (your primary
Google account)

.schema grants
CREATE TABLE grants (  accounts_id INTEGER NOT NULL, auth_token_type STRING NOT
NULL,  uid INTEGER NOT NULL,  UNIQUE (accounts_id,auth_token_type,uid));

1|reader|10062

There is currently now way to revoke that permission
(i.e., delete the line from the DB using a public API).
However (*I think*), if you uninstall the app, the AccountManager
will be notified and delete your app from the grants DB,
effectively revoking access.

Re: [android-developers] Re: Revoke permissions to access Google Accounts TreKing 1/18/12 8:15 PM
On Wed, Jan 18, 2012 at 9:40 PM, Kookamonga <sit...@yahoo.ca> wrote:
Uninstalling the app is hardly a solution!

Sure it is! It solves the problem you posed! That's a solution, kinda by definition!
 
First, I'm not even sure if it will work (because I don't think this permission to access one's Google Account is stored on the phone),

 I just tried with the AppBrain app. It does work.

but even if it did, it seems kind of heavy handed to have to re-install the app if you've accidentally granted certain permissions...

Perhaps, but it works. I would assume if you didn't trust an app to the point that you wanted to revoke the permissions granted to it, you would want to uninstall it anyway.
Re: Revoke permissions to access Google Accounts Kookamonga 1/18/12 9:07 PM
Nikolay:

Thanks for the explanation. While I was aware about the server/client
sides to AuthToken, I didn't know the specifics of how it worked on
the Android side... Very informative! Much appreciated. Also, I was
aware of that Google website, but it didn't have the app that I
granted permission listed... which is why I posed the question in the
first place. Even my Google Accounts dashboard (which lists, for
example, Chrome-To-Phone), does NOT list this other app.

TreKing:

:-) Looks like uninstalling is in fact the only solution, given what
Nikolay says about the way the grants DB works. So thank you as well
for first suggesting it.

Kris:

No apologies needed at all; I appreciate you spending the time to
respond in the first place.

Thanks everyone, looks like we can close the books on this question.

On Jan 18, 11:15 pm, TreKing <treking...@gmail.com> wrote:
> On Wed, Jan 18, 2012 at 9:40 PM, Kookamonga <site...@yahoo.ca> wrote:
> > Uninstalling the app is hardly a solution!
>
> Sure it is! It solves the problem you posed! That's a solution, kinda by
> definition!
>
> > First, I'm not even sure if it will work (because I don't think this
> > permission to access one's Google Account is stored on the phone),
>
>  I just tried with the AppBrain app. It does work.
>
> but even if it did, it seems kind of heavy handed to have to re-install the
>
> > app if you've accidentally granted certain permissions...
>
> Perhaps, but it works. I would assume if you didn't trust an app to the
> point that you wanted to revoke the permissions granted to it, you would
> want to uninstall it anyway.
>
> --------------------------------------------------------------------------- ----------------------
> TreKing <http://sites.google.com/site/rezmobileapps/treking> - Chicago
Re: [android-developers] Re: Revoke permissions to access Google Accounts Nikolay Elenkov 1/18/12 9:29 PM
On Thu, Jan 19, 2012 at 2:07 PM, Kookamonga <sit...@yahoo.ca> wrote:
> Nikolay:
>
> Thanks for the explanation. While I was aware about the server/client
> sides to AuthToken, I didn't know the specifics of how it worked on
> the Android side... Very informative! Much appreciated. Also, I was
> aware of that Google website, but it didn't have the app that I
> granted permission listed...

It's most probably using ClientLogin to get an access token.
Those cannot be revoked, they can only expire. In that case,
it's only stored (cached) on Android.