[android-developers] Re: revoke permissions to access google auth tokens
I have same question, is there any update on this topic? It has also been asked on SO and there is just a workaround for it: http://stackoverflow.com/questions/5805657/revoke-account-permission-for-an-app -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: revoke permissions to access google auth tokens
To summarize, I still don't have the answer to the original question except that it is probably not possible yet. Original question (User perspective): Once a user (not a developer) clicks† around and grants an android app, access to google auth tokens, how could he/she revoke it? † Clicks: User clicks on an activity that android system throws when third party apps (utilizing android.permission.USE_CREDENTIALS) try accessing google auth tokens Sample screenshots: http://www.appbrain.com/info/fastweb2.png http://chiarg.com/?p=429 Happy to hear workarounds that can possibly revoke this for all third party android apps that were granted access once (say revoke through settings manage apps all google services or partner or some such clear data) but without disrupting other google services (gmail, gtalk, android market, ...) on the device. Or perhaps do it through the central web based accounts dashboard (which for now doesn't display info about android apps) http://www.google.com/url?sa=Dq=https://www.google.com/accounts/IssuedAuthSubTokens I could possibly post this on android-platform group as well. On Jun 17, 5:02 pm, RS rajeshs...@gmail.com wrote: Thanks Nikolay. Very useful pointers. Thank goodness it isn't global (UID). Though am using this permission as a developer the question is from a user point of view who wishes to revoke access, so I'd rather not call this directly or through reflection. Wish the system had a settings screen for this instead. Something the user could trust irrespective of the apps installed. I do see a couple of bugs requests where people would like to deny access to specific security permissions to an app (eg: network, camera, call status, ...) on the whole. This auth token stuff though, falls in a different sub-category and might be quicker to solve. Hope a google employee could comment on any future updates to the account management flow that they might have. Thanks, RS On Jun 17, 4:28 pm, Nikolay Elenkov nikolay.elen...@gmail.com wrote: On Fri, Jun 17, 2011 at 11:21 PM, RS rajeshs...@gmail.com wrote: Simplifying the question: Am looking for answers from developers (or google engineers) who have used accountManager.getAuthToken() and have come across such a screen for their own apps: http://www.appbrain.com/info/fastweb2.png or http://chiarg.com/?p=429 Once the user clicks 'allow', how could they undo this action for that particular android app+account? It seems that there is no public API to do this. AccountMangerService has a revokeAppPermission() method which is both hidden (with @hide) and not accessible via public APIs. You could probably call it using reflection, but that is usually not recommended. BTW, access to tokens is granted by UID, so it's not global for all applications. Check out /data/system/accounts.db for more details if you have a rooted device. HTH -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: revoke permissions to access google auth tokens
Well, I came here only after realizing how bad I was at it in this particular case. Should the accounts administration help revoke access even for android devices/apps? The list there doesn't show android apps allowed access to the google account. https://www.google.com/accounts/IssuedAuthSubTokens Nor does google apps dashboard help. Help me revoke access to an android app already granted access to a google account either through the device or google accounts through any browser. Thanks RS On Jun 16, 5:01 pm, Nikolay Elenkov nikolay.elen...@gmail.com wrote: On Fri, Jun 17, 2011 at 12:47 AM, RS rajeshs...@gmail.com wrote: community seemingly has no idea on this ... could anybody from google perhaps answer Use your Google powers to google it. Hint: it's not done on the phone. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: revoke permissions to access google auth tokens
On Fri, Jun 17, 2011 at 8:07 PM, RS rajeshs...@gmail.com wrote: Well, I came here only after realizing how bad I was at it in this particular case. You should probably says so and say what you tried so far, instead of just 'oh you guys obviously have no clue'. Might not be the best strategy to gen an answer. Should the accounts administration help revoke access even for android devices/apps? The list there doesn't show android apps allowed access to the google account. https://www.google.com/accounts/IssuedAuthSubTokens Nor does google apps dashboard help. Help me revoke access to an android app already granted access to a google account either through the device or google accounts through any browser. Which particular app? At least for me, Chrome to Phone shows in the IssuedAuthSubTokens page. If the app is using ClientLogin, it won't show up there though. I don't think there is an UI for manging granted tokens in Android, but if you are doing this in code, you might want to look at AccountManager. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: revoke permissions to access google auth tokens
Sorry if that reply instigated these comments. Am glad you still had patience to respond. Chrome to phone is probably showing up there having a server side component. As explained in the fist post, am looking for ways to revoke google account access granted to android apps on the phone. Nope, account manager doesn't help users. Once an app has gained the cookie/token through the account manager, it is pretty much out of the way. While I found revoking is possible for google app engine based apps, am still hunting for the right answer w.r.t android apps. And including this thread, there is no relevant answer on the Internet. And am hoping that is incorrect and that it would be possible for an user to clear access granted for individual android apps to a particular google account. But cold somebody confirm this to be true or false: Since the same auth token as the android system's is shared with third party apps, there is no way to distinguish requests from arbitrary apps using this token. Hence revoking on per app basis is ruled out. The app has access to all google stuff till the android system's token remains valid on the server. Okay that is acceptable but in any case, how to revoke access granted to an android app (account by account)? On first attempt by an app, the android system throws its own activity asking user to allow or deny an app from accessing tokens of a particular google account. Don't tokens expire? Second time on, the android system doesn't invoke user interaction to grant access. The app simply gets a copy of the (new) token. Clearing out access to all android apps allowed access to tokens is an acceptable workaround. But for which google's android apps should I clear data/cache on android? Please clarify. AccountManager document doesn't answer this. AOSP on source.android.com doesn't have relevant code to clear tokens etc. Thanks for your time, RS On Jun 17, 12:35 pm, Nikolay Elenkov nikolay.elen...@gmail.com wrote: On Fri, Jun 17, 2011 at 8:07 PM, RS rajeshs...@gmail.com wrote: Well, I came here only after realizing how bad I was at it in this particular case. You should probably says so and say what you tried so far, instead of just 'oh you guys obviously have no clue'. Might not be the best strategy to gen an answer. Should the accounts administration help revoke access even for android devices/apps? The list there doesn't show android apps allowed access to the google account. https://www.google.com/accounts/IssuedAuthSubTokens Nor does google apps dashboard help. Help me revoke access to an android app already granted access to a google account either through the device or google accounts through any browser. Which particular app? At least for me, Chrome to Phone shows in the IssuedAuthSubTokens page. If the app is using ClientLogin, it won't show up there though. I don't think there is an UI for manging granted tokens in Android, but if you are doing this in code, you might want to look at AccountManager. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: revoke permissions to access google auth tokens
Simplifying the question: Am looking for answers from developers (or google engineers) who have used accountManager.getAuthToken() and have come across such a screen for their own apps: http://www.appbrain.com/info/fastweb2.png or http://chiarg.com/?p=429 Once the user clicks 'allow', how could they undo this action for that particular android app+account? Regards, RS On Jun 17, 2:59 pm, RS rajeshs...@gmail.com wrote: Sorry if that reply instigated these comments. Am glad you still had patience to respond. Chrome to phone is probably showing up there having a server side component. As explained in the fist post, am looking for ways to revoke google account access granted to android apps on the phone. Nope, account manager doesn't help users. Once an app has gained the cookie/token through the account manager, it is pretty much out of the way. While I found revoking is possible for google app engine based apps, am still hunting for the right answer w.r.t android apps. And including this thread, there is no relevant answer on the Internet. And am hoping that is incorrect and that it would be possible for an user to clear access granted for individual android apps to a particular google account. But cold somebody confirm this to be true or false: Since the same auth token as the android system's is shared with third party apps, there is no way to distinguish requests from arbitrary apps using this token. Hence revoking on per app basis is ruled out. The app has access to all google stuff till the android system's token remains valid on the server. Okay that is acceptable but in any case, how to revoke access granted to an android app (account by account)? On first attempt by an app, the android system throws its own activity asking user to allow or deny an app from accessing tokens of a particular google account. Don't tokens expire? Second time on, the android system doesn't invoke user interaction to grant access. The app simply gets a copy of the (new) token. Clearing out access to all android apps allowed access to tokens is an acceptable workaround. But for which google's android apps should I clear data/cache on android? Please clarify. AccountManager document doesn't answer this. AOSP on source.android.com doesn't have relevant code to clear tokens etc. Thanks for your time, RS On Jun 17, 12:35 pm, Nikolay Elenkov nikolay.elen...@gmail.com wrote: On Fri, Jun 17, 2011 at 8:07 PM, RS rajeshs...@gmail.com wrote: Well, I came here only after realizing how bad I was at it in this particular case. You should probably says so and say what you tried so far, instead of just 'oh you guys obviously have no clue'. Might not be the best strategy to gen an answer. Should the accounts administration help revoke access even for android devices/apps? The list there doesn't show android apps allowed access to the google account. https://www.google.com/accounts/IssuedAuthSubTokens Nor does google apps dashboard help. Help me revoke access to an android app already granted access to a google account either through the device or google accounts through any browser. Which particular app? At least for me, Chrome to Phone shows in the IssuedAuthSubTokens page. If the app is using ClientLogin, it won't show up there though. I don't think there is an UI for manging granted tokens in Android, but if you are doing this in code, you might want to look at AccountManager. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: revoke permissions to access google auth tokens
On Fri, Jun 17, 2011 at 11:21 PM, RS rajeshs...@gmail.com wrote: Simplifying the question: Am looking for answers from developers (or google engineers) who have used accountManager.getAuthToken() and have come across such a screen for their own apps: http://www.appbrain.com/info/fastweb2.png or http://chiarg.com/?p=429 Once the user clicks 'allow', how could they undo this action for that particular android app+account? It seems that there is no public API to do this. AccountMangerService has a revokeAppPermission() method which is both hidden (with @hide) and not accessible via public APIs. You could probably call it using reflection, but that is usually not recommended. BTW, access to tokens is granted by UID, so it's not global for all applications. Check out /data/system/accounts.db for more details if you have a rooted device. HTH -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: revoke permissions to access google auth tokens
Thanks Nikolay. Very useful pointers. Thank goodness it isn't global (UID). Though am using this permission as a developer the question is from a user point of view who wishes to revoke access, so I'd rather not call this directly or through reflection. Wish the system had a settings screen for this instead. Something the user could trust irrespective of the apps installed. I do see a couple of bugs requests where people would like to deny access to specific security permissions to an app (eg: network, camera, call status, ...) on the whole. This auth token stuff though, falls in a different sub-category and might be quicker to solve. Hope a google employee could comment on any future updates to the account management flow that they might have. Thanks, RS On Jun 17, 4:28 pm, Nikolay Elenkov nikolay.elen...@gmail.com wrote: On Fri, Jun 17, 2011 at 11:21 PM, RS rajeshs...@gmail.com wrote: Simplifying the question: Am looking for answers from developers (or google engineers) who have used accountManager.getAuthToken() and have come across such a screen for their own apps: http://www.appbrain.com/info/fastweb2.png or http://chiarg.com/?p=429 Once the user clicks 'allow', how could they undo this action for that particular android app+account? It seems that there is no public API to do this. AccountMangerService has a revokeAppPermission() method which is both hidden (with @hide) and not accessible via public APIs. You could probably call it using reflection, but that is usually not recommended. BTW, access to tokens is granted by UID, so it's not global for all applications. Check out /data/system/accounts.db for more details if you have a rooted device. HTH -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: revoke permissions to access google auth tokens
community seemingly has no idea on this ... could anybody from google perhaps answer hellooo.. On Jun 15, 10:48 am, RS rajeshs...@gmail.com wrote: Once an app is allowed to access an account's auth token, how can a user revoke? android.permission.USE_CREDENTIALS Also once an app has been denied, where to go and allow? eg: Chrome-to-phone won't ask again on its own once denied even across uninstall, reboot, reinstalls. Just force closes. That might be bad implementation but still there must be a central control to allow/deny/ revoke/change access to auth tokens on per app basis. Which app's clear data/cache is safe to go for a clean start without affecting stock apps? Thanks RS -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: revoke permissions to access google auth tokens
On Fri, Jun 17, 2011 at 12:47 AM, RS rajeshs...@gmail.com wrote: community seemingly has no idea on this ... could anybody from google perhaps answer Use your Google powers to google it. Hint: it's not done on the phone. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en