
[android-developers] Revoke permissions to access Google Accounts

Kookamonga
Jan 18, 2012 at 10:41 pm
Sorry to resurrect an old thread, but there was never an answer to how
a *USER* would be able to revoke access he/she had granted to an app:

http://groups.google.com/group/android-developers/browse_thread/thread/80e559d0317b71c8/38ecbc20429fdc76?lnk=gst&q=revoke+permissions+to+access+google+auth+tokens#38ecbc20429fdc76

(I wasn't able to reply in that thread; this is why I've started a new
thread.)

Thanks for your help.

--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en

12 responses

  • Kristopher Micinski at Jan 18, 2012 at 10:55 pm
    The short answer is: On stock android, as it stands today, this is impossible.

    Apps are written with the idea that the user will accept all the
    permissions for an app; permissions are not configuration options, or
    dynamically revocable.

    There are a few active research projects that target this direction,
    however I'm guessing that this is not what you are interested in :-).
    If it is you can feel free to email me and I will point you to them,
    but this isn't how apps are written today, as it stands.

    kris
  • Nikolay Elenkov at Jan 19, 2012 at 1:19 am

    On Thu, Jan 19, 2012 at 7:55 AM, Kristopher Micinski wrote:

    > There are a few active research projects that target this direction,
    > however I'm guessing that this is not what you are interested in :-).

    Could you please share those links?

  • Kristopher Micinski at Jan 19, 2012 at 2:57 am
    One of them is from my end; this is binary rewriting to retrofit apps
    with enhanced security policies.

    http://www.cs.umd.edu/~jfoster/papers/acplib.pdf

    Another notable project is CRePE droid, which takes the platform-based approach:

    http://crepedroid.org/crepedroid.html

    Though as I said, these are very much research projects at the moment.

    kris

    On Wed, Jan 18, 2012 at 8:19 PM, Nikolay Elenkov
    wrote:
    On Thu, Jan 19, 2012 at 7:55 AM, Kristopher Micinski
    wrote:
    There are a few active research projects that target this direction,
    however I'm guessing that this is not what you are interested in :-).
    Could you please share those links?

    --
    You received this message because you are subscribed to the Google
    Groups "Android Developers" group.
    To post to this group, send email to android-developers@googlegroups.com
    To unsubscribe from this group, send email to
    android-developers+unsubscribe@googlegroups.com
    For more options, visit this group at
    http://groups.google.com/group/android-developers?hl=en
    --
    You received this message because you are subscribed to the Google
    Groups "Android Developers" group.
    To post to this group, send email to android-developers@googlegroups.com
    To unsubscribe from this group, send email to
    android-developers+unsubscribe@googlegroups.com
    For more options, visit this group at
    http://groups.google.com/group/android-developers?hl=en
  • Kookamonga at Jan 19, 2012 at 3:41 am
    Kris:

    re: your initial reply, I believe we're talking about different
    permissions. It sounds like you're referring to the permissions that a
    user must accept when first installing the app. I'm not talking about
    those. I'm talking about the permission the user has to accept that allows
    the app access to the user's Google Account (see screenshots in the
    thread I've linked to). In Android terms, this would be as a result of
    a call to AccountManager's getAuthToken(...) method.

    TreKing:

    Uninstalling the app is hardly a solution! First, I'm not even sure if
    it will work (because I don't think this permission to access one's
    Google Account is stored on the phone), but even if it did, it seems
    kind of heavy handed to have to re-install the app if you've
    accidentally granted certain permissions...

    I was hoping there was some way to do it online through one's Google
    Account settings. This is already mentioned in the thread linked to in
    my initial post, but this is how one would revoke access to
    Chrome-To-Phone, for example...

    Oh well, still no satisfactory answer. (To tell you the truth, I don't
    understand the "broadcast receiver" answer... )
  • Kristopher Micinski at Jan 19, 2012 at 3:49 am
    Kookamonga,

    I'm sorry about that! I read that after considering your email, sorry
    I didn't see it sooner, I've responded to variants of that question a
    few times over the past month, so this is why I was thinking
    incorrectly in that mode :-).

    To your question, I believe the answer is much the same, however I
    will try digging to see if I can find anything else as I haven't
    investigated that area for a while, and feel bad about misinterpreting
    you :-P..

    kris
  • Nikolay Elenkov at Jan 19, 2012 at 4:04 am

    On Thu, Jan 19, 2012 at 12:40 PM, Kookamonga wrote:
    > Oh well, still no satisfactory answer. (To tell you the truth, I don't
    > understand the "broadcast receiver" answer... )

    You only get what you pay for :) There are two sides of the OAuth token
    story: server side and Android (AccountManager) side. You can revoke
    access you've granted to apps here; it's not just for Chrome-to-phone,
    and not just for Android apps, but Web, etc. as well:

    https://www.google.com/accounts/IssuedAuthSubTokens

    On Android, when you call AccountManager.getAuthToken() you will be
    presented with a screen saying something like 'Application foo wants to
    access your Google Reader auth tokens'. If you click 'Allow', AccountManager
    will insert a line in its database with the UID of your app, thus granting
    you access to those tokens. Next time you call getAuthToken(), there
    will be no confirmation screen, since you already have the necessary
    permission. For example, this line means that the app with UID 10062
    has access to Google Reader tokens from account 1 (your primary
    Google account)

    .schema grants
    CREATE TABLE grants ( accounts_id INTEGER NOT NULL, auth_token_type STRING NOT NULL,
    uid INTEGER NOT NULL, UNIQUE (accounts_id,auth_token_type,uid));

    1|reader|10062

    There is currently no way to revoke that permission
    (i.e., delete the line from the DB using a public API).
    However (*I think*), if you uninstall the app, the AccountManager
    will be notified and delete your app from the grants DB,
    effectively revoking access.
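
A small model of the grant check described in this post, added here as an illustration (not AccountManager's code and not part of the original thread). It loads the `grants` schema quoted above into an in-memory SQLite database; `GrantStore`, its method names and the package name are hypothetical, and deleting rows on uninstall follows the behaviour the post says it believes happens.

```python
import sqlite3

# Table definition as quoted in the post above.
SCHEMA = """CREATE TABLE grants (
    accounts_id INTEGER NOT NULL, auth_token_type STRING NOT NULL,
    uid INTEGER NOT NULL, UNIQUE (accounts_id, auth_token_type, uid))"""


class GrantStore:
    """Toy model of the grant check; not AccountManager's own code."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)

    def has_grant(self, account_id, token_type, uid):
        return self.db.execute(
            "SELECT 1 FROM grants WHERE accounts_id = ? "
            "AND auth_token_type = ? AND uid = ?",
            (account_id, token_type, uid)).fetchone() is not None

    def get_auth_token(self, account_id, token_type, uid, ask_user):
        """Return 'silent' if a grant row exists, else ask the user once."""
        if self.has_grant(account_id, token_type, uid):
            return "silent"            # no confirmation screen
        if not ask_user():
            return "denied"            # nothing is stored on refusal
        self.db.execute("INSERT INTO grants VALUES (?, ?, ?)",
                        (account_id, token_type, uid))
        return "granted"

    def on_package_removed(self, uid):
        """Drop every grant held by the UID; returns rows deleted."""
        return self.db.execute(
            "DELETE FROM grants WHERE uid = ?", (uid,)).rowcount

    def audit(self, uid_names):
        """List (app, account, token type) for each stored grant."""
        rows = self.db.execute(
            "SELECT uid, accounts_id, auth_token_type FROM grants "
            "ORDER BY uid, auth_token_type").fetchall()
        return [(uid_names.get(u, "uid %d" % u), a, t) for u, a, t in rows]


def demo():
    store, prompts = GrantStore(), []

    def allow():
        prompts.append("shown")
        return True

    # Constructed sample: UID 10062 and "reader" mirror the row in the post;
    # the package name is hypothetical.
    names = {10062: "com.example.feedreader"}
    first = store.get_auth_token(1, "reader", 10062, allow)
    second = store.get_auth_token(1, "reader", 10062, allow)
    listed = store.audit(names)
    removed = store.on_package_removed(10062)
    again = store.get_auth_token(1, "reader", 10062, lambda: False)
    return first, second, len(prompts), listed, removed, again


if __name__ == "__main__":
    print(demo())
```

The row only decides whether the confirmation screen appears on the device; the server side of the token, as the post says, is a separate matter.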

  • TreKing at Jan 19, 2012 at 4:16 am

    On Wed, Jan 18, 2012 at 9:40 PM, Kookamonga wrote:

    > Uninstalling the app is hardly a solution!

    Sure it is! It solves the problem you posed! That's a solution, kinda by
    definition!

    > First, I'm not even sure if it will work (because I don't think this
    > permission to access one's Google Account is stored on the phone),

    I just tried with the AppBrain app. It does work.

    > but even if it did, it seems kind of heavy handed to have to re-install the
    > app if you've accidentally granted certain permissions...

    Perhaps, but it works. I would assume if you didn't trust an app to the
    point that you wanted to revoke the permissions granted to it, you would
    want to uninstall it anyway.

    -------------------------------------------------------------------------------------------------
    TreKing <http://sites.google.com/site/rezmobileapps/treking> - Chicago
    transit tracking app for Android-powered devices

  • Kookamonga at Jan 19, 2012 at 5:08 am
    Nikolay:

    Thanks for the explanation. While I was aware about the server/client
    sides to AuthToken, I didn't know the specifics of how it worked on
    the Android side... Very informative! Much appreciated. Also, I was
    aware of that Google website, but it didn't have the app that I
    granted permission listed... which is why I posed the question in the
    first place. Even my Google Accounts dashboard (which lists, for
    example, Chrome-To-Phone), does NOT list this other app.

    TreKing:

    :-) Looks like uninstalling is in fact the only solution, given what
    Nikolay says about the way the grants DB works. So thank you as well
    for first suggesting it.

    Kris:

    No apologies needed at all; I appreciate you spending the time to
    respond in the first place.

    Thanks everyone, looks like we can close the books on this question.
  • Nikolay Elenkov at Jan 19, 2012 at 5:30 am

    On Thu, Jan 19, 2012 at 2:07 PM, Kookamonga wrote:
    > Nikolay:
    >
    > Thanks for the explanation. While I was aware about the server/client
    > sides to AuthToken, I didn't know the specifics of how it worked on
    > the Android side... Very informative! Much appreciated. Also, I was
    > aware of that Google website, but it didn't have the app that I
    > granted permission listed...

    It's most probably using ClientLogin to get an access token.
    Those cannot be revoked, they can only expire. In that case,
    it's only stored (cached) on Android.

  • Nikolay Elenkov at Jan 19, 2012 at 3:46 am

    On Thu, Jan 19, 2012 at 11:56 AM, Kristopher Micinski wrote:
    > One of them is from my end, this is binary rewriting to retrofit apps
    > with enhanced security policies..
    >
    > http://www.cs.umd.edu/~jfoster/papers/acplib.pdf
    >
    > another notable project is CRePE droid, which takes the platform based approach
    >
    > http://crepedroid.org/crepedroid.html

    Thanks. This is interesting stuff.

  • TreKing at Jan 19, 2012 at 12:43 am

    On Wed, Jan 18, 2012 at 4:41 PM, Kookamonga wrote:

    > how a *USER* would be able to revoke access he/she had granted to an app

    Clear the app's data? Uninstall the app?

    -------------------------------------------------------------------------------------------------
    TreKing <http://sites.google.com/site/rezmobileapps/treking> - Chicago
    transit tracking app for Android-powered devices

  • Nikolay Elenkov at Jan 19, 2012 at 1:18 am

    On Thu, Jan 19, 2012 at 9:42 AM, TreKing wrote:
    > On Wed, Jan 18, 2012 at 4:41 PM, Kookamonga wrote:
    >
    >> how a *USER* would be able to revoke access he/she had granted to an app
    >
    > Clear the app's data? Uninstall the app?

    Those are stored in a system DB, so clearing won't work. Uninstalling
    should though. IIRC, there is a broadcast receiver that deletes permissions
    when the relevant package is uninstalled.

