Potentially critical android security bug


(Andrew Schofield) #1

While testing another bug on Android, I wiped my app data for the Monzo app. I was expecting this to return me to a “clean slate” state and be prompted for my email address again to get a new auth token.
This didn’t happen however, and the app opened as normal, connected to my account.

This suggests some pretty worrying things to me:

  1. The app is not persisting the auth token in the standard place (i.e. cache or app data)
  2. The app doesn’t need to persist the token and uses some sort of device id instead once authorised
  3. The app isn’t sending any sort of guid or entropy based key when asking for authorisation

1 is pretty self explanatory and just plain wrong if true, as wiping the app data should get rid of all settings/customisations done to an app.
2 and 3 are related, but if the app doesn’t need to store the token, the device id should be salted, or otherwise made unique per “installation”, and the salt be stored in app data. When the app data is deleted, the next time the app starts a new salt is created and the device id sent is therefore different.

This starts to become a problem if you start adding features like pin protection to the app, where you could just bypass it by wiping the app data (and thus the stored pin). The pin would be gone, but that app is still authorised to talk to the API.


(Andy Little) #2

I’ve just replicated the experiment and got exactly the same results.


(Rika Raybould) #3

Try the same with the Twitter, Reddit, OneDrive or any Google apps on Android.

What you are describing clears app data but does not clear account information held by the system (listed in Settings -> Accounts on 5.1.1 at least).

When you clear app data, all local data is indeed being wiped (as evidenced by the app starting on a dark blue screen and taking significant time to reload all historical feed entries and icons) but on a fresh launch, the Monzo app is querying the Android system to ask if it has any saved account tokens for the Monzo service. Android returns these after a quick verification that the Monzo app is properly signed and authorised to access the Monzo account and the app automatically logs in.

If you were to remote wipe, create a new user or otherwise clear accounts on the device, you would be prompted to log in again from a truly clean state.


#4

that is my understanding also


(Andrew Schofield) #5

Hmm, have you read the prompt that appears when you click “Clear data”?

Delete app data?
All of this app’s data will be deleted permanently. This includes all files, settings, accounts, databases, etc.

I have more apps on my phone that will require me to authenticate again than not (and yes, they also create accounts in the accounts database) after wiping app data.

Google apps are a special case as every app uses the same account.

Edit: Notwithstanding this doesn’t affect the PIN related issues, unless the PIN can be stored in the account database.


(Rika Raybould) #6

I did, it is true for some apps on my Android device such as Plex but highly misleading for others such as those I listed above.

In all the supported apps I have been able to test in the last hour, they have all either automatically logged in or provided me with two-tap login via a sheet to select an account.

Google apps are only a special case in that they do things to the letter and with some customisation on top (provided by Google Play Services) of the same APIs everybody else has. Any Google signed app has access to Google accounts same as any Twitter signed app has automatic access to any Twitter apps. Apps from other companies may request access through separate APIs such as Google Sign-In for Android.

This does not cover apps such as Netflix that use Google Smart Lock.

As for PINs, the PIN for sending money is stored and checked server side. Not sure how the Monzo Android team plan to implement it for app locking so your point is valid there.


(Andrew Schofield) #7

This was my main worry, I’m less bothered about the account authorisation if that is semi-expected behaviour (even though I admit I have never seen it before).


(Ivan) #8

The Monzo Android app currently stores user data in Android’s Account Manager. This means that when you clear the application data, it won’t sign you out or delete your account. It will only delete your cached transactions, etc. This doesn’t affect security and many other Android apps like Facebook, Twitter, etc. also use the Account Manager.

You can manage your Monzo account from your device settings. Go to Settings > Accounts, and from there you can add a new Monzo account or delete your Monzo account. When you delete your Monzo account, it will log you out and clear all your user data.
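The AccountManager behaviour discussed in this thread, as an added illustration that is not Monzo's code: the system-held account (and any cached auth token) lives outside the app's private data directory, so "Clear data" leaves it in place, while removing the account from Settings > Accounts (or the app's own sign-out) does clear it. The account type, token type and class name are placeholders; a real app must also declare a matching AccountAuthenticator service in its manifest.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.content.Context;
import android.os.Build;

// Session handling backed by AccountManager (illustrative, not Monzo's implementation).
public final class SessionStore {
    private static final String ACCOUNT_TYPE = "com.example.bank"; // placeholder authenticator type
    private static final String TOKEN_TYPE = "api";                // placeholder token type
    private final AccountManager am;

    public SessionStore(Context ctx) {
        this.am = AccountManager.get(ctx);
    }

    // Lookup performed on launch. Because AccountManager data is not part of the
    // app's /data/data directory, this still returns a token after "Clear data".
    public String restoreToken() {
        Account[] accounts = am.getAccountsByType(ACCOUNT_TYPE); // only our own authenticator type
        if (accounts.length == 0) return null;
        return am.peekAuthToken(accounts[0], TOKEN_TYPE); // cached value only; never prompts
    }

    // Persist the session after a successful login. No password is stored, only the token.
    public void saveSession(String username, String token) {
        Account acct = new Account(username, ACCOUNT_TYPE);
        am.addAccountExplicitly(acct, null, null); // returns false if the account already exists
        am.setAuthToken(acct, TOKEN_TYPE, token);
    }

    // Sign-out: drop the cached token and remove the system account. This is the
    // step that "Clear data" does not perform, so the app has to do it itself.
    public void clearSession() {
        for (Account acct : am.getAccountsByType(ACCOUNT_TYPE)) {
            String token = am.peekAuthToken(acct, TOKEN_TYPE);
            if (token != null) am.invalidateAuthToken(ACCOUNT_TYPE, token);
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) {
                am.removeAccountExplicitly(acct);        // API 22+
            } else {
                am.removeAccount(acct, null, null);      // older, asynchronous form
            }
        }
    }
}
```

Anything the app stores only in its own data directory (such as a local app-lock PIN) is wiped independently of the account, which is the mismatch the first post describes.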