Android - What can an app do with the "USE ACCOUNTS ON THE DEVICE" permission?

Android has a centralized system for managing credentials for online services (such as your Google account). One component is called the AccountManager. Some apps can "act as an account authenticator". This means that they understand how to log into a particular online service, and can log in to that service for the AccountManager. Other apps want to use that login information to identify you or perform actions on your behalf, without you having to enter your password every time.

Example: logging into Google

Your phone has a built-in app that "acts as an account authenticator" for your Google account. It knows how to log into Google, and it has the email and password you entered when you set up the phone. There's also a YouTube app, which wants to log in to show your favourite videos, and to let you comment, but without having to enter your email and password again.

This YouTube app talks to the AccountManager and asks if it has any credentials for a Google account. Asking this question requires the "find accounts on the device" permission. The AccountManager has a list of authenticators installed on the phone, which it consults to answer this question. If it does have any credentials, the app will then ask for what's known as an authtoken for the Google account. This request requires the "use accounts on the device" permission.

The AccountManager then asks you if you want the requesting app (YouTube) to be able to use the requested account (Google account). This might be in a dialog that appears over the app, or in a notification. Alternatively, the app can choose to do nothing if you haven't already answered yes to this question: it might want to ask later at a more convenient time. This step ensures that an app with the "use accounts on the device" permission can't immediately use every account without asking.

If you say yes, the AccountManager forwards the request to the authenticator (the built-in Google app). What happens next is up to the authenticator and the particular service you're logging into. You might need to log in if you haven't previously done that, and logging in might require a username and password, a photo, an SMS, or something else entirely. Whatever the authenticator does, it can either fail, or give an authtoken back to the requesting app.

Further checks

The authenticator and the online service can also control what actions the requesting app can perform. For example, when you connect an app to your Google account, Google lists permissions the app needs (such as "upload videos" for YouTube). Thus, the app can only do the actions listed. However, some services might not have anything like that; for such a service, once you've allowed the app to use your credentials, it can take any action in your name.

Once the requesting app has obtained the authtoken, it can continue to use it to perform actions in your name without any further interaction from you. That is, once you've agreed that Dan's Twitter Client can post to your Twitter feed, it might run in the background and post further tweets without you knowing. You should only grant the app access to your credentials if you trust it not to do that.

Summary

An app with the "use accounts on the device" permission can, once installed, ask you to access an online service (such as Google, Facebook, or Twitter) in your name. You can choose to let it access the service or not. If you do let it access the service, what actions it can take on your behalf might be limited by the service (it's up to the service), and the service might let you revoke that permission later (usually through a list of "connected apps" on the service's website).
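The requesting-app side of the flow described above, as an added example that is not part of the original answer. The class name `TokenRequester`, the `Listener` interface, the request code and the token type string are assumptions; the manifest names `GET_ACCOUNTS` and `USE_CREDENTIALS` in the comments are the permissions behind the two labels on Android versions that still declare them.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AuthenticatorException;
import android.accounts.OperationCanceledException;
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import java.io.IOException;

public final class TokenRequester {
    // Hypothetical token type; each authenticator defines its own.
    private static final String TOKEN_TYPE = "example-token-type";
    private static final int REQUEST_CONSENT = 1; // arbitrary request code

    public interface Listener { void onToken(String tokenOrNull); }

    public static void requestToken(Activity activity, Listener listener) {
        AccountManager am = AccountManager.get(activity);

        // "Find accounts on the device" (GET_ACCOUNTS): ask which accounts exist.
        Account[] accounts = am.getAccountsByType("com.google");
        if (accounts.length == 0) { listener.onToken(null); return; }

        // "Use accounts on the device" (USE_CREDENTIALS): ask for an authtoken.
        // notifyAuthFailure=false means no prompt is raised now; if the user has
        // not approved this app yet, the result carries an Intent instead.
        am.getAuthToken(accounts[0], TOKEN_TYPE, null, false, future -> {
            try {
                Bundle result = future.getResult(); // already complete in the callback
                Intent consent = result.getParcelable(AccountManager.KEY_INTENT);
                if (consent != null) {
                    // The user decides here; the app may also defer this to later.
                    activity.startActivityForResult(consent, REQUEST_CONSENT);
                    listener.onToken(null);
                    return;
                }
                // From here on the app can use the token with no further prompts.
                listener.onToken(result.getString(AccountManager.KEY_AUTHTOKEN));
            } catch (OperationCanceledException | AuthenticatorException | IOException e) {
                // The authenticator failed or the request was cancelled: no token.
                listener.onToken(null);
            }
        }, null); // null handler: callback runs on the main thread
    }
}
```

After the consent activity returns, the app calls `requestToken` again to pick up the token.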
