36

I have an Android client getting an authentication token from Google Play Services, by using GoogleAuthUtil.getToken(Context context, Account account, String scope).

This is then sent to a backend (Go) server, which checks that the token was signed by one of the Google signing certificates from https://www.googleapis.com/oauth2/v1/cert. To do this, it needs to look up the certificate assigned to the "kid" in the token header.

99% of the time, this works just fine, but I have regular situations where the "kid" given does not correspond to any published Google certificates, and so I can't auth the token.

Edit:

I've added extensive logging on the server to try and track this down, and there are some relationships worth noting:

  1. Any given invalid kid is only used for a single user. I often see multiple requests over several days from the same user with a given invalid kid, but only ever from that user.
  2. A user giving an invalid kid never uses a valid kid for any request, or any other kid for a request, even if they are days apart. Afaik Google cycles their certificates every 24 hours or so.
  3. Many users are using older client versions. Most users upgrade within a day or two of a new version being released, but the majority of users with invalid certificate keys use versions that are a few weeks old.
  4. The requests come from an even spread around the globe in line with our user base.
  5. The requests come from a spread of times, in line with our user base.
  6. The requests come from a range of devices, manufacturers, and models.

My current thoughts are that it's probably from users who have downloaded the APK from a site other than Google Play, but I have no way of verifying this right now.

Edit: There is an issue tracker for this, but it seems that it has been marked as a low priority. If anyone has this issue, please let it be know on the tracker. https://issuetracker.google.com/issues/37734997

JohnGB
  • 1,906
  • 2
  • 20
  • 31
  • You may want to check how your code is saving the ID to the server. You can also check this document - [Authenticate with a backend server](https://developers.google.com/identity/sign-in/android/backend-auth), this helps you from sending the tokenID to the server to verifying integrity. Hope this helps. – Mr.Rebot Apr 26 '17 at 16:12
  • @Mr.Rebot If it were a mistake on the client, it should affect the entire token, but all I see is a well formed token with a "kid" that doesn't match up with any published Google signing certificate keys. – JohnGB Apr 27 '17 at 09:37
  • There are many Android phones (especially in countries in East Asia) have no Play Store or Google Play Services. Is there a chance that those users are not being given proper authentication tokens? This supports your idea that these users did not download the APK from the Play Store. – Doron Yakovlev Golani May 15 '17 at 14:27
  • You can authenticate the token by using it for something purposeful. Does your app do something illegal? – danny117 May 16 '17 at 21:53
  • 1
    @danny117 I'm afraid that I don't follow your meaning. The vast majority of the time the token sent to us is valid. In less than 1% of cases, we get a token that has been signed by a certificate which is not on Google's list of signing certificates, and hence invalid. Our app is on Google Play, so it's definitely legal, and even if that weren't the case, it wouldn't affect the certificate used by Google Play Services to sign the token. – JohnGB May 18 '17 at 00:07
  • @DoronYakovlev-Golani Our app first checks that a compatible version of Google Play Services is present, and then requests the token from Google Play Services. If there is no Google Play Services present, the app shows an error and doesn't try to make the request. So not having Google Play Services shouldn't affect this unless there is a spoofed version of Google Play Services on those devices. – JohnGB May 19 '17 at 10:18
  • at least with Firebase, "ID token revocation" is possible. – Martin Zeitler Mar 02 '18 at 14:54
  • 2 makes me think someone has reverse engineered your app and deployed it on another store. – Karan Harsh Wardhan Jan 19 '19 at 06:52

1 Answers1

2

A bit late, but for anyone experiencing the same, I would suggest to check the Installer of your app.

Using PackageManager.getInstallerPackageName()

getInstallerPackageName (String packageName) Retrieve the package name of the application that installed a package. This identifies which market the package came from

If the value is "com.android.vending" then the app was installed from the Play Store otherwise handle the other vendors.

Community
  • 1
  • 1
113408
  • 3,364
  • 6
  • 27
  • 54