Thursday, March 8, 2012

Bypass Google Play PIN code for purchases




Today I was following a guide to get my Android Market to upgrade to Google Play, a rebranding of all the Android Market services. I noticed that this bug is strikingly similar to the Google Wallet bug that allowed people to access the prepaid cards on the phones that used Google Wallet.
The specific bug lies with the 'Use PIN for purchases' setting, as shown below:
Settings are locked until you enter the PIN
This PIN prevents you from being able to just buy anything you want. It is much simpler than Apple's Apple ID login, where they prompt for your password even more than Windows Vista initially did with UAC.

Dangit! Stymied again!

This PIN code is stored on the device itself and not through Google Wallet (checkout). This is where the bug lies:
Say your phone is stolen. You don't have a lock on the device, so anyone can use it. I know many people who have phones like this.
If you use a PIN code to protect your Google purchases from, say, your kids, the easiest way to bypass it is to just clear the Market/Play Store settings through the settings manager, which, unless you use an app like Data Defender, is really easy to do:
One Click?
Now, if we restart the Market/Play Store app, and go to settings once again...



Nothing prompts you to sign in with your Google Account (your default one), so your credit card details are still available to the market app, and I'm free to purchase whatever I want now without needing a PIN. When the owner changes their Google password, sure, it'll not let you buy until you sign in again, but we can't expect everyone to change their password within 3 minutes of losing their phone. While I don't suspect this happens a lot, I'm sure somebody's kids want to get those fancy suits in RoboTek or buy a fake Temple Run game. Or you could just have someone who doesn't like you run up an impressive bill, just like the 90's!

Great success!

Google should probably tie the PIN to their end instead of the phone end. Everything is moving to the cloud anyway, right?
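
The difference between the two designs, as an added sketch that is not from the original post and is not Google's code: a constructed model of a PIN kept only in app settings next to a hypothetical account-side gate that holds a salted PIN verifier and a failure lockout. The class names, the account name, the sample PIN and the limit of five failures are all assumptions made for illustration.

```python
import hashlib, hmac, os

class DevicePinGate:
    """Constructed model of the flaw: the PIN lives only in app-private settings."""
    def __init__(self):
        self.prefs = {}
    def set_pin(self, pin):
        self.prefs["purchase_pin"] = pin
    def clear_app_data(self):          # what clearing the app's data in Settings does
        self.prefs.clear()
    def allow_purchase(self, pin=None):
        stored = self.prefs.get("purchase_pin")
        return stored is None or stored == pin   # no stored PIN means no gate

class AccountPinGate:
    """Hypothetical server-side gate: PIN verifier and lockout kept per account."""
    MAX_FAILURES = 5                   # assumed limit, a short PIN needs one
    def __init__(self):
        self.records = {}              # account -> [salt, digest, failures]
    @staticmethod
    def _digest(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    def set_pin(self, account, pin):
        salt = os.urandom(16)
        self.records[account] = [salt, self._digest(pin, salt), 0]
    def allow_purchase(self, account, pin=None):
        rec = self.records.get(account)
        if rec is None:
            return True                # owner never enabled a PIN
        salt, digest, failures = rec
        if failures >= self.MAX_FAILURES or pin is None:
            return False               # locked out, or the client sent no PIN
        if hmac.compare_digest(digest, self._digest(pin, salt)):
            rec[2] = 0                 # correct PIN resets the failure count
            return True
        rec[2] += 1
        return False

def compare_after_clear():
    """Return (device_allows, server_allows) for a PIN-less purchase after a wipe."""
    device, server = DevicePinGate(), AccountPinGate()
    device.set_pin("4821")                         # constructed sample PIN
    server.set_pin("owner@example.com", "4821")    # constructed sample account
    device.clear_app_data()            # account-side state is untouched by this
    return device.allow_purchase(), server.allow_purchase("owner@example.com")

if __name__ == "__main__":
    print(compare_after_clear())
```

With the requirement held against the account, wiping local app data changes nothing about whether a purchase needs the PIN.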