Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Android M 6.0 - SecurityException Trying to remove accounts

I have an app that uses Android AccountManager (package name: com.mycompany.accounts), that adds accounts to the device and provides a login screen. I have another app (com.mycomp.actualapp), that uses the first app to add/remove accounts.

I can successfully add and remove accounts on Pre Marshmallow devices, using the following permissions in the manifest:

<uses-permission android:name="android.permission.GET_ACCOUNTS"/>
<uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
<uses-permission android:name="android.permission.USE_CREDENTIALS"/>

When compiling with sdk 22 and targetting sdk 22, these permissions should be automatically granted. The following code:

      accountManager.removeAccount(getAccount(), activity, new AccountManagerCallback<Bundle>() {
        @Override
        public void run(AccountManagerFuture<Bundle> accountManagerFuture) {
            try {
                Bundle bundle = accountManagerFuture.getResult();
                boolean success = bundle.getBoolean(AccountManager.KEY_BOOLEAN_RESULT);
                if (success) {
                    Toast.makeText(activity, activity.getString(R.string.successfully_loggedout), Toast.LENGTH_LONG).show();
                    afterLogoutSuccess(activity);

                } else {
                    Toast.makeText(activity.getApplicationContext(), activity.getString(R.string.failed_to_logout), Toast.LENGTH_LONG).show();
                }
                onLogoutListener.onLogoutFinished(success);
                return;
            } catch (OperationCanceledException e) {
                Log.e(TAG,"Operation cancelled exception:", e);
            } catch (IOException e) {
                Log.e(TAG, "IOException:", e);
            } catch (AuthenticatorException e) {
                Log.e(TAG, "AuthenticatorException:", e);
            }
            onLogoutListener.onLogoutFinished(false);

        }
    }, null);

Fails with the following exception:

 java.lang.SecurityException: uid 10057 cannot remove accounts of type: com.mycompany.accounts
        at android.os.Parcel.readException(Parcel.java:1599)
        at android.os.Parcel.readException(Parcel.java:1552)
        at android.accounts.IAccountManager$Stub$Proxy.removeAccount(IAccountManager.java:897)
        at android.accounts.AccountManager$7.doWork(AccountManager.java:900)
        at android.accounts.AccountManager$AmsTask.start(AccountManager.java:1888)
        at android.accounts.AccountManager.removeAccount(AccountManager.java:897)
        at com.mycomp.actualapp.utils.LoginHelper$4.doInBackground(LoginHelper.java:282)
        at com.mycomp.actualapputils.LoginHelper$4.doInBackground(LoginHelper.java:242)
        at android.os.AsyncTask$2.call(AsyncTask.java:295)
        at java.util.concurrent.FutureTask.run(FutureTask.java:237)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
        at java.lang.Thread.run(Thread.java:818)

The strange thing, is that this code runs fine on Pre Marshmallow devices without any issues.

On a side note, I noticed that compiling with sdk 22 and targeting 22: Going to "Settings > Apps > My app(com.mycomp.actualapp) > Permissions" I see only two permissions, "Phone" "Storage".

I noticed that compiling with sdk 23 and targeting 23: I see three permissions, "Phone", "Storage" and "Contacts".

I have tried the following:

  • Switching to compile with sdk 23 - grant all permissions in app settings, try remove account again. Still fails with the same exception.

  • Compile with 22 and add the following permissions to the manifest. Make sure all permissions are granted. Still fails with the same exception:

    <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>

I am able to get the users account username and token without additional permission granting, but the removing of accounts doesn't work. I would really appreciate any help!

like image 599
riggaroo Avatar asked Sep 28 '15 06:09

riggaroo


1 Answers

I know this is late to answer but I thought I would share my findings in case anyone else is in the same situation.

I upgraded my build to build with 23 instead of 22 as I couldn't solve it on 22. Then I explicitly asking for the permission at runtime to GET_ACCOUNTS before trying to do anything with them. https://developer.android.com/training/permissions/requesting.html https://developer.android.com/reference/android/Manifest.permission.html#GET_ACCOUNTS

Further information for compiling with 23: You don't need to ask permission if the app shares the signature of the authenticator that manages an account. In this case, my signatures didn't match so I did need to request it. If you create an account within your app to be used within your app, you do not need to request permission at runtime.

like image 59
riggaroo Avatar answered Nov 15 '22 17:11

riggaroo