Recently I have seen an increase in errors reported by Firebase Crashlytics for the following:
Caused by java.lang.SecurityException: uid 10172 cannot explicitly add accounts of type: com.mypackage.account
at android.os.Parcel.createException(Parcel.java:2087)
at android.os.Parcel.readException(Parcel.java:2055)
at android.os.Parcel.readException(Parcel.java:2003)
at android.accounts.IAccountManager$Stub$Proxy.addAccountExplicitly(IAccountManager.java:1660)
at android.accounts.AccountManager.addAccountExplicitly(AccountManager.java:889)
It got triggered from
accountManager.addAccountExplicitly(defaultAccount, null, null)
Based on the Firebase Crashlytics report, it happens only on Android 9 and 10 and across Samsung, Realme and OPPO devices.
On my end, I tried to replicate it on Android P and Android 10 devices, and the code got triggered without issue.
I have searched through StackOverflow, such as
Android app crashes on addAccountExplicitly(account, password, null);, Android SecurityException: uid xxxxx cannot explicitly add accounts, https://stackoverflow.com/a/58591203/3286489, https://stackoverflow.com/a/37348909/3286489, https://stackoverflow.com/a/16972048/3286489, and Android Adding Account with AccountManager.
They are for replicable issues, hence they are not of use to me.
I also checked and found ones like
https://github.com/signalapp/Signal-Android/issues/9311 (Android 10) https://github.com/signalapp/Signal-Android/issues/9296 (Android 9 - Pie?) https://github.com/signalapp/Signal-Android/issues/9349 (Another Android 10, on One Plus)
Either starting from Android P there are more security updates that require us to change our code, or Android P and 10 have some bug related to this issue? Has anyone encountered this issue lately?
I'll bet you are calling addAccountExplicitly in the wrong place.
According to Google docs for AccountManager.addAccountExplicitly:
Adds an account directly to the AccountManager. Normally used by sign-up wizards associated with authenticators, not directly by applications.
and
This method requires the caller to have a signature match with the authenticator that owns the specified account.
When your app calls AccountManager.addAccount, you are asking the authenticator along with its associated activities to add an entry to the accounts on the device. The AccountManager invokes the authenticator to handle this request. Once the authenticator/activity has authenticated the user, it will then call addAccountExplicitly to complete the task it was requested. Makes sense.
Keep in mind here that the activity calling the AccountManager and the authenticator/activity are in separate processes.
Take a look at the verbiage again: "Normally used ... not directly by applications".
It sounds like Google allows some leeway about whether app components other than the authenticator can call addAccountExplicitly and says that as long as there's a signature match, the component can call the method.
What I think Samsung has done with recent releases to tighten security is to apply the signature only to the process with the authenticator component and not to the process with the application activities.
The reason for my conclusion is that our app is calling addAccountExplicitly both in the authenticator activity and in a non-authenticator activity (i.e. "LoginActivity") depending on the app startup flow; we are receiving crash reports like yours only from the non-authenticator activity. I've since reworked the app to only call addAccountExplicitly from the authenticator activity.
Your application should always ask AccountManager to use your authenticator to add accounts using addAccount and defer to the authenticator to call addAccountExplicitly.
For further info, see my answer to a general question about AccountManager: https://stackoverflow.com/a/37348909/4504191
P.S. Because of my incomplete knowledge of things like services, binding, IPC in Android, use of process boundaries, etc. I'm probably not explaining the signature matching accurately. Feel free to edit or suggest edits in the comments. Every day I learn something new about this technology.
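The flow recommended in the answer above, as an added Kotlin example that is not the poster's code: the application activity asks AccountManager.addAccount, and only the authenticator's own activity calls addAccountExplicitly. SignInActivity, LoginActivity and onUserAuthenticated are hypothetical names, the account type is the one from the crash report, and the app's AbstractAccountAuthenticator.addAccount is assumed to return a KEY_INTENT that launches SignInActivity.

```kotlin
// Added example, not code from the question or the answer.
// Assumed (hypothetical): SignInActivity, LoginActivity, onUserAuthenticated, and that the
// app's AbstractAccountAuthenticator.addAccount() returns a KEY_INTENT for SignInActivity.
import android.accounts.Account
import android.accounts.AccountAuthenticatorActivity
import android.accounts.AccountManager
import android.accounts.AuthenticatorException
import android.accounts.OperationCanceledException
import android.app.Activity
import android.os.Bundle
import android.util.Log
import java.io.IOException

const val ACCOUNT_TYPE = "com.mypackage.account" // account type shown in the crash report

// Authenticator side: started by the AccountManager through the authenticator's KEY_INTENT.
class SignInActivity : AccountAuthenticatorActivity() {
    // Call once the user has been authenticated (the authentication step is app-specific).
    fun onUserAuthenticated(userName: String) {
        val account = Account(userName, ACCOUNT_TYPE)
        if (AccountManager.get(this).addAccountExplicitly(account, null, null)) {
            // Report the new account back to whoever called addAccount().
            setAccountAuthenticatorResult(Bundle().apply {
                putString(AccountManager.KEY_ACCOUNT_NAME, account.name)
                putString(AccountManager.KEY_ACCOUNT_TYPE, account.type)
            })
        }
        finish() // with no result set, the caller's future reports a cancellation
    }
}

// Application side: never calls addAccountExplicitly(); it asks the AccountManager instead.
class LoginActivity : Activity() {
    fun requestAccount() {
        AccountManager.get(this).addAccount(ACCOUNT_TYPE, null, null, null, this, { future ->
            try {
                val added = future.result.containsKey(AccountManager.KEY_ACCOUNT_NAME)
                Log.i("LoginActivity", "addAccount finished, account added: $added")
            } catch (e: OperationCanceledException) {
                Log.i("LoginActivity", "sign-in was cancelled")
            } catch (e: AuthenticatorException) {
                Log.w("LoginActivity", "authenticator reported an error", e)
            } catch (e: IOException) {
                Log.w("LoginActivity", "I/O error while adding the account", e)
            }
        }, null)
    }
}
```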