Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Android Central
Android Central
Technology
Jay Bonggolto

A glaring Android TV security flaw might put your Gmail at risk

YouTube and Netflix apps on Android TV screen.

Update (April 27, 11:00 am ET): Google provided more context on the fix that it's rolling out.

What you need to know

  • A loophole in Android TV could allow unauthorized access to Gmail and other linked services if someone gains physical access to the device.
  • Through an Android TV box, individuals can potentially hack into the Google account of the last user, compromising Gmail and Google Drive.
  • Initially, Google implied the behavior was expected, but later acknowledged the security flaw and claimed to have fixed it on newer Google TV devices.

A security loophole in Android TV could allow anyone to snoop on your Gmail and other linked services if they get their hands on your device, according to 404 Media.

As per a video posted on YouTube by Cameron Gray earlier this year, if someone gets their hands on an Android TV box, they can pretty much hack into the Google account of whoever last logged in, including their Gmail and Google Drive (via Mishaal Rahman).

If Google Chrome spots a Google account on the device it's installed on, it automatically signs you in to any Google services you visit. Now, since Android TV is basically Android in essence, it treats the owner's Google account sign-in like it's permanent, so they automatically get logged in to approved apps from the Play Store.

Even though Google doesn't officially let you install Chrome on Android TV, you can still sideload it to sneak it on there. And once it's on, you've got access to Gmail, Drive, and all the other services, as demonstrated by the video.

In the video, Gray installs a third-party web browser called "TV Bro" that you can grab from the Play Store for Android TV. He uses it to dig up an APK for Chrome from some online archive and installs it without any trouble. But the app doesn't play nice with TV remotes, so you will need a keyboard and mouse.

Once Chrome is up and running, it's as easy as pie to hop over to Gmail's website and you're in—no password needed, no PIN, or biometrics required to prove you're the TV's owner.

Based on what Gray found, Android TV's weak security makes it a prime target for peeking into signed-in email accounts. If you're only using Android TV at home, you're probably in the clear. But if you're logging into Android TV from some device outside your crib, that's when you're asking for trouble.

Google's initial stance suggested that's how this is supposed to work, which technically is true. But it's still a big security goof. Recently, Google said it fixed the problem on newer Google TV devices.

The search giant told 404 Media that most of its Google TV devices with the latest software updates no longer allow this shady behavior to happen anymore. But for the rest of the devices, Google is working on pushing out a fix soon.

Android Central reached out to Google for clarification on how exactly it plans to resolve the issue, and we'll update this article once we hear back.

Update

In a statement to 9to5Google, the company clarified that from now on, when you sideload Chrome on Google TV and Android TV, it won't automatically use the login token for your Google account when you're trying to access Gmail or Google Drive on the device.

Additionally, the fix is coming through an app update, so even older devices will get the patch.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.