5

Is it possible/ permissible in Android SDK to get UserId and password of installed application (if it has a login)? I need installed application info like Application name, package name, installed date and was wondering if getting login name and password is feasible and allowed by Android.

This question helps to get the required username but this is application-specific. What I want is a generalised solution like if the installed application has a login (username and password) for example Facebook or Gmail or twitter, only then it should return the values.

The same I want to use in iPhone application. Please suggest your perspective on iOS too. I want to clearly mention that I am not sure if this is allowed in Android and iOS.

Also, can AccountManager help me in Android?

halfer
  • 19,824
  • 17
  • 99
  • 186
Nitish
  • 13,845
  • 28
  • 135
  • 263
  • 10
    Maybe I don't understand what you're asking but I don't see how do you expect an app to blindly provide its own login credential to a third party app. – user Nov 19 '13 at 09:50
  • 4
    Supposing that it were in fact possible for an app to easily get the credentials used by another app, this would be an egregious security hole. It would then be trivial to write a Trojan that, once installed on a user's device, would harvest all credentials from other "interesting" apps (think banking, e-mail, etc.) and send them back to a centralized server. The malicious app author could then trivially log into those user accounts. Now, clearly you'd have a hard time getting this theoretical app past Apple's review process, but on Android it's another story. – Brian Rogers Nov 24 '13 at 00:03
  • 1
    Let me know if you are able to get username/password of other apps, i might have to update my apps to restrict this then. :) – Aditya Nov 26 '13 at 08:56

3 Answers3

10

Usernames and passwords

iOS

It is somewhat unclear, but I assume that you are talking about getting OTHER installed apps' login information since I don't see why you would need a generalized way of getting your own app's information.

As for the iOS part, this is not doable. Most apps stores passwords in the keychain (like Apple suggests), and there is no way to share a keychain access group with other apps (except if the apps share the same Bundle seed ID, but that is not the case here). The Apple Keychain Services Concepts clearly states that

The iOS gives an application access to only its own keychain items. The keychain access controls discussed in this section do not apply to iOS.

Android

I strongly doubt there is a way on Android, but I will leave that for a more experienced Android developer to answer.

EDIT: Since you have not received any other answers I will go ahead and say what I think regarding the Android part as well. Generally speaking, Android does not provide a way of storing credentials the same way as iOS does it. Instead, there are multiple ways of doing it. On their Security Tips site, they state that where possible, username and password should not be stored on the device. Gmail, for example, does not (perhaps unreliable source). If you do store them on there, it also says that

By default, files that you create on internal storage are accessible only to your app.

App detection

When it comes to detecting apps there are two ways to go about it (this is for iOS):

  • Checking if a specific URL scheme is supported by the device (and thus the app is installed). This can be done with canOpenUrl:
  • Comparing the device's currently running processes to known app executable names. This is done with sysctl(). This is a neat way of doing it: UIDevice Category For Processes

For Android, check out this example: How to Get List of Installed Apps in Android.

Conclusion

By design, there is no way to get usernames and passwords in either iOS or Android. There are ways of getting a list of most apps installed on an iPhone. This should also be possible on Android, I provided a link that describes one way of doing it.

Community
  • 1
  • 1
Daniel Larsson
  • 6,278
  • 5
  • 44
  • 82
  • Yes Daniel, I am talking about other installed applications. Thanks for sharing the info. I have seen one framework, [iHasApp](http://www.ihasapp.com) which provides installed application info and it has few applications on appStore as well. I was trying to run it on simulator, but I realised it runs only on device. Do you know such other frameworks which can be of help here and which I can test on simulator ;) – Nitish Nov 17 '13 at 14:08
  • I looked at the link in the comment, that is an open source framework anyone can use. Does it just use the tow techniques you mention? I can't imagine anything else it could do... – David H Nov 19 '13 at 12:20
  • Not sure what your question is, David. The link that I provided shows a way of getting the running processes on an iOS device, which is a part of the solution to the question Nitish asked in the comment above. – Daniel Larsson Nov 19 '13 at 12:36
  • 1
    "By default, files that you create on internal storage are accessible only to your app." given enough privileges, aka firmware signing or being a system app, the app could use some shady methods to access other apps data; e.g remounting the /system folder with different permissions. – Neron T Nov 26 '13 at 07:27
4

You may want to consider OAuth as the vehicle to ultimately accomplish what you are trying to do. All three examples you mention support this:

https://developers.facebook.com/docs/reference/dialogs/oauth/

https://dev.twitter.com/docs/auth/oauth/faq

https://developers.google.com/accounts/docs/OAuth2

Sam Nunnally
  • 2,291
  • 2
  • 19
  • 30
3

Technically speaking, in Android, you cannot find the credentials used for an application until they are stored in some shared location (which leaves a big security hole, so is not done!).

You can find Information like, package name, application name, installation time etc.. using PackageManager. Please refer below code snippet.

    PackageManager pm = getPackageManager();
    List<ApplicationInfo> packages = pm
            .getInstalledApplications(PackageManager.GET_META_DATA);

    for (ApplicationInfo packageInfo : packages) {
        // returns the package name
         packageInfo.packageName;
         // returns the application name
        pm.getApplicationLabel(packageInfo).toString();
        // returns the last installation time
        pm.getPackageInfo(packageInfo.packageName, 0).firstInstallTime;

    }
Kaps
  • 2,345
  • 2
  • 26
  • 37