According to Craig Young, Android Apps can access all of your Google accounts with 1 click. Google uses a token system which is generated when a user logs in to a app with a google account, Craig Young found out that if he then gets this token and paste it into a web session it will allow him to access all of the Google accounts that particular account is currently signed up to (Gmail, Google drive, Google Wallet, Youtube, Adsense etc.).
This flaw was demonstrated at Def Con 21 where Young developed a app that would display Stock from Google finance, to access the app you had to use your login credentials, which of he then used a token to show the audience how he obtained the login credentials.
This is not the first big Android security flaw that we’ve seen, several weeks back a “unremovable” trojan was found on Google’s mobile OS.
No official statement has been made by Google, as of now we don’t know when this security flaw will be fixed.
Source: TheRegister
