Home/ Questions/Q 8916655
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T05:17:43+00:00

I’m developing a client-server application and want to offer single sign on for the

  • 0

I’m developing a client-server application and want to offer single sign on for the user where they can sign in with Google. I’m planning to do this by getting an access token on the phone using the AccountManager and then sending this token to the server to verify the token and log in the user.

When I call the method getAuthToken in the AccountManager a dialog is shown where the user has to allow this, however Chrome on Android allows you to log in and synchronize your browser data with your Google account without this dialog being shown. So Chrome seems to be able to get hold of an access token without any dialog being shown to the user and it would be very nice if I could do the same with my app.

When looking at the source code for Android and the implementation of getAuthToken it seems like access is granted automatically if the application is a preinstalled application or if the applications UID is the same as the UID of the authenticator (of the Google account).

Neither my app nor Chrome is preinstalled so that check is false in both cases. My app can of course not share the UID with the Google account authenticator and I assume that there is a possibility that Chrome could share the UID with the authenticator since Google created both of them. If that’s the case then it would explain why Chrome doesn’t show any dialog.

Is there some other way of not having this dialog being shown to the user when requesting an access token that I might be missing?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No, it’s not possible

    After reading the Android source code a bit more carefully I see that the method hasAuthenticatorUid() returns true not only if the UID is the same, but also if the application is signed with the same signature as authenticator is signed with.

    To verify that this is the case with Chrome I have used the android-apktool on the Chrome apk file to be able to take a look at the manifest.xml for Chrome. There I could see that Chrome doesn’t use a shared UID with the authenticator.

    After that I re-signed the Chrome apk with my own debug key and installed that apk on my phone. When I did this and tried to log in to Chrome I got several “Permission request” dialogs.

    Because of this it’s obvious that Chrome and the authenticator is signed with the same key and that’s how Chrome can get permissions automatically that other third party apps can not get.

    So it is not possible for a third party app to get hold of a token for a Google account without showing a dialog to the user asking for permission and it is after all a really good thing. I wouldn’t want any random app on my phone to be able to get access tokens to my account without my knowledge.

    • 0