TL;DR
- Android TV stores Google account login without any security measures, which can be ordinarily abused with browser apps to log into Google services.
- Google mentions that it has fixed the loophole on newer devices running the latest Google TV and is fixing it for other older devices.
If you own a smart TV or a smart TV stick at home, there’s a good chance it runs Android TV or Google TV (which is still Android TV under the hood with a content recommendation layer on top). If it does, you shouldn’t be leaving people unsupervised around the TV, as a rather glaring Android TV loophole allows anyone to view all your Google account data and even compromise your account if you’ve signed into Android TV.
YouTuber Cameron Gray spotted this loophole earlier in the year, and 404 Media brought it back to the limelight with their report. According to these findings, Android TV’s lack of security protection makes it the perfect device to snoop into any signed-in email addresses. You do need physical access to the TV, and a mouse and keyboard would make the process easier, but it’s still quite possible for a bad actor to take undue advantage of this loophole to compromise Google accounts present on the TV.
Essentially, when you sign into an Android TV with your Google account, it stores the login to let you sign into other apps on the TV. This is standard Android behavior that we see on phones, but phones have security measures like PIN and biometric unlock, while TVs have none. That login access on Android TV ordinarily remains limited to the apps you can install from the Google Play Store on Android TV, and the TV Play Store does not display several apps like Gmail, Google Chrome, other browsers, and more.
However, if you can sideload Chrome onto Android TV (which is quite easy if you know what you are doing), you can navigate to web versions of Gmail or any other Google services via Chrome and automatically sign in. No password is needed to sign in, and no PIN or biometrics are required to confirm your identity as the TV’s owner. Once signed in, you can read emails and even move forward with resetting and taking over the signed-in account.
Google initially mentioned that this is expected behavior, which is accurate. However, that does not take away from the fact that it is a security oversight. More recently, though, Google has changed its position, mentioning that it has “fixed” the issue on newer Google TV devices and is in the process of fixing it on the rest.
Here’s the statement that Google provided to 404 Media:
We are constantly working to improve our protections to help keep Google TV and Android TV OS users safe. We are aware of this potential scenario where bad actors who have obtained physical access to a TV device can manually override the default settings to sideload Google apps normally restricted on a TV and access Google services on the signed-in account. Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of devices. As a best security practice, we always advise users to update their devices to the latest software.
We’ve reached out to Google to learn more about the fix for this security loophole.
Considering the gravity of this loophole’s risks, we recommend not signing into any important Google accounts on Android TV devices. I’ve always used a dummy TV account for my smart TVs since it helps keep my recommendation feeds and viewing history clean and separate from my family. Now, there’s even more reason to use dummy accounts. And if you sign into your Google account on shared TV devices outside of your home, like in hotels and Airbnb, that was already a bad idea to begin with, so you should stop doing that immediately anyway.
