Android TV devices are getting an update to resolve a privacy issue related to Gmail. Basically, anyone with physical access to your Android TV could gain control of your Gmail account. That opens the door to further risks, such as requesting password resets on other services.
Android TV is not a different OS from the Android that we know on phones and tablets. Rather, it is Android with a “launcher” that adapts the UI to TV screens for more comfortable navigation. However, the core is still Android. You can find it either preinstalled on certain TVs or on TV sticks/boxes. Regarding the latter, devices like Chromecast with Google TV or NVIDIA Shield TV are among the most popular.
Android TV doesn’t offer all Android locking methods
Android TV keeps behaviors and capabilities inherited from the phone version. First, it allows you to install APKs from outside the Play Store. Additionally, once you log in with your Google account, all Google apps get access to that login. That is, once you sign in to your Android TV with your Google account, any of the company’s apps or services only needs to be installed to have access to all your content. It will not ask you to enter the email and password again for each app.
This behavior is normal and convenient on mobile devices. After all, you always carry your phone with you, and it offers multiple locking methods. Android TV devices, on the other hand, usually stay in one place, and they do not offer all the locking systems available on smartphones.
The closest thing you will find on Android TV is the “restricted profile” option. This lets you put certain specific apps behind a PIN. But, as Google indicates on its support page, it only works on “third-party apps that don’t use Google sign-in”. So you won’t be able to block access to either Google apps or third-party apps that use your Google credentials.
This is how attackers could access your Gmail account from your Android TV
Now, you should have an idea of the security problem. The potential attacker needs to have physical access to your Android TV device. If you logged in with your Google account on that Android TV, the attacker will have access to the data of all your Google apps. That includes Gmail, which is pretty dangerous. With access to Gmail, the attacker can request password changes from other services. Only those where you have set up a 2FA system will be safe.
Android TV makes installing APKs from outside the Play Store a little more complicated than Android phones do. However, it is still not a difficult process: simply unlock the developer options, and you can enable it from there.
The installation of external APKs is necessary for the attacker as Gmail does not have an app for Android TV. Since there are web browsers for Android TV, the attacker could simply download the Gmail APK from some website.
After downloading and installing it, the attacker will be able to directly access your emails without needing credentials. Since it is not adapted to Android TV, the Gmail app will need a keyboard and mouse to navigate through it. However, that will be the only obstacle they will face.
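A defender-side check that follows from the above: the package manager records which installer put each app on the device, so a Google app that did not come from the Play Store is exactly the pattern described here. The script below is an added example, not code from the article or from Google; it parses the output format of `adb shell pm list packages -i` (the sample output is constructed, not captured from a real device) and flags packages whose installer is not `com.android.vending`.

```shell
#!/bin/sh
# Constructed sample of `adb shell pm list packages -i` output from an Android TV box.
# Play Store installs report installer=com.android.vending; a sideloaded package shows
# "null" or the package name of the browser/file manager that handed the APK to the installer.
SAMPLE_PM_OUTPUT='package:com.google.android.youtube.tv  installer=com.android.vending
package:com.google.android.gm  installer=null
package:com.netflix.ninja  installer=com.android.vending
package:org.example.sideloaded  installer=com.android.chrome'

# Print every package whose installer is not the Play Store, one per line: "<package> <installer>".
flag_sideloaded() {
    printf '%s\n' "$1" | awk '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = $2; sub(/^installer=/, "", inst)
            if (inst != "com.android.vending") print pkg, inst
        }'
}

# Narrow the list to Google-owned packages (com.google.*). These inherit the device
# account sign-in without a password prompt, so a sideloaded one matters most.
flag_sideloaded_google() {
    flag_sideloaded "$1" | awk '$1 ~ /^com\.google\./'
}

echo "== all non-Play-Store packages =="
flag_sideloaded "$SAMPLE_PM_OUTPUT"
echo "== Google packages not installed from the Play Store =="
flag_sideloaded_google "$SAMPLE_PM_OUTPUT"
```

On a real device, replace the constructed sample with `adb shell pm list packages -i` and treat a hit as an indicator to investigate rather than proof, since the recorded installer name can be set at install time.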
The fix is already rolling out
In a statement to 404 Media, a Google spokesperson said “Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of the devices.” For your part, you can manually check that your device is updated to the latest software available. Also, common sense is your best ally to avoid unsafe practices, such as logging in with your Google account on third-party Android TV devices.
PSA: Do not sign into your personal Google Account on any Android TV device you don't own! https://t.co/l0FScUVT4M
— Mishaal Rahman (@MishaalRahman) April 25, 2024