



A loophole in the Android TV OS left a backdoor open that let people using the TV access things like the TV owner's Gmail inbox. Google has published a fix, and the company has now revealed what the fix is. I checked to see if it was there.

The Android TV OS, like Android on your phone, signs you into your Google Account at the system level. This allows certain apps, such as Google Chrome, to sign in to that Google Account without requiring a password. This is by design and is not normally a problem, since smartphones and tablets usually have a PIN, password, or biometric lock that protects the apps on the device.

However, that protection does not apply to Android TV or Google TV.

As first noted earlier this year, and then reported this week, a malicious attacker could theoretically sideload Google Chrome onto an Android TV OS device and use it to access the TV owner's Google Account. It was emphasized that this is less of a security exploit and more of a loophole that isn't too difficult to pull off if you know how to access the APK and sideload the app.

Google previously confirmed in a statement to 404 Media that a fix to resolve the issue would be rolled out to Google TV and Android TV, but did not provide details on what the fix would be.

Most Google TV devices running the latest versions of the software no longer allow this behavior. We are currently rolling out the fix to the remaining devices.

In an interview with 9to5Google, the company provided a little more context.

Now, on Google TV and Android TV, sideloading Google Chrome will no longer automatically use your Google Account login token when accessing Gmail or Google Drive on your device.

Therefore, while it may not prevent all access to your account through an unlocked TV, it should be very effective in preventing access to your account's most sensitive data.

Google added (after publishing this post) that the update will be rolled out through an app update, so the changes will also apply to older devices.

