iOS auto-signing me into Google!

Discussion in 'iOS 12' started by MacBH928, May 8, 2019.

  1. MacBH928 macrumors 68040

    MacBH928

    Joined:
    May 17, 2008
    #1
    I do not understand how this happens. I downloaded YouTube app on my iPad and I don't have 1 Google app on it. I launched the application and it auto-logged me in!! I don't understand how this works because my account has 2FA on it.

    I do not use Keychain Access and I do not sync it over iCloud, and I am not signed in via Safari. I searched my keychain on my Mac and there is nothing Google in it. I checked my "Password&Accounts" and it has nothing other than iCloud, I also have autofill disabled. Where and how is it storing my username/password for Google?

    Note: I am logged in via the app on my iPhone which uses the same iCloud account, but I thought the two would act as separate devices.

    Edit: I just tried Gmail and it too knew who I was!
     
  2. liftedpsd2010 macrumors regular

    Joined:
    Sep 13, 2017
    #2
    What’s your email and password I’ll try it out on my phone. Jk lol

    It’s gotta be something you’ve inputed prior.
     
  3. MacBH928 thread starter macrumors 68040

    MacBH928

    Joined:
    May 17, 2008
    #3
    ok fine, but where is it stored?! Not in the keychain and I don't have an app where I am logged in prior. The irony is that I have multiple Google accounts and it knew to log me in via the one I use for YouTube!
     
  4. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #4
    Apps from the same developer can share keychain data in iOS. https://evgenii.com/blog/sharing-keychain-in-ios/
     
  5. gwang73 macrumors 6502a

    gwang73

    Joined:
    Jun 14, 2009
    Location:
    San Francisco Area
    #5
    This. Microsoft does the same and the login is shared among MS apps. Log into 1 MS app and you don't need to log into other MS apps.
     
  6. NoBoMac macrumors 68020

    Joined:
    Jul 1, 2014
    #6
    If you have signed into something that uses Google authentication via Safari (or any app that asks for Google ID), once authorized, a Safari cookie gets set with OAuth key authenticating you going forward. Any service using Google for authentication will see the cookie as the Google ID prompt is really just an embedded Safari session showing the Google page.
     
  7. jtara macrumors 68000

    Joined:
    Mar 23, 2009
    #7
  8. MacBH928 thread starter macrumors 68040

    MacBH928

    Joined:
    May 17, 2008
    #8
    Well, how do I stop it? I don't want apps randomly logging in and out on all my devices. I understand on OSX you can go into keychain and edit it, but how do you do it on iOS?
     
  9. gwang73 macrumors 6502a

    gwang73

    Joined:
    Jun 14, 2009
    Location:
    San Francisco Area
    #9
    I'm pretty sure you can't because it's linked at the app level.
     
  10. NoBoMac, May 10, 2019
    Last edited: May 10, 2019

    NoBoMac macrumors 68020

    Joined:
    Jul 1, 2014
    #10
    ADD: What might also be happening is that if using OAuth (which guessing is happening as Google is a big proponent/developer of it), the access tokens (NOT user id or password) are saved to Keychain. Sign in to one thing (like Gmail via Mail app), token saved.

    BUT, it's not the iCloud Keychain where it is saved, but a "hidden" chunk of Keychain, where any Google app can access. To quote Apple's developer docs:

    So, will not show in saved passwords in Settings.

    But as others mentioned, no settings. Guessing would need to sign out of anything signed into Google to wipe, including deleting Gmail account from Mail (edit: or change Google password and then never sign into anything Google, as that will invalidate all tokens).

    ADD2: go to page 20 in following, gets deep into how Keychain is used in iOS and how it's protected (read: unless have resources of 3-letter gov organization, good luck).

    https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
     
  11. jtara macrumors 68000

    Joined:
    Mar 23, 2009
    #11
  12. MacBH928 thread starter macrumors 68040

    MacBH928

    Joined:
    May 17, 2008
    #12
    well, if I authorized it I should have the ability to revoke it too. I like the older method where you can save your credentials in the settings for Facebook and Twitter, not this invisible way.

    Anyhow, I dug deep in the YouTube menus and found an option to remove the account info from the device. Problem solved.

    Apple should not store anything hidden within the system, I should be able to log in and out whenever I want and see it and edit it. No auto save, auto log in ,hidden in the OS without the ability to remove it.
     
  13. posguy99 macrumors 6502a

    Joined:
    Nov 3, 2004
    #13
    Pointing out, *again*, that the YouTube app is not created, produced, maintained, or supported by Apple, and what it does, you need to take up with Google.
     

Share This Page

12 May 8, 2019