Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

iOS auto-signing me into Google!

MacBH928

MacBH928

macrumors G3
Original poster
May 17, 2008
8,910
4,021
I do not understand how this happens. I downloaded YouTube app on my iPad and I don't have 1 Google app on it. I launched the application and it auto-logged me in!! I don't understand how this works because my account has 2FA on it.

I do not use Keychain Access and I do not sync it over iCloud, and I am not signed in via Safari. I searched my keychain on my Mac and there is nothing Google in it. I checked my "Password&Accounts" and it has nothing other than iCloud, I also have autofill disabled. Where and how is it storing my username/password for Google?

Note: I am logged in via the app on my iPhone which uses the same iCloud account, but I thought the two would act as separate devices.

Edit: I just tried Gmail and it too knew who I was!
 
What’s your email and password I’ll try it out on my phone. Jk lol

It’s gotta be something you’ve inputed prior.
 
liftedpsd2010 said:
What’s your email and password I’ll try it out on my phone. Jk lol

It’s gotta be something you’ve inputed prior.
Click to expand...

ok fine, but where is it stored?! Not in the keychain and I don't have an app where I am logged in prior. The irony is that I have multiple Google accounts and it knew to log me in via the one I use for YouTube!
 
If you have signed into something that uses Google authentication via Safari (or any app that asks for Google ID), once authorized, a Safari cookie gets set with OAuth key authenticating you going forward. Any service using Google for authentication will see the cookie as the Google ID prompt is really just an embedded Safari session showing the Google page.
 
MacBH928 said:
Well, how do I stop it? I don't want apps randomly logging in and out on all my devices. I understand on OSX you can go into keychain and edit it, but how do you do it on iOS?
Click to expand...

I'm pretty sure you can't because it's linked at the app level.
 
ADD: What might also be happening is that if using OAuth (which guessing is happening as Google is a big proponent/developer of it), the access tokens (NOT user id or password) are saved to Keychain. Sign in to one thing (like Gmail via Mail app), token saved.

BUT, it's not the iCloud Keychain where it is saved, but a "hidden" chunk of Keychain, where any Google app can access. To quote Apple's developer docs:

In iOS, apps have access to a single keychain (which logically encompasses the iCloud keychain). This keychain is automatically unlocked when the user unlocks the device and then locked when the device is locked. An app can access only its own keychain items, or those shared with a group to which the app belongs.
Click to expand...

So, will not show in saved passwords in Settings.

But as others mentioned, no settings. Guessing would need to sign out of anything signed into Google to wipe, including deleting Gmail account from Mail (edit: or change Google password and then never sign into anything Google, as that will invalidate all tokens).

ADD2: go to page 20 in following, gets deep into how Keychain is used in iOS and how it's protected (read: unless have resources of 3-letter gov organization, good luck).

https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
 
Last edited:
NoBoMac said:
ADD: What might also be happening is that if using OAuth (which guessing is happening as Google is a big proponent/developer of it), the access tokens (NOT user id or password) are saved to Keychain. Sign in to one thing (like Gmail via Mail app), token saved.

BUT, it's not the iCloud Keychain where it is saved, but a "hidden" chunk of Keychain, where any Google app can access. To quote Apple's developer docs:



So, will not show in saved passwords in Settings.

But as others mentioned, no settings. Guessing would need to sign out of anything signed into Google to wipe, including deleting Gmail account from Mail (edit: or change Google password and then never sign into anything Google, as that will invalidate all tokens).

ADD2: go to page 20 in following, gets deep into how Keychain is used in iOS and how it's protected (read: unless have resources of 3-letter gov organization, good luck).

https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
Click to expand...

jtara said:
Websites can't access the keychain. (Only the USER can... YOU can save passwords in the keychain from the browser, but the website itself can't...) They are using Universal Links Shared Web Credentials.

https://developer.apple.com/ios/universal-links/

https://developer.apple.com/documentation/security/shared_web_credentials

You must have approved this at some point. It requires user approval.
Click to expand...

well, if I authorized it I should have the ability to revoke it too. I like the older method where you can save your credentials in the settings for Facebook and Twitter, not this invisible way.

Anyhow, I dug deep in the YouTube menus and found an option to remove the account info from the device. Problem solved.

Apple should not store anything hidden within the system, I should be able to log in and out whenever I want and see it and edit it. No auto save, auto log in ,hidden in the OS without the ability to remove it.
 
MacBH928 said:
Anyhow, I dug deep in the YouTube menus and found an option to remove the account info from the device. Problem solved.

Apple should not store anything hidden within the system, I should be able to log in and out whenever I want and see it and edit it. No auto save, auto log in ,hidden in the OS without the ability to remove it.
Click to expand...

Pointing out, *again*, that the YouTube app is not created, produced, maintained, or supported by Apple, and what it does, you need to take up with Google.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back