*Poof* your GMail has been disabled

Read in the voice of Gandalf, quoting the engravings of the ring to Frodo:

One Google Account for everything Google

So it is written on their sign-up page. And an alluring promise it is. The song of praise for the convenience it brings is sung near and far by the flock.

Why am I writing this? Well, I’m occasionally in need of a fresh burner account when working on the Raccoon apk downloader. And also occasionally, Google asks for a telephone number when you try to sign up for a new Google Account. Major nuisance! Clear your cookies, reset your router, there is no way to bypass phone verification, save waiting a couple of days. The thing just hits randomly and stays for a while. My guess is that big G just counts the number of accounts created from a single IP address and if that count exceeds a certain threshold, the whole subnet is required to jump through the extra hoop. That certainly keeps spammers from creating accounts in bulk, but it also costs them new users who can’t or don’t want to leave a phone number. Hence, the requirement is lifted again after a certain amount of time.

Curious observation: phone shops often have some Android devices on display and the clerks usually don’t bother with setting up an account on them. Ironically, you are not bothered with a phone verification there. Probably because all the device manufacturers would be pretty pissed at Google if customers returned their purchases in droves because signing up is difficult (think “tablets” here).

Idea: Instead of signing up via web browser, let’s “just” mimic an Android device and create accounts with it (not that I don’t have some experience there). However, that’s easier said than done. You wouldn’t believe the amount of sensitive information your phone already ships to Google upon setup, if I told you. Well, I’m telling you anyway. Among others:

  • Your Android ID (a 16-character hex string, randomly chosen by your device when it first powers up).
  • SDK version (what Android version you are running).
  • Device and operator country
  • Language settings
  • All of the data you enter, of course (first name, last name,…)
  • A dozen obscure state flags, half of them about accepting various terms of services.

Get something wrong there and you’ll find that your fresh burner account actually burns within minutes! And that’s a very interesting thing indeed. I had some that were instantly disabled. Others were disabled just after I logged in and got coerced into providing recovery information. Some survived long enough to actually display the account settings page and a few kept working. This kinda suggests that Google accounts are under constant scrutiny. If you manage to get in, it doesn’t mean that you’ll stay in. Do something stupid and Google’s ever smiling “welcome” face turns into a stern visage, telling you:

  • You did something stupid (heavens beware telling you what it was)
  • You agreed to the terms of service and therefore acknowledged that Google is not required to give you service and may terminate your account any time for any reason.
  • You can appeal through some web form and a (highly trained) intern will look at your case, roll a die and maybe reinstate your account (or not).

The one thing that will not happen is you actually being able to talk to someone for the purpose of appealing and being told what not to do in the future.

Of course, some people might argue here: “Well, don’t register throwaway accounts, duh!”, to which I would reply “yeah, did you actually read the part about doing something stupid and its consequences?”, which finally brings me to the point of today’s blog post: given that you have no guarantees that your account will stay active for as long as you’d like to keep it, do you really think it’s a good idea to put all of your eggs into one basket?

Imagine you have carelessly stepped into the Google ecosystem and used every one of their services to the fullest. One day, you do something stupid (like catching a virus which keenly uses your mail account as a spam relay, or moving money around in Wallet in a way that looks like laundering). And then everything stops working. You can no longer access your emails, buy apps, your assets are frozen, and so on. All of this entirely legal, because it is in the contract you accepted when signing up. Still think throwaway accounts are such a bad idea?

Posted in Security