Catch-22: When Raccoon suddenly stops working…

Back in the v3 days, I used to have this idiot discussion about handling passwords every other week. Some weisenheimer would notice that Raccoon only prompts for a password during setup, then dig through the config file, only to find the password stored there in plain text. Five minutes later, an angry email would hit my inbox, explaining to me that passwords are sensitive information and therefore must be encrypted before storing them on disk.

“Eh, why? Do you feel a need to run malware on your PC? Did it occur to you that Raccoon needs the unencrypted password in order to authenticate to Play and that if one process (Raccoon) can decrypt the password file, then every other process, running in the same user context (the malware you are so fond of installing), will be able to do so as well?”

With Raccoon v4, I finally caved. Not worth having that discussion over and over again. Communication with Google Play is stateless anyway and sessions work exactly like on the web: you log in with your credentials once, then get an auth cookie which you have to present in every subsequent request. So instead of saving the password, Raccoon v4 now only persists the cookie.

As far as security goes, this is not a big improvement. Anyone who gets hold of the cookie is you, so you still can’t safely run malware on your computer (but you shouldn’t do that anyway – there really is no benefit to it at all). But hey, out of sight, out of mind, right? At least I don’t get these emails anymore, do I? Well, kinda. I now get worse.

The downside of the new method is that the auth cookie may get invalidated for a variety of (not always obvious) reasons. When that happens, Raccoon will be unable to communicate with Play (you simply get no search results and can’t download anything). For your Android phone, that’s no problem, by the way. It stores both the cookie and your password. When the cookie gets invalidated, the device will simply re-authenticate (it’s ok there, the garden-variety weisenheimer doesn’t know where to look on Android).

So, to cut it short: if Raccoon suddenly stops showing search results, then (despite being told not to) you probably used your primary Google account with the application and somehow invalidated your auth cookie. In that case, run the setup wizard again to get a new cookie.
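As an added sketch (not Raccoon's code) of the handling described in this post: persist only the cookie, keep the file closed to other OS users since encryption would not stop a same-user process anyway, and turn a rejected cookie into a "run setup again" signal. The file layout, the `send` callback and the 401/403 rejection codes are assumptions made for the example.

```python
import json
import os
import stat
import tempfile


class SessionInvalid(Exception):
    """The stored cookie is missing, unsafe or rejected: run setup again."""


def save_cookie(path, cookie):
    # Write to a temp file that is 0600 before any data lands in it, then
    # rename it into place so readers never see a half-written file.
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also covers a leftover temp file with a wider mode
    with os.fdopen(fd, "w") as fh:
        json.dump({"cookie": cookie}, fh)
    os.replace(tmp, path)


def load_cookie(path):
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        raise SessionInvalid("no stored cookie") from None
    # Anyone who can read this file is you, so refuse group/world access.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SessionInvalid("cookie file is accessible to other users")
    with open(path) as fh:
        return json.load(fh)["cookie"]


def request(path, send):
    # send(cookie) -> (status, body) is a hypothetical transport callback.
    status, body = send(load_cookie(path))
    if status in (401, 403):  # assumed rejection signal, not taken from Play
        os.remove(path)  # a dead cookie is worthless, do not keep it around
        raise SessionInvalid("cookie rejected, run the setup wizard again")
    return body


if __name__ == "__main__":
    store = os.path.join(tempfile.mkdtemp(), "session.json")
    save_cookie(store, "constructed-cookie-value")  # constructed sample value
    print(request(store, lambda c: (200, "search results")))
    try:
        request(store, lambda c: (401, ""))
    except SessionInvalid as exc:
        print("setup needed:", exc)
```

The permission check only keeps other OS accounts out; a process running as the same user can still read the file, which is the point the post makes about encryption.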
