TL;DR: An Android TV security oversight left emails and other data exposed on TVs with a signed-in Google account if Google Chrome was sideloaded.

Google has fixed the issue by no longer using the login token of the Google account when Chrome is sideloaded.

The change will improve security for many users, though you should still maintain basic security hygiene on shared devices.

Android TV devices, even those running the Google TV layer on top, have a security oversight that exposes practically all of your Google account data if someone has access to your TV with a signed-in Google account. It’s actually intended behavior for Android, but it’s a security oversight for a form factor that isn’t always used in strictly personal, private environments and that lacks further security protections. Google mentioned that it had fixed the oversight, and there are now more details on what has changed.

Google shared with 9to5Google how it fixed the issue. On Android TV and Google TV, sideloading Google Chrome will no longer automatically use the login token for the Google account when accessing Gmail or Google Drive on the device. This change is rolling out via an app update, so older devices will get the change too.

This change will not prevent all means of account access through Android TV. However, it fixes the basic oversight that caused the problem and made it easy to exploit. Since the login token is no longer carried over to sideloaded Chrome, users will likely have to sign in again if they are accessing these services through the browser, which adds a layer of authentication that wasn’t present before.

It does make things a little inconvenient, but there likely aren’t that many people out there using Android TV to sideload Chrome only to access Gmail or Google Drive. Most users aren’t going to be affected, so it’s a good change.

That being said, you should still exercise basic security hygiene with Android TV devices. Do not sign in to your personal Google account on shared TV devices outside of places you trust, even if you intend to sign out later. On shared TV devices, it makes sense to use dummy TV accounts to keep your recommendation feeds and viewing history separated.

