jobsonp / sipdroid

Automatically exported from code.google.com/p/sipdroid
GNU General Public License v3.0

Google Voice integration sends chat invites periodically #793

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Sign up to google voice integration from button on front of app
2. Wait 24 hours
3. View sent folder; observe "XXX wants to chat" messages sent

What is the expected output? What do you see instead?

It is bad enough that you need to log into the google account (as soon as I 
found that out I disabled it) but you should be 100% sure that you do not 
interact with the user's contacts. 3 separate people had chat invites sent to 
them. All had sent me email recently, but were not necessarily the most recent.

What version of the product are you using? On what device/operating system?

2.0

Original issue reported on code.google.com by reuben.f...@gmail.com on 21 Dec 2010 at 12:29

GoogleCodeExporter commented 8 years ago
I've experienced the exact same problem after installing Sipdroid yesterday on 
a brand new Nexus S.  One of my contacts has received 10 Google chat invitation 
requests.  I have no idea how many of my other contacts have been similarly 
affected.

I realize now that I should have not provided my Gmail credentials as part of 
the Sipdroid registration - my bad.  But this does not excuse the fact that 
they were used to access my account inappropriately.

I have changed my Gmail password, uninstalled Sipdroid and will certainly not 
recommend it to anyone, until I am confident that this problem has been 
addressed.

An explanation would be appreciated.

Original comment by marc.s.m...@gmail.com on 23 Dec 2010 at 9:59

GoogleCodeExporter commented 8 years ago
I am not sure but it might be caused by this Gmail setting:

http://www.google.com/support/chat/bin/answer.py?answer=29795

Original comment by pmerl...@googlemail.com on 24 Dec 2010 at 8:10

GoogleCodeExporter commented 8 years ago
The Gmail setting you point out is not implicated in sending email chat 
invitations automatically.  It just allows chat to be enabled automatically for 
certain types of contacts.

The facts of the matter are:

1) I have been using Gmail for almost 5 years.  Never has anyone reported 
receiving 1 - let alone 10 - chat invitations from me that I did not send.

2) The first such "unauthorized" chat invitation was received within a couple 
of hours of my installing Sipdroid and authorizing Google Voice integration 
(and setting up an account on PBXes).

3) Within less than a day of my installing Sipdroid, I got a security 
notification of my Gmail account having been accessed from 188.40.65.170 
(abbreviated whois info follows).

$ whois 188.40.65.170

% Information related to '188.40.65.128 - 188.40.65.191'

inetnum:        188.40.65.128 - 188.40.65.191
netname:        HETZNER-RZ10
descr:          Hetzner Online AG
descr:          Datacenter 10
country:        DE

which indicates an originator in Germany, while I am in the States.

Furthermore, comments on this blog post suggest that other Sipdroid users have 
experienced similar unauthorized use of their Gmail accounts.

http://blog.kylehasegawa.com/google-voice-voip-on-android-just-got-a-lot-easier-with-pbxes-peering

This post on Reddit

http://www.reddit.com/r/Android/comments/eoqdj/compromised_app_alert_possibly_sipdroid/

supports this contention.  A commenter here suggests that the chat invites may 
be an artifact of some "keep-alive" system on PBXes.  I have no idea whether 
this may be the case.

The evidence strongly indicates that Sipdroid Google Voice integration is 
implicated in the sending of these chat invitations.  It would be nice to have 
the issue investigated thoroughly since it suggests a gaping security hole.

Thanks,
Marc

Original comment by marc.s.m...@gmail.com on 24 Dec 2010 at 1:06

GoogleCodeExporter commented 8 years ago
^ What he said. There is no doubt in my mind that this happened because of 
sipdroid. Like him I have had gmail for years, and never have sent out these 
chat invites. Within hours of signing up for the google voice /pbxes 
integration, I had sent out these chat invites.

Please also see http://code.google.com/p/sipdroid/issues/detail?id=794 , which 
is relevant. It's a massive breach of trust to have the application log into 
the user's gmail account periodically without forewarning them that that is how 
the integration works. I strongly recommend you withdraw the feature from the 
market until you've ironed out the bugs and posted a strong terms of service.

Original comment by reuben.f...@gmail.com on 24 Dec 2010 at 1:45