Merge "Don't allow non-authorized apps to access auth tokens" into jb-mr2-dev

services/java/com/android/server/accounts/AccountManagerService.java

@@ -1265,6 +1265,11 @@ public class AccountManagerService
         final boolean customTokens =
             authenticatorInfo != null && authenticatorInfo.type.customTokens;
 
+        // Check to see that the app is authorized to access the account, in case it's a
+        // restricted account.
+        if (!ArrayUtils.contains(getAccounts((String) null), account)) {
+            throw new IllegalArgumentException("no such account");
+        }
         // skip the check if customTokens
         final int callerUid = Binder.getCallingUid();
         final boolean permissionGranted = customTokens ||