I am new to Android but old to Java. I have some questions before getting into my own account manager implementation. Here are the stuffs,
How google account manager works ? I have come across couple of forums and blogs and mostly they explained how account manger is working and how to add our own. Here i have couple of questions,
How google account manager stores user's password in android ?
If they are not storing the user password in the device itself then how they are seamlessly producing the auth tokens for the requested apps who are using google account manager (Like maps / hangouts / ...)
References
How does Android's account manager use the stored password to retrieve an auth token? https://developers.google.com/tasks/oauth-and-tasks-on-android
http://blog.udinic.com/2013/04/24/write-your-own-android-authenticator/
They (most probably) don't store the password but the Oauth token received from Google servers after authenticating, together with the refresh token. All Google apps can use the same account manager to get the authentication token and talk to their backends, once this token expires, the account manager uses the refresh token to get a new token and store it in the account manager.
Storing the password is very dangerous, not just for the app, but it leaves the user's account completely vulnerable to be stolen both in the client app in the servers.