android authentication google-play-services google-signin accountmanager

AccountManager.confirmCredentials issue


I'm trying to use the AccountManager.confirmCredentials method for user verification in my app. I'm using it like this:

    AccountManager am = AccountManager.get(ctx);
    // Ask the account's authenticator to re-verify the user; ctx hosts the prompt.
    am.confirmCredentials(account, null, ctx, new AccountManagerCallback<Bundle>() {
        @Override
        public void run(AccountManagerFuture<Bundle> amf) {
            try {
                Bundle b = amf.getResult();
                // Only the boolean result is read; the account name is not checked here.
                boolean r = b.getBoolean(AccountManager.KEY_BOOLEAN_RESULT);
                vc.onValidateResult(r);
                return;
            } catch (OperationCanceledException ignore) {
            } catch (AuthenticatorException ignore) {
            } catch (IOException ignore) {
            }
            // Cancellation or any error is reported as a failed validation.
            vc.onValidateResult(false);
        }
    }, null);

But I found a gap in its implementation since Android 5. A user can clear the proposed account name in the Google authorization form and use his/her own. The result will be positive, and there is no way to verify whether the requested account name was used for confirmation because the returned bundle has only a timestamp and the resulting boolean value. In other words, the bundle doesn't have the KEY_ACCOUNT_NAME field, although according to the reference it should.

Does anyone know how to work around this breach?


Solution

  • It's already fixed by Google. It now works as expected without code changes.
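
A defensive variant of the question's call, as an added example that is not part of the original question or answer: it accepts the result only when the returned bundle names the account that was requested, and treats a missing KEY_ACCOUNT_NAME or KEY_ACCOUNT_TYPE as a failed check. The class `StrictCredentialCheck`, its `Listener` interface and the method names are hypothetical; it assumes the authenticator populates the bundle fields the reference documents.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerCallback;
import android.accounts.AccountManagerFuture;
import android.app.Activity;
import android.os.Bundle;

/** Hypothetical helper (added example): confirms credentials and fails closed. */
public final class StrictCredentialCheck {

    /** Hypothetical listener, standing in for the question's vc.onValidateResult. */
    public interface Listener {
        void onValidateResult(boolean confirmed);
    }

    /** True only if the result is positive AND names the account that was requested. */
    static boolean isConfirmedFor(Account requested, Bundle result) {
        if (result == null || !result.getBoolean(AccountManager.KEY_BOOLEAN_RESULT, false)) {
            return false;
        }
        String name = result.getString(AccountManager.KEY_ACCOUNT_NAME);
        String type = result.getString(AccountManager.KEY_ACCOUNT_TYPE);
        // Missing fields count as a failed check: without them there is no
        // evidence of which account the user actually authenticated as.
        return requested.name.equals(name) && requested.type.equals(type);
    }

    public static void confirm(Activity activity, final Account account, final Listener listener) {
        AccountManager am = AccountManager.get(activity);
        am.confirmCredentials(account, null, activity, new AccountManagerCallback<Bundle>() {
            @Override
            public void run(AccountManagerFuture<Bundle> future) {
                boolean ok = false;
                try {
                    ok = isConfirmedFor(account, future.getResult());
                } catch (Exception e) {
                    // OperationCanceledException, AuthenticatorException, IOException:
                    // any failure to obtain a result counts as "not confirmed".
                }
                listener.onValidateResult(ok);
            }
        }, null);
    }
}
```

On a platform build where the bundle carries only the timestamp and the boolean, this check rejects every confirmation rather than accepting one made with a different account.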