While going through the Account Manager functionality
(http://developer.android.com/reference/android/accounts/AccountManager.html),
and especially methods like getAccountsByType() to get access to the
authenticator, and subsequently getAuthToken() to get access to the access
token itself, it seems to me like there is no authentication of the app
that calls AM to get these. Data like domain of the authenticator and even
package name seem easy to get your hands on for a rogue application. What
are the ways to ensure an authenticator and corresponding access token are
accessed by legitimate apps only? Maybe I'm missing something - looking to
be pointed in the right direction.
Thanks much in advance.
