
AccountManager account chooser intent

I want to authenticate my app's user with his Google account because this is the simplest method to authenticate the user on multiple devices.

My question is, if I use AccountPicker.newChooseAccountIntent intent and the user selects one account and I'll get its email address as result in onActivityResult, is this already verified by Android in a way, that makes sure that the user has had to input the correct password for the account?

By this I want to ask, if it's possible to get an email address that the user has no rights for. Do I need to do some further checking for the email address to verify, that it belongs to the user?

My app is about the user's text messages, so I don't want to allow hackers to access these by selecting an account that they don't have a password for.

> My question is, if I use AccountPicker.newChooseAccountIntent intent and the user selects one account and I'll get its email address as result in onActivityResult, is this already verified by Android in a way, that makes sure that the user has had to input the correct password for the account?

Yes, of course it means that the account had been set up, i.e. the user at some point entered the correct user name and password.

> By this I want to ask, if it's possible to get an email address that the user has no rights for. Do I need to do some further checking for the email address to verify, that it belongs to the user?

No, that email address is set up on that device (by entering the correct password), you don't need to verify it further. Whether the user can still log in to that account (if the password was changed), that is unknown.

> My app is about the user's text messages, so I don't want to allow hackers to access these by selecting an account that they don't have a password for.

If somebody manages to break into the Google account of your user, that is something else, you cannot protect your users from such things, they should protect themselves by using secure passwords etc. If your user loses his/her phone, or it was stolen, he/she might change their Google password, but the account will remain set up on their lost/stolen phone; the new user will not be able to log into GMail, but he will be allowed access to your app.

> I want to authenticate my app's user with his Google account because this is the simplest method to authenticate the user on multiple devices.

I would not claim that is the simplest way. First of all, an Android user may not have a Google account, he's not obliged to have one. Second, your app seems to access the internet, in order to have a centralized user DB. Are you sure your web app is secure enough, so that hackers won't authenticate against it using just the username of a Google account? In case you want to offer your users a web-interface to your service, then, of course, only the Google user name would not be sufficient.

This is a correct answer to your question, but I'm not too sure it solves your problem.

BTW, all that is mentioned in the question, and in this answer is not called Authentication. You're not doing any, you're rather trying to avoid it.
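The backend concern raised in this answer, as an added example that is not part of the original post: a server that accepts the email returned by the account chooser as proof of identity, beside one that only accepts a signed assertion and checks its issuer, audience, expiry and verified-email claims. The HMAC token, key, client ID and function names are constructed stand-ins so the example runs offline; a real Google ID token is a JWT signed by Google and is verified against Google's public keys.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins (assumptions, not values from the original post).
ISSUER_KEY = b"constructed-demo-key"          # replaces the provider's signing key
EXPECTED_ISS = "https://accounts.google.com"
EXPECTED_AUD = "constructed-client-id.example"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(claims: dict) -> str:
    """Plays the identity provider: returns '<claims>.<signature>'."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def login_weak(request: dict):
    """Weak design: the email string sent by the client is treated as identity."""
    return request.get("email")

def login_hardened(request: dict, now=None):
    """Returns the authenticated email, or None if the assertion is not valid."""
    now = time.time() if now is None else now
    try:
        body, sig = request["token"].split(".")
        # Constant-time comparison of the presented and recomputed signature.
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (KeyError, ValueError, AttributeError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    # The token must come from the expected issuer and be minted for this backend.
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if claims.get("email_verified") is not True:
        return None
    return claims.get("email")
```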

The running app has access to all services and functions on the device that its permissions allow.

Accounts returned by AccountManager will be any listed in the phone settings and there will be no extra security checks performed when you retrieve this list.

Depending on the service you want to use, you may be directed to enter a password. For example if you link to a specific service via OAuth then you may need to enter the account password. It really depends on the service you are accessing.

For example, anybody who can access the phone can open the SMS app in exactly the same way they could from your own app. SMS do not tend to be tied to a specific account though, as it is a function of the SIM card.
