I'm trying to use AccountManager.confirmCredentials method for user verification in my app. I'm using it like that:
AccountManager am = AccountManager.get(ctx);
am.confirmCredentials(account, null, ctx, new AccountManagerCallback<Bundle>() {
@Override
public void run(AccountManagerFuture<Bundle> amf) {
try {
Bundle b = amf.getResult();
boolean r = b.getBoolean(AccountManager.KEY_BOOLEAN_RESULT);
vc.onValidateResult(r);
return;
} catch (OperationCanceledException ignore) {
} catch (AuthenticatorException ignore) {
} catch (IOException ignore) {
}
vc.onValidateResult(false);
}
}, null);
But found a gap in its implementation since Android 5. A user can clear the proposed account name in the Google authorization form and use his/her own.
The result will be positive, and there is no ability to verify if the requested account name was used for confirmation because the got bundle has only timestamp and resulting boolean value. In other words, the bundle doesn't have KEY_ACCOUNT_NAME
field, however, accordingly to the reference it should.
Does anyone know how to work around this breach?
android.accounts.AccountManager. This class provides access to a centralized registry of the user's online accounts. The user enters credentials (username and password) once per account, granting applications access to online resources with "one-click" approval.
Using an AccountManager to store credentials is a much secure way than storing in a file or a SQL DB. A file can be retrieved by any other app unlike via AccountManager Android will enforce that only your app will be able to access to the key.
Accounts Manager app can be used to track your daily income and expense transaction as per your need. Easy Entries: Account Manager App is easy in adding, deleting and canceling a credit or debit entry.
According to documentation:
If no activity or password was specified, the returned Bundle contains KEY_INTENT with the Intent needed to launch the password prompt. Also the returning Bundle may contain KEY_LAST_AUTHENTICATED_TIME indicating the last time the credential was validated/created.
If your result does not contain Account Name, then it must be due to above scenario.
You should check if the intent contains KEY_INTENT
and if it does then launch that intent to verify.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With